Analysis
- max time kernel: 146s
- max time network: 124s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 13/05/2024, 13:39
Static task
- static1

Behavioral task behavioral1
- Sample: Stolprende.exe
- Resource: win7-20240508-en

Behavioral task behavioral2
- Sample: Stolprende.exe
- Resource: win10v2004-20240426-en

Behavioral task behavioral3
- Sample: $PLUGINSDIR/System.dll
- Resource: win7-20231129-en

Behavioral task behavioral4
- Sample: $PLUGINSDIR/System.dll
- Resource: win10v2004-20240226-en
General
- Target: Stolprende.exe
- Size: 685KB
- MD5: 900a0eb54d29bc61da63381e7920e5e8
- SHA1: 8159aeac02faa944e109d86abd3b020fa51e4907
- SHA256: b073ae4a0ecc5af2e1e13862e97aa242768fe6f3ce1a0eb5bce474be65a5a0a7
- SHA512: 606f1231e11fdfabf849edd81d3f6cf43552b3b602c25009d51dbbef624aa37703aa41c9b6cab61effa00e37d8d4eac759934aeb38e9bfc9feec2d47cea988c0
- SSDEEP: 12288:cDq0UuJqoEQg42Gu/UlGxncCX49maysm46FPwU0TvGvpvIY/:cOpuJqotcDNsWL9FP6ypvD
Malware Config
Signatures
Guloader, Cloudeye
A shellcode-based downloader first seen in 2020.
Loads dropped DLL (1 IoCs)
- pid 3004, Process Stolprende.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)
- flow 3, ioc drive.google.com
- flow 5, ioc drive.google.com

Drops file in System32 directory (1 IoCs)
- File opened for modification: C:\Windows\SysWOW64\sdeliges.hav (Process Stolprende.exe)

Suspicious use of NtCreateThreadExHideFromDebugger (1 IoCs)
- pid 1676, Process Stolprende.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
- pid 3004, Process Stolprende.exe
- pid 1676, Process Stolprende.exe

Suspicious use of SetThreadContext (4 IoCs)
- PID 3004 set thread context of 1676 (pid 3004, Process Stolprende.exe, procid_target 29)
- PID 1676 set thread context of 1192 (pid 1676, Process Stolprende.exe, procid_target 21)
- PID 1676 set thread context of 1700 (pid 1676, Process Stolprende.exe, procid_target 34)
- PID 1700 set thread context of 1192 (pid 1700, Process fontview.exe, procid_target 21)

Drops file in Program Files directory (2 IoCs)
- File opened for modification: C:\Program Files (x86)\sulidae.imp (Process Stolprende.exe)
- File opened for modification: C:\Program Files (x86)\Common Files\hidse.inc (Process Stolprende.exe)

Drops file in Windows directory (6 IoCs)
- File opened for modification: C:\Windows\resources\0409\Keypads\bundproppernes.Goy182 (Process Stolprende.exe)
- File opened for modification: C:\Windows\indgiv.syd (Process Stolprende.exe)
- File opened for modification: C:\Windows\afrits.ini (Process Stolprende.exe)
- File opened for modification: C:\Windows\Fonts\Commodores69.ryk (Process Stolprende.exe)
- File opened for modification: C:\Windows\resources\lejlighedsdigtes\isosmotically.pin (Process Stolprende.exe)
- File opened for modification: C:\Windows\resources\braknses\overvejende.myo (Process Stolprende.exe)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (26 IoCs)
- pid 1676, Process Stolprende.exe (8 entries)
- pid 1700, Process fontview.exe (18 entries)

Suspicious behavior: MapViewOfSection (5 IoCs)
- pid 3004, Process Stolprende.exe (1 entry)
- pid 1676, Process Stolprende.exe (2 entries)
- pid 1700, Process fontview.exe (2 entries)

Suspicious use of UnmapMainImage (1 IoCs)
- pid 1192, Process Explorer.EXE

Suspicious use of WriteProcessMemory (10 IoCs)
- PID 3004 wrote to memory of 1676 (pid 3004, Process Stolprende.exe, procid_target 29; 6 entries)
- PID 1676 wrote to memory of 1700 (pid 1676, Process Stolprende.exe, procid_target 34; 4 entries)
Processes
- C:\Windows\Explorer.EXE, command line C:\Windows\Explorer.EXE (PID 1192)
  - Suspicious use of UnmapMainImage
  - C:\Users\Admin\AppData\Local\Temp\Stolprende.exe, command line "C:\Users\Admin\AppData\Local\Temp\Stolprende.exe" (PID 3004)
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\Stolprende.exe, command line "C:\Users\Admin\AppData\Local\Temp\Stolprende.exe" (PID 1676)
      - Suspicious use of NtCreateThreadExHideFromDebugger
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\fontview.exe, command line "C:\Windows\SysWOW64\fontview.exe" (PID 1700)
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 11KB
- MD5: 9625d5b1754bc4ff29281d415d27a0fd
- SHA1: 80e85afc5cccd4c0a3775edbb90595a1a59f5ce0
- SHA256: c2f405d7402f815d0c3fadd9a50f0bbbb1bab9aa38fe347823478a2587299448
- SHA512: dce52b640897c2e8dbfd0a1472d5377fa91fb9cf1aeff62604d014bccbe5b56af1378f173132abeb0edd18c225b9f8f5e3d3e72434aed946661e036c779f165b