Resubmissions
submitted           analysis ID         score
10/04/2024, 02:41   240410-c6hmmsfd7z   10
10/04/2024, 02:41   240410-c6g14scb46   10
10/04/2024, 02:41   240410-c6gqcacb45   10
10/04/2024, 02:41   240410-c6f4tacb44   10
14/10/2023, 01:33   231014-bysbfahh6s   10
Analysis
- max time kernel: 300s
- max time network: 305s
- platform: windows11-21h2_x64
- resource: win11-20240221-en
- resource tags: arch:x64, arch:x86, image:win11-20240221-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 10/04/2024, 02:41
Behavioral tasks
- behavioral1: sample x19a4f9f3d16fcc9779ba8ea79bf7.exe, resource win7-20240221-en
- behavioral2: sample x19a4f9f3d16fcc9779ba8ea79bf7.exe, resource win10-20240404-en
- behavioral3: sample x19a4f9f3d16fcc9779ba8ea79bf7.exe, resource win10v2004-20240226-en
- behavioral4: sample x19a4f9f3d16fcc9779ba8ea79bf7.exe, resource win11-20240221-en
General
- Target: x19a4f9f3d16fcc9779ba8ea79bf7.exe
- Size: 392KB
- MD5: 2299a17350433284e58bd0fcc10edf41
- SHA1: d477f1cd55365db00ca77cc5459afabe1ffc80b3
- SHA256: c3439dd56bcf3921cdbfcbdff3f928d14ebd632b3411235657bf9f5452c1ab9d
- SHA512: 123d18cf17b4bb0f0b16414039c2381f77e9f12c96a109d5847c760e4d7fb64f6c592f8f185a4c0375aade6754afd0abd6a196936adac405290f157829ae25a1
- SSDEEP: 6144:5cJGLvLE5hu6Me646G0D1ecme1x9b31v4n:uUvLr6k9b5ecmed1v4
Malware Config
Extracted
- Family: gurcu
- C2: https://api.telegram.org/bot6193093056:AAHzyNGUGS9aUG6CCx6ENLoXpCFLzEQywIQ/sendMessage?chat_id=1098292643
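The extracted gurcu configuration is a complete Telegram Bot API call: the bot token (numeric bot ID, a colon, then the secret) and the destination chat_id are embedded in the URL, so both indicators are recoverable from the sample itself without ever contacting api.telegram.org. The Python below is an added example, not part of this Triage report or of the sample; it parses such a URL offline into indicators for blocking and hunting, using the C2 URL from the config as its input. The token shape check (at least five digits, a colon, at least 30 characters of [A-Za-z0-9_-]) is this example's heuristic.

```python
"""Turn a Telegram Bot API exfiltration URL into indicators, offline.

Added example for this Triage report; not part of the report or of the gurcu
sample. The token shape check below is this example's own heuristic.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import parse_qs, urlsplit

TELEGRAM_API_HOST = "api.telegram.org"
# Bot tokens are "<numeric bot id>:<secret>"; the secret is typically 35 chars of
# [A-Za-z0-9_-]. Minimum lengths keep placeholders such as "bot123:x" out.
_TOKEN_RE = re.compile(r"^(?P<bot_id>\d{5,}):(?P<secret>[A-Za-z0-9_-]{30,})$")


@dataclass(frozen=True)
class TelegramC2:
    host: str
    bot_id: str
    token: str              # the full credential: what goes into an abuse report
    method: str             # Bot API method, e.g. sendMessage or sendDocument
    chat_id: Optional[str]  # receiving user/group/channel, if given in the query string


def parse_telegram_c2(url: str) -> Optional[TelegramC2]:
    """Parse https://<host>/bot<token>/<method>?chat_id=...; None if not that shape."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None
    segments = [s for s in parts.path.split("/") if s]
    if len(segments) < 2 or not segments[0].startswith("bot"):
        return None
    token = segments[0][len("bot"):]
    m = _TOKEN_RE.match(token)
    if not m:
        return None
    chat = parse_qs(parts.query).get("chat_id", [None])[0]
    return TelegramC2(
        host=(parts.hostname or "").lower(),
        bot_id=m.group("bot_id"),
        token=token,
        method=segments[1],
        chat_id=chat,
    )


def indicators(c2: TelegramC2) -> Dict[str, object]:
    """Indicators for blocking and hunting derived from one parsed C2 URL.

    The bot id is the durable pivot: every Bot API call by this bot carries it in
    the URL path, whatever the method or chat. The chat id identifies the
    receiving account. Blocking api.telegram.org outright also breaks legitimate
    bots, so the path prefix is what to match in proxy or TLS-inspection logs.
    """
    return {
        "bot_id": c2.bot_id,
        "chat_id": c2.chat_id,
        "path_prefix": f"/bot{c2.bot_id}:",  # matches any method, any chat
        "full_url_prefix": f"https://{c2.host}/bot{c2.token}/",
        "official_api": c2.host == TELEGRAM_API_HOST,
    }


# C2 URL from the extracted gurcu config in this report.
REPORT_C2 = (
    "https://api.telegram.org/bot6193093056:AAHzyNGUGS9aUG6CCx6ENLoXpCFLzEQywIQ"
    "/sendMessage?chat_id=1098292643"
)

if __name__ == "__main__":
    c2 = parse_telegram_c2(REPORT_C2)
    print(c2)
    print(indicators(c2))
```

Run stand-alone it prints the parsed record and the indicator dictionary for the report's C2; feed it other URLs from the `Network` tab or from proxy logs to separate Bot API traffic from ordinary Telegram use.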
Signatures
- Executes dropped EXE (12 IoCs)
  pid   process
  4160  x19a4f9f3d16fcc9779ba8ea79bf7.exe
  4808  tor.exe
  4980  x19a4f9f3d16fcc9779ba8ea79bf7.exe
  5048  tor.exe
  3364  x19a4f9f3d16fcc9779ba8ea79bf7.exe
  432   tor.exe
  4988  x19a4f9f3d16fcc9779ba8ea79bf7.exe
  1832  tor.exe
  424   x19a4f9f3d16fcc9779ba8ea79bf7.exe
  2396  tor.exe
  3756  x19a4f9f3d16fcc9779ba8ea79bf7.exe
  432   tor.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  description  ioc  process
  Key opened  \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  x19a4f9f3d16fcc9779ba8ea79bf7.exe
  Key opened  \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  x19a4f9f3d16fcc9779ba8ea79bf7.exe
  Key opened  \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  x19a4f9f3d16fcc9779ba8ea79bf7.exe
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  18    ip-api.com
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTP, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   process
  1020  schtasks.exe
- Runs ping.exe (1 TTP, 1 IoCs)
  pid   process
  2284  PING.EXE
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  pid   process
  4160  x19a4f9f3d16fcc9779ba8ea79bf7.exe
- Suspicious use of AdjustPrivilegeToken (7 IoCs)
  description              pid   process
  Token: SeDebugPrivilege  1052  x19a4f9f3d16fcc9779ba8ea79bf7.exe
  Token: SeDebugPrivilege  4160  x19a4f9f3d16fcc9779ba8ea79bf7.exe
  Token: SeDebugPrivilege  4980  x19a4f9f3d16fcc9779ba8ea79bf7.exe
  Token: SeDebugPrivilege  3364  x19a4f9f3d16fcc9779ba8ea79bf7.exe
  Token: SeDebugPrivilege  4988  x19a4f9f3d16fcc9779ba8ea79bf7.exe
  Token: SeDebugPrivilege  424   x19a4f9f3d16fcc9779ba8ea79bf7.exe
  Token: SeDebugPrivilege  3756  x19a4f9f3d16fcc9779ba8ea79bf7.exe
- Suspicious use of WriteProcessMemory (24 IoCs)
  description                        pid   process                            procid_target
  PID 1052 wrote to memory of 872    1052  x19a4f9f3d16fcc9779ba8ea79bf7.exe  81
  PID 1052 wrote to memory of 872    1052  x19a4f9f3d16fcc9779ba8ea79bf7.exe  81
  PID 872 wrote to memory of 4916    872   cmd.exe                            83
  PID 872 wrote to memory of 4916    872   cmd.exe                            83
  PID 872 wrote to memory of 2284    872   cmd.exe                            84
  PID 872 wrote to memory of 2284    872   cmd.exe                            84
  PID 872 wrote to memory of 1020    872   cmd.exe                            85
  PID 872 wrote to memory of 1020    872   cmd.exe                            85
  PID 872 wrote to memory of 4160    872   cmd.exe                            86
  PID 872 wrote to memory of 4160    872   cmd.exe                            86
  PID 4160 wrote to memory of 4704   4160  x19a4f9f3d16fcc9779ba8ea79bf7.exe  87
  PID 4160 wrote to memory of 4704   4160  x19a4f9f3d16fcc9779ba8ea79bf7.exe  87
  PID 4160 wrote to memory of 4808   4160  x19a4f9f3d16fcc9779ba8ea79bf7.exe  89
  PID 4160 wrote to memory of 4808   4160  x19a4f9f3d16fcc9779ba8ea79bf7.exe  89
  PID 4980 wrote to memory of 5048   4980  x19a4f9f3d16fcc9779ba8ea79bf7.exe  93
  PID 4980 wrote to memory of 5048   4980  x19a4f9f3d16fcc9779ba8ea79bf7.exe  93
  PID 3364 wrote to memory of 432    3364  x19a4f9f3d16fcc9779ba8ea79bf7.exe  99
  PID 3364 wrote to memory of 432    3364  x19a4f9f3d16fcc9779ba8ea79bf7.exe  99
  PID 4988 wrote to memory of 1832   4988  x19a4f9f3d16fcc9779ba8ea79bf7.exe  104
  PID 4988 wrote to memory of 1832   4988  x19a4f9f3d16fcc9779ba8ea79bf7.exe  104
  PID 424 wrote to memory of 2396    424   x19a4f9f3d16fcc9779ba8ea79bf7.exe  109
  PID 424 wrote to memory of 2396    424   x19a4f9f3d16fcc9779ba8ea79bf7.exe  109
  PID 3756 wrote to memory of 432    3756  x19a4f9f3d16fcc9779ba8ea79bf7.exe  114
  PID 3756 wrote to memory of 432    3756  x19a4f9f3d16fcc9779ba8ea79bf7.exe  114
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
- outlook_office_path (1 IoCs)
  description  ioc  process
  Key opened  \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  x19a4f9f3d16fcc9779ba8ea79bf7.exe
- outlook_win_path (1 IoCs)
  description  ioc  process
  Key opened  \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  x19a4f9f3d16fcc9779ba8ea79bf7.exe
Processes
[1] PID 1052  C:\Users\Admin\AppData\Local\Temp\x19a4f9f3d16fcc9779ba8ea79bf7.exe
    command: "C:\Users\Admin\AppData\Local\Temp\x19a4f9f3d16fcc9779ba8ea79bf7.exe"
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  [2] PID 872  C:\Windows\System32\cmd.exe
      command: "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "x19a4f9f3d16fcc9779ba8ea79bf7" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\x19a4f9f3d16fcc9779ba8ea79bf7.exe" &&START "" "C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe"
      - Suspicious use of WriteProcessMemory
    [3] PID 4916  C:\Windows\system32\chcp.com
        command: chcp 65001
    [3] PID 2284  C:\Windows\system32\PING.EXE
        command: ping 127.0.0.1
        - Runs ping.exe
    [3] PID 1020  C:\Windows\system32\schtasks.exe
        command: schtasks /create /tn "x19a4f9f3d16fcc9779ba8ea79bf7" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe" /rl HIGHEST /f
        - Creates scheduled task(s)
    [3] PID 4160  C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe
        command: "C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe"
        - Executes dropped EXE
        - Accesses Microsoft Outlook profiles
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - outlook_office_path
        - outlook_win_path
      [4] PID 4704  C:\Windows\System32\tar.exe
          command: "C:\Windows\System32\tar.exe" -xvzf "C:\Users\Admin\AppData\Local\Temp\tmp81C3.tmp" -C "C:\Users\Admin\AppData\Local\xtioxntk7k"
      [4] PID 4808  C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe
          command: "C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\xtioxntk7k\torrc.txt"
          - Executes dropped EXE
[1] PID 4980  C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe
    command: C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  [2] PID 5048  C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe
      command: "C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\xtioxntk7k\torrc.txt"
      - Executes dropped EXE
[1] PID 3364  C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe
    command: C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  [2] PID 432  C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe
      command: "C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\xtioxntk7k\torrc.txt"
      - Executes dropped EXE
[1] PID 4988  C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe
    command: C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  [2] PID 1832  C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe
      command: "C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\xtioxntk7k\torrc.txt"
      - Executes dropped EXE
[1] PID 424  C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe
    command: C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  [2] PID 2396  C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe
      command: "C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\xtioxntk7k\torrc.txt"
      - Executes dropped EXE
[1] PID 3756  C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe
    command: C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  [2] PID 432  C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe
      command: "C:\Users\Admin\AppData\Local\xtioxntk7k\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\xtioxntk7k\torrc.txt"
      - Executes dropped EXE
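The cmd.exe command line under PID 872 is the whole persistence step in a single chain: chcp 65001, ping 127.0.0.1 (which does nothing here except pause the chain for a few seconds), schtasks /create pointing at a copy of the sample in a TeamViewer-named folder under %LOCALAPPDATA% on a per-minute schedule with /rl HIGHEST, DEL of the original in %TEMP%, then START of the copy. The subsequent root-level launches of the TeamViewer-path binary, each spawning tor.exe, are what that task produces. The Python below is an added example, not Triage's detection logic and not the sample's code: it splits a cmd.exe /C chain taken from a process-creation record (Sysmon Event ID 1 or Security 4688 CommandLine) into its commands, parses the schtasks /create switches, and scores the chain. The user-writable directory list, the executable-extension list and the scoring reasons are this example's heuristics, and the benign comparison command line is constructed.

```python
"""Score a cmd.exe chain for the schtasks-based persistence seen in this report.

Added example for this Triage report; not Triage's detection logic and not the
sample's code. The path list, extension list and scoring rules are heuristics.
"""
import ntpath
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Directories an unprivileged user can write to; a task whose /tr points here runs
# whatever the user (or malware) dropped there. Heuristic, not exhaustive.
USER_WRITABLE = re.compile(
    r"^(?:[a-z]:\\users\\[^\\]+\\appdata\\"
    r"|[a-z]:\\users\\public\\"
    r"|[a-z]:\\programdata\\"
    r"|%(?:appdata|localappdata|temp|tmp|public|programdata)%\\)",
    re.I,
)
# Leading path of a /tr value, up to a known executable extension.
_EXE_RE = re.compile(r"^(.*?\.(?:exe|com|bat|cmd|ps1|vbs|js|dll))(?=\s|$)", re.I)


@dataclass
class TaskFinding:
    task_name: str
    run_target: str      # executable the task launches (from /tr)
    schedule: str        # /sc value, upper-cased
    run_level: str       # /rl value, upper-cased
    reasons: List[str] = field(default_factory=list)


def _tokens(cmd: str) -> List[str]:
    """Tokenise a Windows command line, keeping each quoted string as one token."""
    return re.findall(r'"[^"]*"|\S+', cmd)


def _unquote(tok: str) -> str:
    return tok[1:-1] if len(tok) >= 2 and tok[0] == tok[-1] == '"' else tok


def split_chain(cmdline: str) -> List[str]:
    """Return the individual commands of a 'cmd.exe /C a && b & c' chain."""
    m = re.search(r'cmd(?:\.exe)?"?\s+/[cCkK]\s+(.*)$', cmdline, re.S)
    body = m.group(1) if m else cmdline
    return [p.strip() for p in re.split(r"&&|\|\||&", body) if p.strip()]


def parse_schtasks_create(cmd: str) -> Optional[Dict[str, str]]:
    """Map '/switch' -> value for a 'schtasks /create' command; None for anything else."""
    toks = _tokens(cmd)
    if not toks or ntpath.basename(_unquote(toks[0])).lower() not in ("schtasks", "schtasks.exe"):
        return None
    opts: Dict[str, str] = {}
    i = 1
    while i < len(toks):
        key = _unquote(toks[i]).lower()
        # A switch consumes the next token as its value unless that token is another
        # switch or there is none; this covers value-less flags such as /create and /f.
        if i + 1 < len(toks) and not toks[i + 1].startswith("/"):
            opts[key] = _unquote(toks[i + 1])
            i += 2
        else:
            opts[key] = ""
            i += 1
    return opts if "/create" in opts else None


def task_executable(tr: str) -> str:
    """Executable part of a /tr value: leading path up to a known extension, else first token."""
    m = _EXE_RE.match(tr)
    if m:
        return m.group(1)
    return tr.split()[0] if tr.split() else ""


def analyse_chain(cmdline: str) -> List[TaskFinding]:
    """Score every 'schtasks /create' in the chain; an empty list means nothing flagged."""
    findings: List[TaskFinding] = []
    parts = split_chain(cmdline)
    for idx, part in enumerate(parts):
        opts = parse_schtasks_create(part)
        if opts is None:
            continue
        exe = task_executable(opts.get("/tr", ""))
        f = TaskFinding(opts.get("/tn", ""), exe,
                        opts.get("/sc", "").upper(), opts.get("/rl", "").upper())
        if USER_WRITABLE.match(exe):
            f.reasons.append("task target lives in a user-writable directory")
        if f.schedule == "MINUTE":
            f.reasons.append("/sc MINUTE: relaunched every minute (watchdog-style persistence)")
        if f.run_level == "HIGHEST":
            f.reasons.append("/rl HIGHEST requested")
        rest = " ".join(parts[idx + 1:]).lower()  # what the chain does once the task exists
        if re.search(r"\bdel\b", rest) and "/q" in rest:
            f.reasons.append("chain deletes a file right after creating the task (self-removal)")
        if exe and re.search(r"\bstart\b", rest) and exe.lower() in rest:
            f.reasons.append("chain immediately starts the task target")
        if f.reasons:
            findings.append(f)
    return findings


# Command line of PID 872 in this report.
REPORT_CHAIN = (
    '"C:\\Windows\\System32\\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && '
    'schtasks /create /tn "x19a4f9f3d16fcc9779ba8ea79bf7" /sc MINUTE '
    '/tr "C:\\Users\\Admin\\AppData\\Local\\TeamViewer\\x19a4f9f3d16fcc9779ba8ea79bf7.exe" '
    '/rl HIGHEST /f && DEL /F /S /Q /A '
    '"C:\\Users\\Admin\\AppData\\Local\\Temp\\x19a4f9f3d16fcc9779ba8ea79bf7.exe" '
    '&&START "" "C:\\Users\\Admin\\AppData\\Local\\TeamViewer\\x19a4f9f3d16fcc9779ba8ea79bf7.exe"'
)
# Constructed benign comparison (not from the report): a daily task into Program Files.
BENIGN_CHAIN = ('cmd.exe /c schtasks /create /tn "Vendor Update" /sc DAILY '
                '/tr "C:\\Program Files\\Vendor\\update.exe"')

if __name__ == "__main__":
    for finding in analyse_chain(REPORT_CHAIN):
        print(finding.task_name, finding.run_target, finding.schedule, finding.run_level, finding.reasons)
    print("benign:", analyse_chain(BENIGN_CHAIN))
```

Run as-is it flags the report's chain on all five counts and returns nothing for the constructed benign task; to use it on real telemetry, feed each CommandLine field of a cmd.exe process-creation event to `analyse_chain` and alert when the list is non-empty. The per-minute schedule matters for triage as well: every minute the task re-runs the copy, which is why the tree above shows the TeamViewer-path binary starting five more times at the root level.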
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 847B
  MD5     486ebddc86ea8b3e965d390d22283a23
  SHA1    eaffc047f067084867e8575c576a9ec60e094ba8
  SHA256  50a57273ecb794e53b0622eb841341e2643c11f53fa47356e6e754ab2268171d
  SHA512  0a50ba02250b38355a6f4fb94e40c61258a74031d9aea7cdf675f3e068f39ec0748ecf292aaf2f94b1963b9d66516ee79aa6c552617048e248774af0ff07189d
- Filesize: 392KB
  MD5     2299a17350433284e58bd0fcc10edf41
  SHA1    d477f1cd55365db00ca77cc5459afabe1ffc80b3
  SHA256  c3439dd56bcf3921cdbfcbdff3f928d14ebd632b3411235657bf9f5452c1ab9d
  SHA512  123d18cf17b4bb0f0b16414039c2381f77e9f12c96a109d5847c760e4d7fb64f6c592f8f185a4c0375aade6754afd0abd6a196936adac405290f157829ae25a1
- Filesize: 13.3MB
  MD5     89d2d5811c1aff539bb355f15f3ddad0
  SHA1    5bb3577c25b6d323d927200c48cd184a3e27c873
  SHA256  b630008f6d3887793d48b87091e56691e292894dd4fa100dc4a418a2f29dcc12
  SHA512  39e576124c54143520c5435a2ef9b24506131e13403489c0692f09b89135015d611c4988d4772f8a1e6557fa68b4667d467334461009cee8c2227dfc3e295289
- Filesize: 2.7MB
  MD5     a0db8a87f7b723266c8b04255da46b06
  SHA1    4df00ea56d22d88f3d2e005ef66bad5b3ef92ebf
  SHA256  60b43cdce0f807f7891521f396f53def34a7d98986dbde0faa2a197189c587f3
  SHA512  41b8fc467d11af7ca6a42c7e94d1b8295ab3ae5d6d186b4f378e6e079440520e8324b695da1134beb2bc1697d2491edcc70c1b75ab6fc66b9c1cb2ecbcdb4a7d
- Filesize: 8.4MB
  MD5     0952a8705afa7f027d1ffbd69e39abf7
  SHA1    ab61d8104c5d9c2c138163d8a58deef787ea2ef5
  SHA256  b8c75ca17a79f3c95bd9aa1c7dd637647c67b78fa5e4f2d651121f84f3dfc835
  SHA512  608f6707ae1e48ba1d707d3f874590c97a24309c33b1032d2f7bc74f6bfdeecc840467270988bfabe803984141c50f624b944937b060eb0f4a72d1ae1af78fb7
- Filesize: 64B
  MD5     03dcf5f5cdf990737b8aebe998025dd1
  SHA1    5cea26039b79bc95763ae7c3c4d6b49a250144fe
  SHA256  ade34f1def90b849b72827918510d551089bc351852cc44bbc2b99fb9943de75
  SHA512  3bdcda39efa810cdb4e4a7d314a973507bcb25c2d99a813aac6950ecfc9d7dc751b2720ee458874697d5ab394d8cc8b60fed5962b98a1926e1d2cc552e1c97d4
- Filesize: 4B
  MD5     9a86d531e19ec6f5937ad1373bb118bd
  SHA1    9491531157806078a1ce2da9ab6ff7e33761d86f
  SHA256  b8e5918871d490fedab8e3b8de116e80b2cdd5c5b3027d927853cea5b279d19d
  SHA512  75093d0afd2265b66dfda5c4dac853b7c703594411d67c83f8f420994005bf2078061fe7219fe7682ebb40951dbb488f8c9d627520e783dced24a6afd879f9cc
- Filesize: 7.4MB
  MD5     88590909765350c0d70c6c34b1f31dd2
  SHA1    129b27c3926e53e5df6d44cc6adf39c3a8d9ebf7
  SHA256  46fe244b548265c78ab961e8f787bc8bf21edbcaaf175fa3b8be3137c6845a82
  SHA512  a8af08d9169a31a1c3419d4e6e8fbe608c800d323840563b5a560d3e09e78a492201f07cc0d3864efbff8ad81e59885fc43a6b749e0a3377aa8555df258af192
- Filesize: 218B
  MD5     51ffb85541f98f1bb444875dd66eacfc
  SHA1    3faac1a020f8f35889529baca1bffd373c9a7b83
  SHA256  a9ec09359c190fc186eecff5ec3a8f796ac5e6d9d196c867c0fa4941de24a8e4
  SHA512  693c9910cf81f4265678f9aa9648d1b867947634613f726d37947cee1e9020fc452cf1cc7bbf2adc6224a91bc10f3e287b30875f3f98d1241ecabe325bb4e613