Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
261s -
max time network
308s -
platform
windows10-1703_x64 -
resource
win10-20231023-en -
resource tags
arch:x64arch:x86image:win10-20231023-enlocale:en-usos:windows10-1703-x64system -
submitted
26/11/2023, 22:33
Static task
static1
Behavioral task
behavioral1
Sample
bcde1b6a52ee2944096fc1b3059f09097add88eb3a99bee162613dc12a113169.exe
Resource
win7-20231020-en
Behavioral task
behavioral2
Sample
bcde1b6a52ee2944096fc1b3059f09097add88eb3a99bee162613dc12a113169.exe
Resource
win10-20231023-en
General
-
Target
bcde1b6a52ee2944096fc1b3059f09097add88eb3a99bee162613dc12a113169.exe
-
Size
1.6MB
-
MD5
3ff60bb00b635f8d94673252138c1319
-
SHA1
a41e71b7583d5b49f82b6afaab70f9d89c77e4d5
-
SHA256
bcde1b6a52ee2944096fc1b3059f09097add88eb3a99bee162613dc12a113169
-
SHA512
2d1da58a7021c9932a37f9be4569c19483b4a2dc169ccf0f978d21aa7720bb4bb7b822de693deebf2bedd0c12e370fc43ff7f0498cfa85d0ba0bf6da36d64d26
-
SSDEEP
49152:5ojy+A3cPEDkG+4LNl1R0FuWrDn74Vy6cewVs0B1H0:5ojyUMDVBr0FnrDTVtZ
Malware Config
Extracted
eternity
http://izrukvro5khcol3z7cvvdq3akeunlod2gshgn7ppo3a4jvse3z5hpiyd.onion
Signatures
-
Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
-
Executes dropped EXE 2 IoCs
pid Process 5000 ms_update.exe 4996 ms_updater.exe -
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe Key opened \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe Key opened \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 4 ip-api.com -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 4996 set thread context of 2840 4996 ms_updater.exe 77 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid pid_target Process procid_target 2420 5000 WerFault.exe 71 -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 AppLaunch.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier AppLaunch.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 2840 AppLaunch.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2840 AppLaunch.exe -
Suspicious use of WriteProcessMemory 41 IoCs
description pid Process procid_target PID 696 wrote to memory of 5000 696 bcde1b6a52ee2944096fc1b3059f09097add88eb3a99bee162613dc12a113169.exe 71 PID 696 wrote to memory of 5000 696 bcde1b6a52ee2944096fc1b3059f09097add88eb3a99bee162613dc12a113169.exe 71 PID 696 wrote to memory of 5000 696 bcde1b6a52ee2944096fc1b3059f09097add88eb3a99bee162613dc12a113169.exe 71 PID 696 wrote to memory of 4996 696 bcde1b6a52ee2944096fc1b3059f09097add88eb3a99bee162613dc12a113169.exe 72 PID 696 wrote to memory of 4996 696 bcde1b6a52ee2944096fc1b3059f09097add88eb3a99bee162613dc12a113169.exe 72 PID 696 wrote to memory of 4996 696 bcde1b6a52ee2944096fc1b3059f09097add88eb3a99bee162613dc12a113169.exe 72 PID 4996 wrote to memory of 2508 4996 ms_updater.exe 76 PID 4996 wrote to memory of 2508 4996 ms_updater.exe 76 PID 4996 wrote to memory of 2508 4996 ms_updater.exe 76 PID 4996 wrote to memory of 2840 4996 ms_updater.exe 77 PID 4996 wrote to memory of 2840 4996 ms_updater.exe 77 PID 4996 wrote to memory of 2840 4996 ms_updater.exe 77 PID 4996 wrote to memory of 2840 4996 ms_updater.exe 77 PID 4996 wrote to memory of 2840 4996 ms_updater.exe 77 PID 4996 wrote to memory of 2840 4996 ms_updater.exe 77 PID 4996 wrote to memory of 2840 4996 ms_updater.exe 77 PID 4996 wrote to memory of 2840 4996 ms_updater.exe 77 PID 2840 wrote to memory of 4984 2840 AppLaunch.exe 79 PID 2840 wrote to memory of 4984 2840 AppLaunch.exe 79 PID 2840 wrote to memory of 4984 2840 AppLaunch.exe 79 PID 4984 wrote to memory of 4448 4984 cmd.exe 81 PID 4984 wrote to memory of 4448 4984 cmd.exe 81 PID 4984 wrote to memory of 4448 4984 cmd.exe 81 PID 4984 wrote to memory of 4200 4984 cmd.exe 82 PID 4984 wrote to memory of 4200 4984 cmd.exe 82 PID 4984 wrote to memory of 4200 4984 cmd.exe 82 PID 4984 wrote to memory of 2864 4984 cmd.exe 83 PID 4984 wrote to memory of 2864 4984 cmd.exe 83 PID 4984 wrote to memory of 2864 4984 cmd.exe 83 PID 2840 wrote to memory of 1316 2840 AppLaunch.exe 84 PID 2840 wrote to memory of 1316 2840 AppLaunch.exe 84 PID 2840 wrote to memory of 1316 2840 AppLaunch.exe 84 PID 1316 wrote to memory of 2996 1316 cmd.exe 86 PID 1316 wrote to memory of 2996 1316 cmd.exe 86 PID 1316 wrote to memory of 2996 1316 cmd.exe 86 PID 1316 wrote to memory of 3688 1316 cmd.exe 87 PID 1316 wrote to memory of 3688 1316 cmd.exe 87 PID 1316 wrote to memory of 3688 1316 cmd.exe 87 PID 1316 wrote to memory of 4164 1316 cmd.exe 88 PID 1316 wrote to memory of 4164 1316 cmd.exe 88 PID 1316 wrote to memory of 4164 1316 cmd.exe 88 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\bcde1b6a52ee2944096fc1b3059f09097add88eb3a99bee162613dc12a113169.exe"C:\Users\Admin\AppData\Local\Temp\bcde1b6a52ee2944096fc1b3059f09097add88eb3a99bee162613dc12a113169.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:696 -
C:\Users\Admin\AppData\Roaming\ms_update.exe"C:\Users\Admin\AppData\Roaming\ms_update.exe"2⤵
- Executes dropped EXE
PID:5000 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5000 -s 1483⤵
- Program crash
PID:2420
-
-
-
C:\Users\Admin\AppData\Roaming\ms_updater.exe"C:\Users\Admin\AppData\Roaming\ms_updater.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4996 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"3⤵PID:2508
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"3⤵
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:2840 -
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All4⤵
- Suspicious use of WriteProcessMemory
PID:4984 -
C:\Windows\SysWOW64\chcp.comchcp 650015⤵PID:4448
-
-
C:\Windows\SysWOW64\netsh.exenetsh wlan show profile5⤵PID:4200
-
-
C:\Windows\SysWOW64\findstr.exefindstr All5⤵PID:2864
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show profile name="65001" key=clear | findstr Key4⤵
- Suspicious use of WriteProcessMemory
PID:1316 -
C:\Windows\SysWOW64\chcp.comchcp 650015⤵PID:2996
-
-
C:\Windows\SysWOW64\netsh.exenetsh wlan show profile name="65001" key=clear5⤵PID:3688
-
-
C:\Windows\SysWOW64\findstr.exefindstr Key5⤵PID:4164
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
917KB
MD5752e7cc2c62a2e72bf3fb831587a3ec8
SHA199cf461ed01e827cc563046e3521e396b74b1499
SHA256460454df164ddab147f172549c39ff33a3f54ec09f49f809119eb69a67698731
SHA512c688c424e81be011db52312148be14ce4836657916dfed270b445b74682488fdb63b583e1c1124a14c2ddb049486182dff599faa8c41b2d1eced1e2d2e25e318
-
Filesize
443KB
MD58a2c454b6571e226223f0f0ffc03f58b
SHA1c5c83e9769d35c7ac5efa45d228117453b87621e
SHA2567aa42d31e48e600a2f7edcc4ce96fbd0336548b72dcc82227acbe3cc46600d36
SHA512c96f423e960ec72e6a22f17250e8fa1b656d436c4d056009344ec50c2494da939558f0930ed6c93851fce7068f77d00b56efd3a25841a9d8c2a55e283a660e09
-
Filesize
443KB
MD58a2c454b6571e226223f0f0ffc03f58b
SHA1c5c83e9769d35c7ac5efa45d228117453b87621e
SHA2567aa42d31e48e600a2f7edcc4ce96fbd0336548b72dcc82227acbe3cc46600d36
SHA512c96f423e960ec72e6a22f17250e8fa1b656d436c4d056009344ec50c2494da939558f0930ed6c93851fce7068f77d00b56efd3a25841a9d8c2a55e283a660e09