Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 149s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240412-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24/04/2024, 09:16
Behavioral task: behavioral1
Sample: b019a47dc528a7197129adec69ea6813c28e60884c267cd297524296861a9ed6.exe
Resource: win10v2004-20240412-en
Behavioral task: behavioral2
Sample: b019a47dc528a7197129adec69ea6813c28e60884c267cd297524296861a9ed6.exe
Resource: win11-20240412-en
General
Target: b019a47dc528a7197129adec69ea6813c28e60884c267cd297524296861a9ed6.exe
Size: 49KB
MD5: f8c0512008daff966ef349e7178d1239
SHA1: 2a74048cf5009ab0f850e3992ffe7a453e3e18a5
SHA256: b019a47dc528a7197129adec69ea6813c28e60884c267cd297524296861a9ed6
SHA512: f8c208da88e213f96531b09ea4cdffd82368373aeb9868f11e35135052cf80ffceb89c64da83969aa2df3505579fefc673a0e6346b3b6c361a7d29089f56a3fa
SSDEEP: 768:FpJRqkmuoYiL7pr4y9iIn0N+LJwdFNt9cHpa6vOAh2HVXj+T3I:FpJRqVRNr42uNBFf9ipa6vOAwVST3I
Malware Config

Extracted family: xworm
5.0
127.0.0.1:7000
91.92.252.220:7000
MeDwR8PJidtfrQQa
Install_directory: %AppData%
install_file: explorer.exe
telegram: https://api.telegram.org/bot2128988424:AAEkYnwvOQA95riqRZwlqBxg4GV-odRNOyo/sendMessage?chat_id=966649672

Extracted family: limerat
bc1q7p5qe345uqww9e4ut3nt08tu2lsgnvfsc40azt
aes_key: KILLER
antivm: false
c2_url: https://pastebin.com/raw/4EtQAvTV
delay: 3
download_payload: false
install: true
install_name: browser.exe
main_folder: AppData
pin_spread: true
sub_folder: \
usb_spread: true
Signatures

Detect Xworm Payload (2 IoCs)
  resource | yara_rule
  behavioral1/memory/2124-0-0x0000000000FF0000-0x0000000001002000-memory.dmp | family_xworm
  behavioral1/files/0x00080000000233ce-70.dat | family_xworm

StormKitty
  StormKitty is an open source info stealer written in C#.

StormKitty payload (1 IoC)
  resource | yara_rule
  behavioral1/memory/2124-77-0x000000001EAB0000-0x000000001EBCE000-memory.dmp | family_stormkitty

Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation | b019a47dc528a7197129adec69ea6813c28e60884c267cd297524296861a9ed6.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation | browser.exe

Drops startup file (3 IoCs)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.lnk | b019a47dc528a7197129adec69ea6813c28e60884c267cd297524296861a9ed6.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.lnk | b019a47dc528a7197129adec69ea6813c28e60884c267cd297524296861a9ed6.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.lnk | browser.exe

Executes dropped EXE (3 IoCs)
  pid | Process
  1688 | explorer.exe
  3328 | browser.exe
  4912 | explorer.exe

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Users\\Admin\\AppData\\Roaming\\explorer.exe" | b019a47dc528a7197129adec69ea6813c28e60884c267cd297524296861a9ed6.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Users\\Admin\\AppData\\Roaming\\explorer.exe" | browser.exe

Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  36 | ip-api.com
  116 | ip-api.com

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 3 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  4332 | schtasks.exe
  1956 | schtasks.exe
  232 | schtasks.exe

Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  pid | Process
  2124 | b019a47dc528a7197129adec69ea6813c28e60884c267cd297524296861a9ed6.exe
  3328 | browser.exe

Suspicious behavior: EnumeratesProcesses (24 IoCs; repeated entries are collapsed with a count)
  pid | Process | entries
  4756 | powershell.exe | 3
  4912 | powershell.exe | 3
  2188 | powershell.exe | 3
  2192 | powershell.exe | 3
  2124 | b019a47dc528a7197129adec69ea6813c28e60884c267cd297524296861a9ed6.exe | 1
  1920 | powershell.exe | 2
  3584 | powershell.exe | 2
  3936 | powershell.exe | 2
  2604 | powershell.exe | 2
  3328 | browser.exe | 3

Suspicious use of AdjustPrivilegeToken (14 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2124 | b019a47dc528a7197129adec69ea6813c28e60884c267cd297524296861a9ed6.exe
  Token: SeDebugPrivilege | 4756 | powershell.exe
  Token: SeDebugPrivilege | 4912 | powershell.exe
  Token: SeDebugPrivilege | 2188 | powershell.exe
  Token: SeDebugPrivilege | 2192 | powershell.exe
  Token: SeDebugPrivilege | 2124 | b019a47dc528a7197129adec69ea6813c28e60884c267cd297524296861a9ed6.exe
  Token: SeDebugPrivilege | 1688 | explorer.exe
  Token: SeDebugPrivilege | 3328 | browser.exe
  Token: SeDebugPrivilege | 1920 | powershell.exe
  Token: SeDebugPrivilege | 3584 | powershell.exe
  Token: SeDebugPrivilege | 3936 | powershell.exe
  Token: SeDebugPrivilege | 2604 | powershell.exe
  Token: SeDebugPrivilege | 3328 | browser.exe
  Token: SeDebugPrivilege | 4912 | explorer.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | Process
  2124 | b019a47dc528a7197129adec69ea6813c28e60884c267cd297524296861a9ed6.exe
  3328 | browser.exe

Suspicious use of WriteProcessMemory (24 IoCs; each write is logged twice in the report, so every row below stands for 2 entries)
  description | pid | Process | procid_target
  PID 2124 wrote to memory of 4756 | 2124 | b019a47dc528a7197129adec69ea6813c28e60884c267cd297524296861a9ed6.exe | 92
  PID 2124 wrote to memory of 4912 | 2124 | b019a47dc528a7197129adec69ea6813c28e60884c267cd297524296861a9ed6.exe | 94
  PID 2124 wrote to memory of 2188 | 2124 | b019a47dc528a7197129adec69ea6813c28e60884c267cd297524296861a9ed6.exe | 96
  PID 2124 wrote to memory of 2192 | 2124 | b019a47dc528a7197129adec69ea6813c28e60884c267cd297524296861a9ed6.exe | 98
  PID 2124 wrote to memory of 1956 | 2124 | b019a47dc528a7197129adec69ea6813c28e60884c267cd297524296861a9ed6.exe | 101
  PID 2124 wrote to memory of 232 | 2124 | b019a47dc528a7197129adec69ea6813c28e60884c267cd297524296861a9ed6.exe | 115
  PID 2124 wrote to memory of 3328 | 2124 | b019a47dc528a7197129adec69ea6813c28e60884c267cd297524296861a9ed6.exe | 117
  PID 3328 wrote to memory of 1920 | 3328 | browser.exe | 118
  PID 3328 wrote to memory of 3584 | 3328 | browser.exe | 120
  PID 3328 wrote to memory of 3936 | 3328 | browser.exe | 122
  PID 3328 wrote to memory of 2604 | 3328 | browser.exe | 124
  PID 3328 wrote to memory of 4332 | 3328 | browser.exe | 126

Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (child processes are indented under their parent)

C:\Users\Admin\AppData\Local\Temp\b019a47dc528a7197129adec69ea6813c28e60884c267cd297524296861a9ed6.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b019a47dc528a7197129adec69ea6813c28e60884c267cd297524296861a9ed6.exe"
  PID: 2124
  - Checks computer location settings
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\b019a47dc528a7197129adec69ea6813c28e60884c267cd297524296861a9ed6.exe'
    PID: 4756
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'b019a47dc528a7197129adec69ea6813c28e60884c267cd297524296861a9ed6.exe'
    PID: 4912
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\explorer.exe'
    PID: 2188
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'explorer.exe'
    PID: 2192
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\System32\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "explorer" /tr "C:\Users\Admin\AppData\Roaming\explorer.exe"
    PID: 1956
    - Creates scheduled task(s)

  C:\Windows\SYSTEM32\schtasks.exe
    Command line: schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\AppData\Roaming\browser.exe'"
    PID: 232
    - Creates scheduled task(s)

  C:\Users\Admin\AppData\Roaming\browser.exe
    Command line: "C:\Users\Admin\AppData\Roaming\browser.exe"
    PID: 3328
    - Checks computer location settings
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\browser.exe'
      PID: 1920
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'browser.exe'
      PID: 3584
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\explorer.exe'
      PID: 3936
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'explorer.exe'
      PID: 2604
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "explorer" /tr "C:\Users\Admin\AppData\Roaming\explorer.exe"
      PID: 4332
      - Creates scheduled task(s)

C:\Users\Admin\AppData\Roaming\explorer.exe
  Command line: C:\Users\Admin\AppData\Roaming\explorer.exe
  PID: 1688
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\AppData\Roaming\explorer.exe
  Command line: C:\Users\Admin\AppData\Roaming\explorer.exe
  PID: 4912
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
Downloads