Analysis

  • max time kernel
    206s
  • max time network
    162s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    09/01/2024, 13:16

General

  • Target

    4e66b442315b528793daf29f272beb6e.exe

  • Size

    13.2MB

  • MD5

    4e66b442315b528793daf29f272beb6e

  • SHA1

    5085c7f9d376063e9544fc9fe6c94a3567fae67d

  • SHA256

    f920013efc8d6839e9ff3a2ce43010e1fb46a941a95f99b8c39335d1fbb1bc29

  • SHA512

    5165565ebc68a408842cf6ea6bf14d60172d2f4fc2c684d16235db2368ae12f53277580fc2103eda1fc102bc68e8742882ab78e74b31ee686bd3c3c5941d89e1

  • SSDEEP

    393216:CWeWk6XZcIgBBQFOnQ+NZrqCkbEp+DNjyymL8AV:Cz6J7gP8OnQctRQg+hyyW

Malware Config

Extracted

Family

44caliber

C2

https://discord.com/api/webhooks/864993390039138344/KcIraJ14D-c_gxt8b62QhfVu_PGaoIgxX5A9WLR2Iw9WLUoF8VGIsnRR969mXFvP0Unf

Signatures

  • 44Caliber

    An open source infostealer written in C#.

  • Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  • UAC bypass (3 TTPs, 1 IoC)
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
  • Checks BIOS information in registry (2 TTPs, 2 IoCs)

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE (2 IoCs)
  • Loads dropped DLL (3 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Themida packer (9 IoCs)

    Detects Themida, an advanced Windows software protection system.

  • UPX packed file (3 IoCs)

    Detects executables packed with UPX/modified UPX open source packer.

  • Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
  • Checks whether UAC is enabled (1 TTP, 1 IoC)
  • Looks up external IP address via web service (2 IoCs)

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger (10 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry (2 TTPs, 2 IoCs)

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses (25 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of WriteProcessMemory (8 IoCs)
  • System policy modification (1 TTP, 1 IoC)

Processes

  • C:\Users\Admin\AppData\Local\Temp\4e66b442315b528793daf29f272beb6e.exe
    "C:\Users\Admin\AppData\Local\Temp\4e66b442315b528793daf29f272beb6e.exe"
    1⤵
    • Modifies WinLogon for persistence
    • UAC bypass
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:3028
    • C:\Users\Admin\AppData\Local\Temp\M7FQLfl2Do.exe
      "C:\Users\Admin\AppData\Local\Temp\M7FQLfl2Do.exe"
      2⤵
      • Executes dropped EXE
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1552
    • C:\Users\Admin\AppData\Local\Temp\5VajCapCB1.exe
      "C:\Users\Admin\AppData\Local\Temp\5VajCapCB1.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2864

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\44\Process.txt

    Filesize

    180B

    MD5

    f01746c1c77bc7aad18f59947f0b60aa

    SHA1

    821442c2b2b91acf59146d634a9be424e7ff1865

    SHA256

    33670f0a46d212e4b06e45375e375c24dd6d061a1bbe142869bbdd7f60e6ec91

    SHA512

    d9574af87d972a59bde5d138856de2a91a7c81f134359ec00555d2e25aa4bec85d3505c7f8f49deeeea055e2c416ee093cef317f7cf4246a728a6be9bc4edd2d

  • C:\ProgramData\44\Process.txt

    Filesize

    261B

    MD5

    74e3a6dde3f73c7b38b45767ae48a2f9

    SHA1

    efc7612e0f723fbb559e0fce5034e9dcda19988d

    SHA256

    c339adfbc701ee1925d8fbee48eca617e920f96406b29c664a16a0ba6a61b2a8

    SHA512

    991f3ac76d18854c640e5875656d323d4b4814fb453b2d9e9d5113ef1a6a1d1b86ec8fa97bb3a67102608a876e0bd8671f98a286237532c685dc1c4e0fc20404

  • C:\ProgramData\44\Process.txt

    Filesize

    431B

    MD5

    c0ade90bc771beacc9d6350aec93f38c

    SHA1

    8c7847776741e5f46828f9662fd8db8bc71f196e

    SHA256

    1c5d9bf0689187c406a47c7d059c7c09f8b16c967e8a73cc778088445e3e5de2

    SHA512

    96c5862aacdc0c3a488acf4e292e04d8a24b9bdc2dc51813d5c774b5723c23b2bbfa5d45bf74fb124770dc1881002cd680aefc04638d55862713910f085c691b

  • C:\Users\Admin\AppData\Local\Temp\5VajCapCB1.exe

    Filesize

    345KB

    MD5

    52fe5630b9ab6873cd99b7446368a42b

    SHA1

    b9087a442de265a653c3af2754ccae566ec616ee

    SHA256

    b2c004893d77c94de7cd6a70c408abb8d7091d4a1b84918a5f4ecaaaca5e8823

    SHA512

    b3d7e1e1e0818c1155b2f3e58b86884f5ea5d755cfcfede249e3ed75147cb3477a5e84206ac107adda413270360e90cca6b7c12564a9955a9d906fad010eb279

  • C:\Users\Admin\AppData\Local\Temp\5VajCapCB1.exe

    Filesize

    360KB

    MD5

    6b2fc0fcc1cffc0efe1c25c0c8249970

    SHA1

    10dcf68093998bf8075d90ff3dac20f908ee0405

    SHA256

    d47ade7a118a4d7b5c289516ecc564302f89b08025d7e3a5d682c64048683585

    SHA512

    95179dbeb17dd0cbd353e97c1db4f92e5cc45aab4a73d203871d074dc630ff1a7f11f2cfb76c2a07a0ae2939be7b12fd97bbc8050a4d5132db2a146a133adc68

  • C:\Users\Admin\AppData\Local\Temp\M7FQLfl2Do.exe

    Filesize

    274KB

    MD5

    78fe81b560fe19e1a42a017a667f3f06

    SHA1

    4a75705ce154ef06374f1c48e7dcc321b8342d5a

    SHA256

    122b27bae3026a926b31aee5722909c010291a4635a3bb725caa1c71006ea327

    SHA512

    f19b09c6883a6df1f15dddaf8ac06d9709fc038ae1c8ca9f69d994c3370c35069e304690275ee1f3aebb44e8e682071ee56c06c01597c9afd925ada66499d050

  • \Users\Admin\AppData\Local\Temp\5VajCapCB1.exe

    Filesize

    320KB

    MD5

    69f4a88656dd35c08b46c19633497f12

    SHA1

    62fc5a5c42086065ead7f63990f48503cd67db2e

    SHA256

    690e7be9290271c3e4f36a902f52081dcaf6e1f1204b1df0e93c276ab2c18ddd

    SHA512

    b705d01e43e113a564f30e986f02ad7d694d639e370b4fc40f606ded369613b9f7763f443288f09071b05e66ad4f6e9d38b640bd018f34981d88934979377d46

  • \Users\Admin\AppData\Local\Temp\5VajCapCB1.exe

    Filesize

    578KB

    MD5

    800cac2875a4da6d82f6e1da021d072c

    SHA1

    d789ec6b72aa314834deee784ceb0ccf9e59f537

    SHA256

    2616178c937d1ee8766e8c31513f976da5311fa063875a888867198bfa80a9c2

    SHA512

    052b86bd00082a2cbb4c97c0f71e43d764588504370e0b92e367fe4953df4c4f19e89163dbc3f2b37423a5a9390fe9a8b193468deaaef7ca1e373d65e7596aeb

  • memory/1552-17-0x0000000001390000-0x00000000013DA000-memory.dmp

    Filesize

    296KB

  • memory/1552-19-0x000007FEF5C00000-0x000007FEF65EC000-memory.dmp

    Filesize

    9.9MB

  • memory/1552-53-0x000007FEF5C00000-0x000007FEF65EC000-memory.dmp

    Filesize

    9.9MB

  • memory/1552-21-0x000000001ADA0000-0x000000001AE20000-memory.dmp

    Filesize

    512KB

  • memory/1552-88-0x000007FEF5C00000-0x000007FEF65EC000-memory.dmp

    Filesize

    9.9MB

  • memory/1552-55-0x000000001ADA0000-0x000000001AE20000-memory.dmp

    Filesize

    512KB

  • memory/2864-24-0x000000013F800000-0x0000000140CA5000-memory.dmp

    Filesize

    20.6MB

  • memory/2864-48-0x00000000776B0000-0x00000000777CF000-memory.dmp

    Filesize

    1.1MB

  • memory/2864-26-0x000007FEBD720000-0x000007FEBD730000-memory.dmp

    Filesize

    64KB

  • memory/2864-28-0x00000000376B0000-0x00000000376C0000-memory.dmp

    Filesize

    64KB

  • memory/2864-20-0x00000000778D0000-0x0000000077A79000-memory.dmp

    Filesize

    1.7MB

  • memory/2864-35-0x00000000776B0000-0x00000000777CF000-memory.dmp

    Filesize

    1.1MB

  • memory/2864-36-0x00000000778D0000-0x0000000077A79000-memory.dmp

    Filesize

    1.7MB

  • memory/2864-46-0x000000013F800000-0x0000000140CA5000-memory.dmp

    Filesize

    20.6MB

  • memory/2864-47-0x00000000778D0000-0x0000000077A79000-memory.dmp

    Filesize

    1.7MB

  • memory/2864-25-0x000000013F800000-0x0000000140CA5000-memory.dmp

    Filesize

    20.6MB

  • memory/2864-22-0x000000013F800000-0x0000000140CA5000-memory.dmp

    Filesize

    20.6MB

  • memory/2864-23-0x000000013F800000-0x0000000140CA5000-memory.dmp

    Filesize

    20.6MB

  • memory/3028-0-0x0000000000400000-0x000000000142A000-memory.dmp

    Filesize

    16.2MB

  • memory/3028-52-0x00000000003F0000-0x0000000000400000-memory.dmp

    Filesize

    64KB

  • memory/3028-27-0x0000000000400000-0x000000000142A000-memory.dmp

    Filesize

    16.2MB

  • memory/3028-8-0x00000000003F0000-0x0000000000400000-memory.dmp

    Filesize

    64KB

  • memory/3028-1-0x0000000000400000-0x000000000142A000-memory.dmp

    Filesize

    16.2MB