Analysis

max time kernel: 150s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07/03/2024, 19:17
Static task: static1

Behavioral task: behavioral1
  Sample: b976eb61942f5feb72dd43d6b16f0c8f.exe
  Resource: win7-20240221-en

Behavioral task: behavioral2
  Sample: b976eb61942f5feb72dd43d6b16f0c8f.exe
  Resource: win10v2004-20240226-en
General

Target: b976eb61942f5feb72dd43d6b16f0c8f.exe
Size: 1.4MB
MD5: b976eb61942f5feb72dd43d6b16f0c8f
SHA1: ad11dd9fdca6c72328acb45569a2c97c24188043
SHA256: 953f9761acd7d9a2b093225fe0b4131b85696ecd0d6fad1d504173a90829be0d
SHA512: 5ce9d29e6956aed0b0b9f390a9df816c00ea0d5cce91af08b246b64a3ccb15c554cd7c98c2bef544282bfb0f9d547b9f1a7681d77fe62d13d943e491f06957f7
SSDEEP: 24576:11SwsUHmbqGRGOxrYZd23bTDdRc7GFXy9AoXzhfD1mHN9LOVA:xsUGbqGRFyd2L/dRc7GBy9AM98HbyV
Malware Config

Extracted
  Family: cryptbot
  knufnp41.top
  morumd04.top
  payload_url: http://sarfri06.top/download.php?file=lv.exe
Signatures

CryptBot payload (5 IoCs)
  resource | yara_rule
  behavioral2/memory/4824-25-0x00000000047E0000-0x0000000004883000-memory.dmp | family_cryptbot
  behavioral2/memory/4824-26-0x00000000047E0000-0x0000000004883000-memory.dmp | family_cryptbot
  behavioral2/memory/4824-27-0x00000000047E0000-0x0000000004883000-memory.dmp | family_cryptbot
  behavioral2/memory/4824-28-0x00000000047E0000-0x0000000004883000-memory.dmp | family_cryptbot
  behavioral2/memory/4824-242-0x00000000047E0000-0x0000000004883000-memory.dmp | family_cryptbot

Executes dropped EXE (2 IoCs)
  pid | Process
  3860 | Poi.exe.com
  4824 | Poi.exe.com

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | b976eb61942f5feb72dd43d6b16f0c8f.exe

Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | Poi.exe.com
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | Poi.exe.com

Runs ping.exe (1 TTP, 1 IoC)
  pid | Process
  1884 | PING.EXE

Suspicious use of FindShellTrayWindow (8 IoCs)
  pid | Process
  3860 | Poi.exe.com
  3860 | Poi.exe.com
  3860 | Poi.exe.com
  4824 | Poi.exe.com
  4824 | Poi.exe.com
  4824 | Poi.exe.com
  4824 | Poi.exe.com
  4824 | Poi.exe.com

Suspicious use of SendNotifyMessage (6 IoCs)
  pid | Process
  3860 | Poi.exe.com
  3860 | Poi.exe.com
  3860 | Poi.exe.com
  4824 | Poi.exe.com
  4824 | Poi.exe.com
  4824 | Poi.exe.com

Suspicious use of WriteProcessMemory (21 IoCs)
  description | pid | Process | procid_target
  PID 624 wrote to memory of 4488 | 624 | b976eb61942f5feb72dd43d6b16f0c8f.exe | 88
  PID 624 wrote to memory of 4488 | 624 | b976eb61942f5feb72dd43d6b16f0c8f.exe | 88
  PID 624 wrote to memory of 4488 | 624 | b976eb61942f5feb72dd43d6b16f0c8f.exe | 88
  PID 624 wrote to memory of 4764 | 624 | b976eb61942f5feb72dd43d6b16f0c8f.exe | 89
  PID 624 wrote to memory of 4764 | 624 | b976eb61942f5feb72dd43d6b16f0c8f.exe | 89
  PID 624 wrote to memory of 4764 | 624 | b976eb61942f5feb72dd43d6b16f0c8f.exe | 89
  PID 4764 wrote to memory of 3280 | 4764 | cmd.exe | 91
  PID 4764 wrote to memory of 3280 | 4764 | cmd.exe | 91
  PID 4764 wrote to memory of 3280 | 4764 | cmd.exe | 91
  PID 3280 wrote to memory of 2540 | 3280 | cmd.exe | 92
  PID 3280 wrote to memory of 2540 | 3280 | cmd.exe | 92
  PID 3280 wrote to memory of 2540 | 3280 | cmd.exe | 92
  PID 3280 wrote to memory of 3860 | 3280 | cmd.exe | 93
  PID 3280 wrote to memory of 3860 | 3280 | cmd.exe | 93
  PID 3280 wrote to memory of 3860 | 3280 | cmd.exe | 93
  PID 3280 wrote to memory of 1884 | 3280 | cmd.exe | 94
  PID 3280 wrote to memory of 1884 | 3280 | cmd.exe | 94
  PID 3280 wrote to memory of 1884 | 3280 | cmd.exe | 94
  PID 3860 wrote to memory of 4824 | 3860 | Poi.exe.com | 96
  PID 3860 wrote to memory of 4824 | 3860 | Poi.exe.com | 96
  PID 3860 wrote to memory of 4824 | 3860 | Poi.exe.com | 96
Processes

C:\Users\Admin\AppData\Local\Temp\b976eb61942f5feb72dd43d6b16f0c8f.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\b976eb61942f5feb72dd43d6b16f0c8f.exe"
  PID: 624
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\dllhost.exe
    command line: dllhost.exe
    PID: 4488

  C:\Windows\SysWOW64\cmd.exe
    command line: cmd /c cmd < Pensato.bmp
    PID: 4764
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      command line: cmd
      PID: 3280
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\findstr.exe
        command line: findstr /V /R "^AMdmEFpRWoHLUblFdkNexZewMRUenFUCcosLAvruKxxkTVxbxfyMsOKBKfMNLiasgtdMyntUiHaZEQiRbvHpA$" Pur.bmp
        PID: 2540

      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Poi.exe.com
        command line: Poi.exe.com J
        PID: 3860
        - Executes dropped EXE
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Poi.exe.com
          command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Poi.exe.com J
          PID: 4824
          - Executes dropped EXE
          - Checks processor information in registry
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage

      C:\Windows\SysWOW64\PING.EXE
        command line: ping SLVJLBBW -n 30
        PID: 1884
        - Runs ping.exe
Network
MITRE ATT&CK Enterprise v15
Downloads