Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Resubmissions

19/04/2024, 16:54

240419-vemfmaaf9v 7

18/04/2024, 15:27

240418-svthrsgg54 10

18/04/2024, 14:53

240418-r9dv7ahc5w 10

General

  • Target

    advbattoexeconverter.exe

  • Size

    804KB

  • Sample

    240418-r9dv7ahc5w

  • MD5

    83bb1b476c7143552853a2cf983c1142

  • SHA1

    8ff8ed5c533d70a7d933ec45264dd700145acd8c

  • SHA256

    af09248cb756488850f9e6f9a7a00149005bf47a9b2087b792ff6bd937297ffb

  • SHA512

    6916c6c5addf43f56b9de217e1b640ab6f4d7e5a73cd33a7189f66c9b7f0b954c5aa635f92fcef5692ca0ca0c8767e97a678e90d545079b5e6d421555f5b761a

  • SSDEEP

    24576:0xFkFHdJ8aT/iziXH6FGnYhqQuimKC6Qpor:0IdJ1KiBYhsl+r

Malware Config

Extracted

Family

socks5systemz

C2

http://aqoocxy.ru/search/?q=67e28dd86958a12b1508fa167c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4de8889b5e4fa9281ae978f371ea771795af8e05c443db22f31dfe339426fa12a466c553adb719a9577e55b8603e983a608ffc15c5ec959e3c

http://aqoocxy.ru/search/?q=67e28dd86958a12b1508fa167c27d78406abdd88be4b12eab517aa5c96bd86e8938548895a8bbc896c58e713bc90c91836b5281fc235a925ed3e50d6bd974a95129070b410e96cc92be510b866db51b9e34eed4c2b14a82966836f23d7f210c7ee969e3ece6f9211

Targets

    • Target

      advbattoexeconverter.exe

    • Size

      804KB

    • MD5

      83bb1b476c7143552853a2cf983c1142

    • SHA1

      8ff8ed5c533d70a7d933ec45264dd700145acd8c

    • SHA256

      af09248cb756488850f9e6f9a7a00149005bf47a9b2087b792ff6bd937297ffb

    • SHA512

      6916c6c5addf43f56b9de217e1b640ab6f4d7e5a73cd33a7189f66c9b7f0b954c5aa635f92fcef5692ca0ca0c8767e97a678e90d545079b5e6d421555f5b761a

    • SSDEEP

      24576:0xFkFHdJ8aT/iziXH6FGnYhqQuimKC6Qpor:0IdJ1KiBYhsl+r

    • Modifies WinLogon for persistence

    • Socks5Systemz

      Socks5Systemz is a botnet written in C++.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unexpected DNS network traffic destination

      Network traffic to other servers than the configured DNS servers was detected on the DNS port.

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Drops Chrome extension

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks