Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 118s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240319-en
- resource tags: arch:x64, arch:x86, image:win7-20240319-en, locale:en-us, os:windows7-x64, system
- submitted: 09/04/2024, 13:36
Static task: static1
Behavioral task: behavioral1
  Sample: 1e2754b3cdcf417cf8a396df60f61b3f75f10cc61d27807991882c5149e9c681.exe
  Resource: win7-20240319-en
Behavioral task: behavioral2
  Sample: 1e2754b3cdcf417cf8a396df60f61b3f75f10cc61d27807991882c5149e9c681.exe
  Resource: win10v2004-20231215-en
General
- Target: 1e2754b3cdcf417cf8a396df60f61b3f75f10cc61d27807991882c5149e9c681.exe
- Size: 560KB
- MD5: 0c84a5727488a29d79506aad7b9e8fca
- SHA1: 71bb901c18f2c9cf8514e9bfb9c9462398ad30c6
- SHA256: 1e2754b3cdcf417cf8a396df60f61b3f75f10cc61d27807991882c5149e9c681
- SHA512: 82fecbd6eaa17ce089bdd851272ff254114b28e37c46cb565f05d5868fa956221a558c68482cc2fccd43dfdf4c2b2244e6801009b36f086b1e1718f78b9c5888
- SSDEEP: 12288:1bQNl/WqCYWjgAXty1e6AhQn/rXuoW+sr6RfO12K8Q0:1bmbWjgktYnzvdKcI2K8Q0
Malware Config
Extracted: snakekeylogger
- Protocol: smtp
- Host: mail.stpgig.com
- Port: 587
- Username: [email protected]
- Password: Stpgig#Login21
- https://scratchdreams.tk
Signatures
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
- Snake Keylogger payload (2 IoCs)
  resource | yara_rule
  behavioral1/memory/2432-22-0x0000000140000000-0x0000000140024000-memory.dmp | family_snakekeylogger
  behavioral1/memory/2432-29-0x0000000140000000-0x0000000140024000-memory.dmp | family_snakekeylogger
- Deletes itself (1 IoCs)
  pid | Process
  2384 | cmd.exe
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  2 | checkip.dyndns.org
- Suspicious use of SetThreadContext (1 IoCs)
  description | pid | Process | procid_target
  PID 1968 set thread context of 2432 | 1968 | 1e2754b3cdcf417cf8a396df60f61b3f75f10cc61d27807991882c5149e9c681.exe | 32
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  2528 | schtasks.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  2672 | powershell.exe
  2432 | 1e2754b3cdcf417cf8a396df60f61b3f75f10cc61d27807991882c5149e9c681.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2672 | powershell.exe
  Token: SeDebugPrivilege | 2432 | 1e2754b3cdcf417cf8a396df60f61b3f75f10cc61d27807991882c5149e9c681.exe
- Suspicious use of WriteProcessMemory (19 IoCs)
  description | pid | Process | procid_target
  PID 1968 wrote to memory of 2672 | 1968 | 1e2754b3cdcf417cf8a396df60f61b3f75f10cc61d27807991882c5149e9c681.exe | 28
  PID 1968 wrote to memory of 2672 | 1968 | 1e2754b3cdcf417cf8a396df60f61b3f75f10cc61d27807991882c5149e9c681.exe | 28
  PID 1968 wrote to memory of 2672 | 1968 | 1e2754b3cdcf417cf8a396df60f61b3f75f10cc61d27807991882c5149e9c681.exe | 28
  PID 1968 wrote to memory of 2528 | 1968 | 1e2754b3cdcf417cf8a396df60f61b3f75f10cc61d27807991882c5149e9c681.exe | 30
  PID 1968 wrote to memory of 2528 | 1968 | 1e2754b3cdcf417cf8a396df60f61b3f75f10cc61d27807991882c5149e9c681.exe | 30
  PID 1968 wrote to memory of 2528 | 1968 | 1e2754b3cdcf417cf8a396df60f61b3f75f10cc61d27807991882c5149e9c681.exe | 30
  PID 1968 wrote to memory of 2432 | 1968 | 1e2754b3cdcf417cf8a396df60f61b3f75f10cc61d27807991882c5149e9c681.exe | 32
  PID 1968 wrote to memory of 2432 | 1968 | 1e2754b3cdcf417cf8a396df60f61b3f75f10cc61d27807991882c5149e9c681.exe | 32
  PID 1968 wrote to memory of 2432 | 1968 | 1e2754b3cdcf417cf8a396df60f61b3f75f10cc61d27807991882c5149e9c681.exe | 32
  PID 1968 wrote to memory of 2432 | 1968 | 1e2754b3cdcf417cf8a396df60f61b3f75f10cc61d27807991882c5149e9c681.exe | 32
  PID 1968 wrote to memory of 2432 | 1968 | 1e2754b3cdcf417cf8a396df60f61b3f75f10cc61d27807991882c5149e9c681.exe | 32
  PID 1968 wrote to memory of 2432 | 1968 | 1e2754b3cdcf417cf8a396df60f61b3f75f10cc61d27807991882c5149e9c681.exe | 32
  PID 1968 wrote to memory of 2432 | 1968 | 1e2754b3cdcf417cf8a396df60f61b3f75f10cc61d27807991882c5149e9c681.exe | 32
  PID 2432 wrote to memory of 2384 | 2432 | 1e2754b3cdcf417cf8a396df60f61b3f75f10cc61d27807991882c5149e9c681.exe | 33
  PID 2432 wrote to memory of 2384 | 2432 | 1e2754b3cdcf417cf8a396df60f61b3f75f10cc61d27807991882c5149e9c681.exe | 33
  PID 2432 wrote to memory of 2384 | 2432 | 1e2754b3cdcf417cf8a396df60f61b3f75f10cc61d27807991882c5149e9c681.exe | 33
  PID 2384 wrote to memory of 576 | 2384 | cmd.exe | 35
  PID 2384 wrote to memory of 576 | 2384 | cmd.exe | 35
  PID 2384 wrote to memory of 576 | 2384 | cmd.exe | 35
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
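The WriteProcessMemory and SetThreadContext rows above are more useful read together than as 19 separate IoCs. The following is an added example, not part of the tria.ge report or of the sample, that parses rows in the format shown, joins them against a PID-to-image map taken from the Processes section, and flags the pair where a parent both wrote into a child's memory and replaced its thread context while the child runs the same image as the parent. The rows and the PID map are constructed from this report, with the sample's SHA-256 file name shortened to sample.exe.

```python
"""Correlate sandbox 'wrote to memory of' / 'set thread context of' rows with
the process list to find a process-hollowing style handoff."""
import re
from collections import Counter

# Constructed from the Processes section of this report: PID -> image basename.
PROCESSES = {
    1968: "sample.exe", 2672: "powershell.exe", 2528: "schtasks.exe",
    2432: "sample.exe", 2384: "cmd.exe", 576: "choice.exe",
}

# Constructed from the 19 WriteProcessMemory rows and the one SetThreadContext
# row above (sample.exe stands in for the long SHA-256 file name).
ROWS = """
PID 1968 wrote to memory of 2672 1968 sample.exe 28
PID 1968 wrote to memory of 2672 1968 sample.exe 28
PID 1968 wrote to memory of 2672 1968 sample.exe 28
PID 1968 wrote to memory of 2528 1968 sample.exe 30
PID 1968 wrote to memory of 2528 1968 sample.exe 30
PID 1968 wrote to memory of 2528 1968 sample.exe 30
PID 1968 wrote to memory of 2432 1968 sample.exe 32
PID 1968 wrote to memory of 2432 1968 sample.exe 32
PID 1968 wrote to memory of 2432 1968 sample.exe 32
PID 1968 wrote to memory of 2432 1968 sample.exe 32
PID 1968 wrote to memory of 2432 1968 sample.exe 32
PID 1968 wrote to memory of 2432 1968 sample.exe 32
PID 1968 wrote to memory of 2432 1968 sample.exe 32
PID 2432 wrote to memory of 2384 2432 sample.exe 33
PID 2432 wrote to memory of 2384 2432 sample.exe 33
PID 2432 wrote to memory of 2384 2432 sample.exe 33
PID 2384 wrote to memory of 576 2384 cmd.exe 35
PID 2384 wrote to memory of 576 2384 cmd.exe 35
PID 2384 wrote to memory of 576 2384 cmd.exe 35
PID 1968 set thread context of 2432 1968 sample.exe 32
"""

# The description column is "PID <src> <action> <dst>"; the rest of the row is
# the source process's own pid/image and the target's index in the process list.
ROW_RE = re.compile(r"PID (\d+) (wrote to memory of|set thread context of) (\d+)")


def write_counts(rows_text):
    """Number of memory writes per (parent, child) pair."""
    counts = Counter()
    for src, action, dst in ROW_RE.findall(rows_text):
        if action == "wrote to memory of":
            counts[(int(src), int(dst))] += 1
    return dict(counts)


def correlate(rows_text, processes):
    """For every SetThreadContext edge, check whether the same parent also wrote
    into the child and whether the child runs the parent's image."""
    edges = Counter((int(s), int(d), a) for s, a, d in ROW_RE.findall(rows_text))
    findings = []
    for (src, dst, action) in sorted(edges):
        if action != "set thread context of":
            continue
        writes = edges.get((src, dst, "wrote to memory of"), 0)
        same_image = processes.get(src) == processes.get(dst)
        if writes and same_image:
            verdict = "self-hollowing candidate"
        elif writes:
            verdict = "injection into another image"
        else:
            verdict = "context change without writes"
        findings.append({"parent": src, "child": dst, "writes": writes, "verdict": verdict})
    return findings


if __name__ == "__main__":
    for pair, n in sorted(write_counts(ROWS).items()):
        print(f"{pair[0]} -> {pair[1]}: {n} writes")
    for f in correlate(ROWS, PROCESSES):
        print(f)
```

Every ordinary child spawn in this run (powershell.exe, schtasks.exe, cmd.exe, choice.exe) shows exactly three writes from its parent and no thread-context change; only PID 2432 receives seven writes plus SetThreadContext from PID 1968, and 2432 is also the process whose memory dump at 0x140000000 matches the family_snakekeylogger rule. That combination is what the report's SetThreadContext line is worth: the first instance launches a second copy of its own image, overwrites it, and redirects its thread, so the decoded payload only exists inside the second process.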
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\1e2754b3cdcf417cf8a396df60f61b3f75f10cc61d27807991882c5149e9c681.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1e2754b3cdcf417cf8a396df60f61b3f75f10cc61d27807991882c5149e9c681.exe"
  PID: 1968
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ffVsTPS.exe"
    PID: 2672
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\System32\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ffVsTPS" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB941.tmp"
    PID: 2528
    - Creates scheduled task(s)
  - [2] C:\Users\Admin\AppData\Local\Temp\1e2754b3cdcf417cf8a396df60f61b3f75f10cc61d27807991882c5149e9c681.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\1e2754b3cdcf417cf8a396df60f61b3f75f10cc61d27807991882c5149e9c681.exe
    PID: 2432
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\1e2754b3cdcf417cf8a396df60f61b3f75f10cc61d27807991882c5149e9c681.exe"
      PID: 2384
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\system32\choice.exe
        Command line: choice /C Y /N /D Y /T 3
        PID: 576
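The three child command lines in this tree are each a common post-infection action: exempting the dropped copy from Defender scanning (Add-MpPreference -ExclusionPath), registering persistence from a task XML written to %TEMP%, and a timed self-delete that runs after the injected copy has taken over. As an added example, not taken from the report or from the sample, here is detection logic for those three patterns run over constructed Sysmon-style process-creation events built from the Processes section; the event field names, the parent PIDs of processes outside the tree and the benign schtasks /Query control event are assumptions.

```python
"""Three command-line detections for the post-infection actions in this tree,
run over constructed Sysmon Event ID 1 style records."""
import re

# Constructed from the Processes section of this report. Field names follow
# Sysmon (pid/ppid/image/cmdline); parents outside the tree are assumed PIDs.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\1e2754b3cdcf417cf8a396df60f61b3f75f10cc61d27807991882c5149e9c681.exe"
EVENTS = [
    {"pid": 1968, "ppid": 1000, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 2672, "ppid": 1968,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ffVsTPS.exe"'},
    {"pid": 2528, "ppid": 1968, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ffVsTPS" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB941.tmp"'},
    {"pid": 2432, "ppid": 1968, "image": SAMPLE, "cmdline": SAMPLE},
    {"pid": 2384, "ppid": 2432, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": rf'"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "{SAMPLE}"'},
    {"pid": 576, "ppid": 2384, "image": r"C:\Windows\system32\choice.exe",
     "cmdline": "choice /C Y /N /D Y /T 3"},
    # Constructed benign control: a task query, which must not fire the /Create rule.
    {"pid": 4100, "ppid": 900, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Query /TN "Updates\ffVsTPS"'},
]

# Defender exclusion of any kind added from the command line.
DEFENDER_EXCL = re.compile(r"Add-MpPreference\s+-Exclusion(?:Path|Process|Extension)\b", re.IGNORECASE)
# Task created from an XML definition staged under the user's temp directory.
SCHTASKS_XML = re.compile(r"/Create\b.*?/XML\s+\"?([^\"]+?\\AppData\\Local\\Temp\\[^\"]+)\"?", re.IGNORECASE)
# choice-as-sleep followed by Del: the classic self-delete one-liner.
SELF_DELETE = re.compile(r"\bchoice\b.*?/T\s+\d+\s*&\s*del\s+\"?([^\"]+?)\"?\s*$", re.IGNORECASE)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (pid, rule) pairs for every event that matches a rule."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        img, cmd = basename(e["image"]), e["cmdline"]
        parent = by_pid.get(e["ppid"])
        if img == "powershell.exe" and DEFENDER_EXCL.search(cmd):
            findings.append((e["pid"], "defender_exclusion_added"))
        if img == "schtasks.exe" and SCHTASKS_XML.search(cmd):
            findings.append((e["pid"], "schtask_from_temp_xml"))
        if img == "cmd.exe":
            m = SELF_DELETE.search(cmd)
            if m:
                target = m.group(1).strip().lower()
                # Deleting the parent's own image is the self-delete pattern;
                # deleting anything else is a weaker, installer-like signal.
                if parent and target == parent["image"].lower():
                    findings.append((e["pid"], "self_delete_parent_image"))
                else:
                    findings.append((e["pid"], "delayed_delete"))
    return findings


if __name__ == "__main__":
    for pid, rule in detect(EVENTS):
        print(pid, rule)
```

The self-delete rule compares the Del target with the parent's own image rather than matching the choice/Del shape alone, because installers use the same cmd.exe idiom to remove a temporary bootstrapper. The exclusion and task rules match on the command line only, so an administrator adding an exclusion interactively fires them too; score them with the parent (here an executable running from %TEMP%) rather than alerting on them by themselves. Note that the excluded path and the task name share the string ffVsTPS, so both point at the same dropped file; the report lists no file write for it, so confirm its presence on disk during triage.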
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: 1e2b770dc6d6f8ed2bf826e1bae1b3ba
  SHA1: cdf2ea5e6441d61d92441629fcbb80ede7775f48
  SHA256: 8c770c4e6699f356cf574af2722a44f5d8ecd44c1b461add59f6114442b3afd4
  SHA512: 4f321e863979d83f0a17adf5498b04d87e9c215b428004e838c7ff3ef006df35f576e5ea87ec01f9b45a71ee492dbad81fe77110f988c4b71f59e74250c01fa5