Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    239s
  • max time network
    288s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    04/01/2024, 10:02 UTC

General

  • Target

    409021962f521632561d4cb8b5ff2a1a.exe

  • Size

    2.9MB

  • MD5

    409021962f521632561d4cb8b5ff2a1a

  • SHA1

    1ce4ef8554a104087c4c70ec9946e0156f7f6fda

  • SHA256

    c8f5eb62c605962a4705a52a75280589a8b26952613ad093289036b2ed404627

  • SHA512

    380cd71d27a17bb237841afc2f3d7ca6d87658b8a778f2d2b595910b79ad3268e51b0000493be9d4dc79fef5bd2902a3e95982d6a194d006c487171bd70ebc29

  • SSDEEP

    24576:gRmJkcoQricOIQxiZY1iamoEZ3dMo2+6mTY4E4yKTiFWH+zuwfsUNXzpdenr/gT4:VJZoQrbTFZY1iamf

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.gmail.com
  • Port:
    587
  • Username:
    udi@udiplc.net
  • Password:
    Google.@12

Signatures

  • HawkEye

    HawkEye is a malware kit that has seen continuous development since at least 2013.

  • Reads local data of messenger clients 2 TTPs

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

  • Uses the VBS compiler for execution 1 TTPs
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\409021962f521632561d4cb8b5ff2a1a.exe
    "C:\Users\Admin\AppData\Local\Temp\409021962f521632561d4cb8b5ff2a1a.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2820
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3012
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" -f "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
        3⤵
        • Accesses Microsoft Outlook accounts
        • Suspicious use of AdjustPrivilegeToken
        PID:632
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" -f "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2064

Network

  • flag-us
    DNS
    whatismyipaddress.com
    RegSvcs.exe
    Remote address:
    8.8.8.8:53
    Request
    whatismyipaddress.com
    IN A
    Response
    whatismyipaddress.com
    IN A
    104.16.154.36
    whatismyipaddress.com
    IN A
    104.16.155.36
  • flag-us
    DNS
    whatismyipaddress.com
    RegSvcs.exe
    Remote address:
    8.8.8.8:53
    Request
    whatismyipaddress.com
    IN A
  • flag-us
    GET
    http://whatismyipaddress.com/
    RegSvcs.exe
    Remote address:
    104.16.154.36:80
    Request
    GET / HTTP/1.1
    Host: whatismyipaddress.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 301 Moved Permanently
    Date: Thu, 04 Jan 2024 10:05:30 GMT
    Transfer-Encoding: chunked
    Connection: keep-alive
    Cache-Control: max-age=3600
    Expires: Thu, 04 Jan 2024 11:05:30 GMT
    Location: https://whatismyipaddress.com/
    Set-Cookie: __cf_bm=QKcaVjEpZBLDamhyjj3oevNhUNeMQFf36R.D6kBxwE0-1704362730-1-AeiaigxPrGZk6gJqwSQfaQwmvGTk1G4Zn676haA4m4kospEkkJ/l5oEMWX2FjqDqYiMu76qSBGNvAsYcKznpV3s=; path=/; expires=Thu, 04-Jan-24 10:35:30 GMT; domain=.whatismyipaddress.com; HttpOnly
    Server: cloudflare
    CF-RAY: 8402a9d91915749d-LHR
    alt-svc: h3=":443"; ma=86400
  • flag-us
    DNS
    smtp.gmail.com
    RegSvcs.exe
    Remote address:
    8.8.8.8:53
    Request
    smtp.gmail.com
    IN A
    Response
    smtp.gmail.com
    IN A
    142.250.145.108
  • 104.16.154.36:80
    http://whatismyipaddress.com/
    http
    RegSvcs.exe
    399 B
    1.4kB
    7
    5

    HTTP Request

    GET http://whatismyipaddress.com/

    HTTP Response

    301
  • 104.16.154.36:443
    whatismyipaddress.com
    tls
    RegSvcs.exe
    355 B
    219 B
    5
    5
  • 104.16.154.36:443
    whatismyipaddress.com
    tls
    RegSvcs.exe
    355 B
    219 B
    5
    5
  • 142.250.145.108:587
    smtp.gmail.com
    smtp
    RegSvcs.exe
    1.2kB
    6.3kB
    16
    18
  • 8.8.8.8:53
    whatismyipaddress.com
    dns
    RegSvcs.exe
    134 B
    99 B
    2
    1

    DNS Request

    whatismyipaddress.com

    DNS Request

    whatismyipaddress.com

    DNS Response

    104.16.154.36
    104.16.155.36

  • 8.8.8.8:53
    smtp.gmail.com
    dns
    RegSvcs.exe
    60 B
    76 B
    1
    1

    DNS Request

    smtp.gmail.com

    DNS Response

    142.250.145.108

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\holdermail.txt

    Filesize

    400B

    MD5

    de4e5ff058882957cf8a3b5f839a031f

    SHA1

    0b3d8279120fb5fa27efbd9eee89695aa040fc24

    SHA256

    ef54f46b9f1e342fc12e035ae94f57c61ea4e8be4e116f0a1c6f86310f400f49

    SHA512

    a6b0d557e9eec4e56630e5ba64495df318f4fd959fffbdcbf77831185b067906917c9117a0ecd6ac817c7860d5d831cce15820d715657d81e2d817d9fab9fb72

  • memory/632-18-0x0000000000400000-0x000000000048E000-memory.dmp (Filesize: 568KB)
  • memory/632-61-0x0000000000400000-0x000000000048E000-memory.dmp (Filesize: 568KB)
  • memory/632-53-0x0000000000400000-0x000000000048E000-memory.dmp (Filesize: 568KB)
  • memory/632-33-0x0000000000400000-0x000000000048E000-memory.dmp (Filesize: 568KB)
  • memory/632-32-0x0000000000400000-0x000000000048E000-memory.dmp (Filesize: 568KB)
  • memory/632-22-0x0000000000400000-0x000000000048E000-memory.dmp (Filesize: 568KB)
  • memory/632-24-0x0000000000400000-0x000000000048E000-memory.dmp (Filesize: 568KB)
  • memory/632-26-0x0000000000400000-0x000000000048E000-memory.dmp (Filesize: 568KB)
  • memory/632-30-0x0000000000400000-0x000000000048E000-memory.dmp (Filesize: 568KB)
  • memory/632-28-0x000000007EFDE000-0x000000007EFDF000-memory.dmp (Filesize: 4KB)
  • memory/632-20-0x0000000000400000-0x000000000048E000-memory.dmp (Filesize: 568KB)
  • memory/2064-51-0x0000000000400000-0x000000000048B000-memory.dmp (Filesize: 556KB)
  • memory/2064-34-0x0000000000400000-0x000000000048B000-memory.dmp (Filesize: 556KB)
  • memory/2064-48-0x0000000000400000-0x000000000048B000-memory.dmp (Filesize: 556KB)
  • memory/2064-46-0x0000000000400000-0x000000000048B000-memory.dmp (Filesize: 556KB)
  • memory/2064-42-0x0000000000400000-0x000000000048B000-memory.dmp (Filesize: 556KB)
  • memory/2064-40-0x0000000000400000-0x000000000048B000-memory.dmp (Filesize: 556KB)
  • memory/2064-38-0x0000000000400000-0x000000000048B000-memory.dmp (Filesize: 556KB)
  • memory/2064-36-0x0000000000400000-0x000000000048B000-memory.dmp (Filesize: 556KB)
  • memory/3012-6-0x000000007EFDE000-0x000000007EFDF000-memory.dmp (Filesize: 4KB)
  • memory/3012-0-0x0000000000400000-0x0000000000522000-memory.dmp (Filesize: 1.1MB)
  • memory/3012-7-0x0000000000400000-0x0000000000522000-memory.dmp (Filesize: 1.1MB)
  • memory/3012-17-0x00000000009E0000-0x0000000000A20000-memory.dmp (Filesize: 256KB)
  • memory/3012-5-0x0000000000400000-0x0000000000522000-memory.dmp (Filesize: 1.1MB)
  • memory/3012-13-0x00000000009E0000-0x0000000000A20000-memory.dmp (Filesize: 256KB)
  • memory/3012-12-0x0000000074150000-0x00000000746FB000-memory.dmp (Filesize: 5.7MB)
  • memory/3012-11-0x0000000000400000-0x0000000000522000-memory.dmp (Filesize: 1.1MB)
  • memory/3012-49-0x0000000074150000-0x00000000746FB000-memory.dmp (Filesize: 5.7MB)
  • memory/3012-14-0x0000000074150000-0x00000000746FB000-memory.dmp (Filesize: 5.7MB)
  • memory/3012-9-0x0000000000400000-0x0000000000522000-memory.dmp (Filesize: 1.1MB)
  • memory/3012-54-0x00000000009E0000-0x0000000000A20000-memory.dmp (Filesize: 256KB)
  • memory/3012-55-0x0000000074150000-0x00000000746FB000-memory.dmp (Filesize: 5.7MB)
  • memory/3012-4-0x0000000000400000-0x0000000000522000-memory.dmp (Filesize: 1.1MB)
  • memory/3012-2-0x0000000000400000-0x0000000000522000-memory.dmp (Filesize: 1.1MB)
  • memory/3012-63-0x00000000009E0000-0x0000000000A20000-memory.dmp (Filesize: 256KB)
