Analysis
max time kernel: 206s
max time network: 162s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64 arch:x86 image:win7-20231215-en locale:en-us os:windows7-x64 system
submitted: 09/01/2024, 13:16
Behavioral task: behavioral1
Sample: 4e66b442315b528793daf29f272beb6e.exe
Resource: win7-20231215-en
General
Target: 4e66b442315b528793daf29f272beb6e.exe
Size: 13.2MB
MD5: 4e66b442315b528793daf29f272beb6e
SHA1: 5085c7f9d376063e9544fc9fe6c94a3567fae67d
SHA256: f920013efc8d6839e9ff3a2ce43010e1fb46a941a95f99b8c39335d1fbb1bc29
SHA512: 5165565ebc68a408842cf6ea6bf14d60172d2f4fc2c684d16235db2368ae12f53277580fc2103eda1fc102bc68e8742882ab78e74b31ee686bd3c3c5941d89e1
SSDEEP: 393216:CWeWk6XZcIgBBQFOnQ+NZrqCkbEp+DNjyymL8AV:Cz6J7gP8OnQctRQg+hyyW
Malware Config
Extracted
44caliber
https://discord.com/api/webhooks/864993390039138344/KcIraJ14D-c_gxt8b62QhfVu_PGaoIgxX5A9WLR2Iw9WLUoF8VGIsnRR969mXFvP0Unf
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,\"C:\\Users\\Admin\\AppData\\Local\\Pic1fPBkmq\\LOHejsSdpL.exe\" -s" | 4e66b442315b528793daf29f272beb6e.exe
UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 4e66b442315b528793daf29f272beb6e.exe
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 5VajCapCB1.exe
Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 5VajCapCB1.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 5VajCapCB1.exe
Executes dropped EXE (2 IoCs)
pid | Process
1552 | M7FQLfl2Do.exe
2864 | 5VajCapCB1.exe
Loads dropped DLL (3 IoCs)
pid | Process
3028 | 4e66b442315b528793daf29f272beb6e.exe
3028 | 4e66b442315b528793daf29f272beb6e.exe
2892 | Process not Found
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
resource | yara_rule
behavioral1/files/0x000c000000013a04-15.dat | themida
behavioral1/files/0x000c000000013a04-11.dat | themida
behavioral1/files/0x000c000000013a04-16.dat | themida
behavioral1/files/0x000c000000013a04-18.dat | themida
behavioral1/memory/2864-22-0x000000013F800000-0x0000000140CA5000-memory.dmp | themida
behavioral1/memory/2864-23-0x000000013F800000-0x0000000140CA5000-memory.dmp | themida
behavioral1/memory/2864-24-0x000000013F800000-0x0000000140CA5000-memory.dmp | themida
behavioral1/memory/2864-25-0x000000013F800000-0x0000000140CA5000-memory.dmp | themida
behavioral1/memory/2864-46-0x000000013F800000-0x0000000140CA5000-memory.dmp | themida
resource | yara_rule
behavioral1/memory/3028-0-0x0000000000400000-0x000000000142A000-memory.dmp | upx
behavioral1/memory/3028-1-0x0000000000400000-0x000000000142A000-memory.dmp | upx
behavioral1/memory/3028-27-0x0000000000400000-0x000000000142A000-memory.dmp | upx
Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
Checks whether UAC is enabled
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 5VajCapCB1.exe
Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
2 | freegeoip.app
3 | freegeoip.app
Suspicious use of NtSetInformationThreadHideFromDebugger (10 IoCs)
pid | Process
2864 | 5VajCapCB1.exe (10 entries)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | M7FQLfl2Do.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | M7FQLfl2Do.exe
Suspicious behavior: EnumeratesProcesses (25 IoCs)
pid | Process
1552 | M7FQLfl2Do.exe (3 entries)
2864 | 5VajCapCB1.exe (21 entries)
1552 | M7FQLfl2Do.exe (1 entry)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1552 | M7FQLfl2Do.exe
Token: SeDebugPrivilege | 2864 | 5VajCapCB1.exe
Suspicious use of WriteProcessMemory (8 IoCs)
description | pid | Process | procid_target
PID 3028 wrote to memory of 1552 | 3028 | 4e66b442315b528793daf29f272beb6e.exe | 29 (4 entries)
PID 3028 wrote to memory of 2864 | 3028 | 4e66b442315b528793daf29f272beb6e.exe | 31 (4 entries)
System policy modification (1 TTPs, 1 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 4e66b442315b528793daf29f272beb6e.exe
Processes
C:\Users\Admin\AppData\Local\Temp\4e66b442315b528793daf29f272beb6e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4e66b442315b528793daf29f272beb6e.exe"
  PID: 3028
  - Modifies WinLogon for persistence
  - UAC bypass
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - System policy modification
  C:\Users\Admin\AppData\Local\Temp\M7FQLfl2Do.exe (child of PID 3028)
    Command line: "C:\Users\Admin\AppData\Local\Temp\M7FQLfl2Do.exe"
    PID: 1552
    - Executes dropped EXE
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  C:\Users\Admin\AppData\Local\Temp\5VajCapCB1.exe (child of PID 3028)
    Command line: "C:\Users\Admin\AppData\Local\Temp\5VajCapCB1.exe"
    PID: 2864
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (1)
  - Winlogon Helper DLL (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (1)
  - Disable or Modify Tools (1)
- Modify Registry (3)
- Virtualization/Sandbox Evasion (1)
Downloads
- Filesize: 180B
  MD5: f01746c1c77bc7aad18f59947f0b60aa
  SHA1: 821442c2b2b91acf59146d634a9be424e7ff1865
  SHA256: 33670f0a46d212e4b06e45375e375c24dd6d061a1bbe142869bbdd7f60e6ec91
  SHA512: d9574af87d972a59bde5d138856de2a91a7c81f134359ec00555d2e25aa4bec85d3505c7f8f49deeeea055e2c416ee093cef317f7cf4246a728a6be9bc4edd2d
- Filesize: 261B
  MD5: 74e3a6dde3f73c7b38b45767ae48a2f9
  SHA1: efc7612e0f723fbb559e0fce5034e9dcda19988d
  SHA256: c339adfbc701ee1925d8fbee48eca617e920f96406b29c664a16a0ba6a61b2a8
  SHA512: 991f3ac76d18854c640e5875656d323d4b4814fb453b2d9e9d5113ef1a6a1d1b86ec8fa97bb3a67102608a876e0bd8671f98a286237532c685dc1c4e0fc20404
- Filesize: 431B
  MD5: c0ade90bc771beacc9d6350aec93f38c
  SHA1: 8c7847776741e5f46828f9662fd8db8bc71f196e
  SHA256: 1c5d9bf0689187c406a47c7d059c7c09f8b16c967e8a73cc778088445e3e5de2
  SHA512: 96c5862aacdc0c3a488acf4e292e04d8a24b9bdc2dc51813d5c774b5723c23b2bbfa5d45bf74fb124770dc1881002cd680aefc04638d55862713910f085c691b
- Filesize: 345KB
  MD5: 52fe5630b9ab6873cd99b7446368a42b
  SHA1: b9087a442de265a653c3af2754ccae566ec616ee
  SHA256: b2c004893d77c94de7cd6a70c408abb8d7091d4a1b84918a5f4ecaaaca5e8823
  SHA512: b3d7e1e1e0818c1155b2f3e58b86884f5ea5d755cfcfede249e3ed75147cb3477a5e84206ac107adda413270360e90cca6b7c12564a9955a9d906fad010eb279
- Filesize: 360KB
  MD5: 6b2fc0fcc1cffc0efe1c25c0c8249970
  SHA1: 10dcf68093998bf8075d90ff3dac20f908ee0405
  SHA256: d47ade7a118a4d7b5c289516ecc564302f89b08025d7e3a5d682c64048683585
  SHA512: 95179dbeb17dd0cbd353e97c1db4f92e5cc45aab4a73d203871d074dc630ff1a7f11f2cfb76c2a07a0ae2939be7b12fd97bbc8050a4d5132db2a146a133adc68
- Filesize: 274KB
  MD5: 78fe81b560fe19e1a42a017a667f3f06
  SHA1: 4a75705ce154ef06374f1c48e7dcc321b8342d5a
  SHA256: 122b27bae3026a926b31aee5722909c010291a4635a3bb725caa1c71006ea327
  SHA512: f19b09c6883a6df1f15dddaf8ac06d9709fc038ae1c8ca9f69d994c3370c35069e304690275ee1f3aebb44e8e682071ee56c06c01597c9afd925ada66499d050
- Filesize: 320KB
  MD5: 69f4a88656dd35c08b46c19633497f12
  SHA1: 62fc5a5c42086065ead7f63990f48503cd67db2e
  SHA256: 690e7be9290271c3e4f36a902f52081dcaf6e1f1204b1df0e93c276ab2c18ddd
  SHA512: b705d01e43e113a564f30e986f02ad7d694d639e370b4fc40f606ded369613b9f7763f443288f09071b05e66ad4f6e9d38b640bd018f34981d88934979377d46
- Filesize: 578KB
  MD5: 800cac2875a4da6d82f6e1da021d072c
  SHA1: d789ec6b72aa314834deee784ceb0ccf9e59f537
  SHA256: 2616178c937d1ee8766e8c31513f976da5311fa063875a888867198bfa80a9c2
  SHA512: 052b86bd00082a2cbb4c97c0f71e43d764588504370e0b92e367fe4953df4c4f19e89163dbc3f2b37423a5a9390fe9a8b193468deaaef7ca1e373d65e7596aeb