Analysis
- max time kernel: 153s
- max time network: 162s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 31/12/2023, 22:24
Static task: static1
Behavioral task: behavioral1
- Sample: 3b374dfe1fe2e394e0fafabbc72fc215.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 3b374dfe1fe2e394e0fafabbc72fc215.exe
- Resource: win10v2004-20231215-en
General
- Target: 3b374dfe1fe2e394e0fafabbc72fc215.exe
- Size: 511KB
- MD5: 3b374dfe1fe2e394e0fafabbc72fc215
- SHA1: e0a6bcf7ba2dede3262cb1924ed59b8254dcbb2f
- SHA256: 6db83cda6f33d2cbc17c264e8526d0ad4039ef9cf8f50b7c378b86d1d5a074ed
- SHA512: fec3bad431fc014b961d239cd4ec79644989e34d2e03cad874ae79c269dc5e7a560730a27079d9ccf578cfb12ee2531a0ff967fb471096c2dcb8621c8ef23041
- SSDEEP: 12288:Xo9XY/GaSyb9EUHIfuM101SqO/tiT4ED7x+74JWHTx8PqyY6hj+ihXIu5l:/7fELu2gWRI
Malware Config
Extracted: snakekeylogger
- Protocol: smtp
- Host: us2.smtp.mailhostbox.com
- Port: 587
- Username: [email protected]
- Password: m$ExnQx8
- Email To: [email protected]
Signatures
- Detect ZGRat V1 (1 IoC)
  resource: behavioral2/memory/4608-9-0x0000000005900000-0x0000000005916000-memory.dmp, yara_rule: family_zgrat_v1
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
- Snake Keylogger payload (2 IoCs)
  resource: behavioral2/memory/4184-10-0x0000000000400000-0x0000000000424000-memory.dmp, yara_rule: family_snakekeylogger
  resource: behavioral2/memory/4184-15-0x00000000051E0000-0x00000000051F0000-memory.dmp, yara_rule: family_snakekeylogger
- Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow: 19, ioc: checkip.dyndns.org
  flow: 28, ioc: freegeoip.app
  flow: 29, ioc: freegeoip.app
- Suspicious use of SetThreadContext (1 IoC)
  description: PID 4608 set thread context of 4184, pid: 4608, Process: 3b374dfe1fe2e394e0fafabbc72fc215.exe, procid_target: 91
- Program crash (1 IoC)
  pid: 4668, pid_target: 4184, Process: WerFault.exe, procid_target: 91
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid: 4184, Process: 3b374dfe1fe2e394e0fafabbc72fc215.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description: Token: SeDebugPrivilege, pid: 4184, Process: 3b374dfe1fe2e394e0fafabbc72fc215.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  description: PID 4608 wrote to memory of 4184, pid: 4608, Process: 3b374dfe1fe2e394e0fafabbc72fc215.exe, procid_target: 91
  description: PID 4608 wrote to memory of 4184, pid: 4608, Process: 3b374dfe1fe2e394e0fafabbc72fc215.exe, procid_target: 91
  description: PID 4608 wrote to memory of 4184, pid: 4608, Process: 3b374dfe1fe2e394e0fafabbc72fc215.exe, procid_target: 91
  description: PID 4608 wrote to memory of 4184, pid: 4608, Process: 3b374dfe1fe2e394e0fafabbc72fc215.exe, procid_target: 91
  description: PID 4608 wrote to memory of 4184, pid: 4608, Process: 3b374dfe1fe2e394e0fafabbc72fc215.exe, procid_target: 91
  description: PID 4608 wrote to memory of 4184, pid: 4608, Process: 3b374dfe1fe2e394e0fafabbc72fc215.exe, procid_target: 91
  description: PID 4608 wrote to memory of 4184, pid: 4608, Process: 3b374dfe1fe2e394e0fafabbc72fc215.exe, procid_target: 91
  description: PID 4608 wrote to memory of 4184, pid: 4608, Process: 3b374dfe1fe2e394e0fafabbc72fc215.exe, procid_target: 91
Processes
- "C:\Users\Admin\AppData\Local\Temp\3b374dfe1fe2e394e0fafabbc72fc215.exe" (PID 4608)
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - "C:\Users\Admin\AppData\Local\Temp\3b374dfe1fe2e394e0fafabbc72fc215.exe" (PID 4184)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\WerFault.exe -u -p 4184 -s 1828 (PID 4668)
      - Program crash
- C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4184 -ip 4184 (PID 536)
Network
MITRE ATT&CK Matrix
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\3b374dfe1fe2e394e0fafabbc72fc215.exe.log
  Filesize: 886B
  MD5: c20f5538a742328b529578351dc9c18a
  SHA1: 81ccedae485cc109b78ca630ca7d7968fcdbd84d
  SHA256: 5605a8572fd4c8fe7f5419f21aeccb2478f210d954e3688bab8abedfdad74f81
  SHA512: e3d1ac8024905e09c12d26e7edb1117c0732f89f038251057738bba8e058b756c6718656f880265720dea2e217386ba5fbe2660044285980cb1b37931a90591d