Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
118s -
max time network
133s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system -
submitted
05/01/2024, 20:03
Static task
static1
Behavioral task
behavioral1
Sample
MW3 Aibot Gui(Run after MW3 Aimbot).exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
MW3 Aibot Gui(Run after MW3 Aimbot).exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral3
Sample
MW3 Aimbot.exe
Resource
win7-20231215-en
Behavioral task
behavioral4
Sample
MW3 Aimbot.exe
Resource
win10v2004-20231215-en
General
-
Target
MW3 Aimbot.exe
-
Size
48KB
-
MD5
aa288aea58f791b8be539e90491d72a5
-
SHA1
123e8b8b3cda53afc5f9c90ec394127f0364a626
-
SHA256
872cd4a24881b39989ec3747948f27e2094d2bc015c62ac0f90f6ebc29f0e1fd
-
SHA512
f099bf4c6c15c8c2ca652a2425cbb4c69da95339796d34700445008bae5dac93767567eaa77ef28a0d78336770bba244f49a76318bdac7bb768e08e5f06e32b0
-
SSDEEP
768:fDmdi89DcrWXmWupeHTO+E5AImSUq7WXo+OLOoXajdMp1c:yXcrdSTS5jwo+OLOoXajy1c
Malware Config
Extracted
Protocol: smtp- Host:
smtp.gmail.com - Port:
587 - Username:
[email protected] - Password:
ligotti19
Signatures
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Updater = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SysAudio.exe" MW3 Aimbot.exe Set value (str) \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Updater = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SysAudio.exe" WinUpdater.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 2248 WinUpdater.exe -
Suspicious behavior: RenamesItself 1 IoCs
pid Process 2116 MW3 Aimbot.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
description pid Process Token: SeDebugPrivilege 2116 MW3 Aimbot.exe Token: 33 2116 MW3 Aimbot.exe Token: SeIncBasePriorityPrivilege 2116 MW3 Aimbot.exe Token: SeDebugPrivilege 2248 WinUpdater.exe Token: 33 2248 WinUpdater.exe Token: SeIncBasePriorityPrivilege 2248 WinUpdater.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2116 MW3 Aimbot.exe 2248 WinUpdater.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 2116 wrote to memory of 2248 2116 MW3 Aimbot.exe 28 PID 2116 wrote to memory of 2248 2116 MW3 Aimbot.exe 28 PID 2116 wrote to memory of 2248 2116 MW3 Aimbot.exe 28
Processes
-
C:\Users\Admin\AppData\Local\Temp\MW3 Aimbot.exe"C:\Users\Admin\AppData\Local\Temp\MW3 Aimbot.exe"1⤵
- Adds Run key to start application
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2116 -
C:\Users\Admin\AppData\Roaming\Microsoft\WinUpdater.exe"C:\Users\Admin\AppData\Roaming\Microsoft\WinUpdater.exe"2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2248
-