Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    122s
  • max time network
    129s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    13/01/2024, 06:02

General

  • Target

    timeSync.exe

  • Size

    237KB

  • MD5

    ae0792e1f93f7682ce03c8f4f9e2906b

  • SHA1

    7056ade37113830af70ae02fe06184374c06dc90

  • SHA256

    bd0619e369e9f557fa70e19f5447a08a625cec708e14459d53fdb338ecf30305

  • SHA512

    95d09e2679f5bd9c53b5e36e17c013565f9245029d8dfbe4ea22810f6b444c45b5c7e77069d29e3c7e7a1c5d7a098bad1977dbcf6c310c8407278873db1710f6

  • SSDEEP

    3072:fJOKSG+jJx3AdF7mSJief2m1KpEtbUT1nGBvUEtrSWe/qcRbP1XRQ9mtxxgwT:fJOKS/EF7kpGegrmfgIt4

Malware Config

Extracted

Family

stealc

C2

http://5.42.64.41

Attributes
  • url_path

    /40d570f44e84a454.php

rc4.plain

Signatures

  • Stealc

    Stealc is an infostealer written in C++.

  • Downloads MZ/PE file
  • Deletes itself 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\timeSync.exe
    "C:\Users\Admin\AppData\Local\Temp\timeSync.exe"
    1⤵
    • Loads dropped DLL
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2396
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\timeSync.exe" & del "C:\ProgramData\*.dll"" & exit
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:1936
      • C:\Windows\SysWOW64\timeout.exe
        timeout /t 5
        3⤵
        • Delays execution with timeout.exe
        PID:2156

Network

MITRE ATT&CK Enterprise v15

Downloads

  • \ProgramData\mozglue.dll

    Filesize

    36KB

    MD5

    0f94a9545012dde854113fa1afad0b90

    SHA1

    9784fadce4ffaf877b20a6ed805e02e9d32409ff

    SHA256

    64ebb5d77fca88dc9c65327c65c0cc207ce7b82a4397a01370da934312720284

    SHA512

    0359e21e81b8f86d0f4fcefc177dd338df37f23a9f62ec3a91843c5f7c7ff6a587b4b0c4ddbb429b0d7096f7ee2f8c19996606105400bf28984e9fd257aa6136

  • \ProgramData\nss3.dll

    Filesize

    78KB

    MD5

    9e59913b3cdcfb6ae555e76b0cba4b35

    SHA1

    d9cf67470109f2923490e55fde59ba2b9cf5253f

    SHA256

    ce8afb6e8447d58da9ff41bde8c13b987fb500cd47d35d838c8c505efc2da6e3

    SHA512

    213867184ae83fad4609f54bd26fd5f9645995e545c059ebe5be279f76671729458ccd95ffabc73fe3d58dcd741f3a3507eba2c4c53d8a80a702a9240cd60d4f

  • memory/2396-1-0x0000000000230000-0x0000000000330000-memory.dmp

    Filesize

    1024KB

  • memory/2396-2-0x00000000003A0000-0x00000000003BC000-memory.dmp

    Filesize

    112KB

  • memory/2396-3-0x0000000000400000-0x000000000062E000-memory.dmp

    Filesize

    2.2MB

  • memory/2396-4-0x0000000061E00000-0x0000000061EF3000-memory.dmp

    Filesize

    972KB

  • memory/2396-42-0x0000000000400000-0x000000000062E000-memory.dmp

    Filesize

    2.2MB

  • memory/2396-68-0x0000000000400000-0x000000000062E000-memory.dmp

    Filesize

    2.2MB

  • memory/2396-69-0x0000000000230000-0x0000000000330000-memory.dmp

    Filesize

    1024KB

  • memory/2396-72-0x0000000000400000-0x000000000062E000-memory.dmp

    Filesize

    2.2MB

  • memory/2396-74-0x0000000000230000-0x0000000000330000-memory.dmp

    Filesize

    1024KB

  • memory/2396-73-0x0000000000400000-0x000000000062E000-memory.dmp

    Filesize

    2.2MB