Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
14/06/2024, 01:08
Behavioral task
behavioral1
Sample
d242df7f2b38186e3ff903b28119c09883df033ba2519e9b5f19eb0652f78975.exe
Resource
win7-20240611-en
Behavioral task
behavioral2
Sample
d242df7f2b38186e3ff903b28119c09883df033ba2519e9b5f19eb0652f78975.exe
Resource
win10v2004-20240508-en
General
-
Target
d242df7f2b38186e3ff903b28119c09883df033ba2519e9b5f19eb0652f78975.exe
-
Size
313KB
-
MD5
2aeeb429e9290526b96bf4b58b2411ad
-
SHA1
4b4527fbd51763b51d4acebcf157ba3bd5082ce1
-
SHA256
d242df7f2b38186e3ff903b28119c09883df033ba2519e9b5f19eb0652f78975
-
SHA512
8de691347446377838638dd97ab36ad4fbec672be0158451778901bf4ee62b6002f18fe06c7365b952d0650308eb78dadd9d338c91c67b181041807004c242cc
-
SSDEEP
6144:48XN6W8mmHPtppXPSi9b4qt3GPMVRSbfWraqe9s:FN6qatppXP1t3jcWraq
Malware Config
Extracted
xworm
5.1
119.59.98.116:7812
JBMeOx2rIgGrdV0y
-
Install_directory
%AppData%
-
install_file
Windows Defender security.exe
-
telegram
https://api.telegram.org/bot6110313252:AAE6fFOzBefHnbenT-1DwxI9EBeZQTxbYGk/sendMessage?chat_id=6291749148
Extracted
asyncrat
Default
127.0.0.1:6606
127.0.0.1:7707
127.0.0.1:8808
https://api.telegram.org/bot6110313252:AAE6fFOzBefHnbenT-1DwxI9EBeZQTxbYGk/sendMessage?chat_id=6291749148
AsyncMutex_6SI8OkPnk
-
delay
3
-
install
false
-
install_folder
%AppData%
Extracted
asyncrat
Venom RAT + HVNC + Stealer + Grabber v6.0.3
Default
119.59.98.116:7812
WindowsDefendersecurityService
-
delay
1
-
install
true
-
install_file
Windows Defender Security Service.exe
-
install_folder
%AppData%
Signatures
-
Detect Xworm Payload 2 IoCs
resource yara_rule behavioral2/files/0x00070000000233fd-18.dat family_xworm behavioral2/memory/2140-39-0x0000000000910000-0x0000000000920000-memory.dmp family_xworm -
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload 2 IoCs
resource yara_rule behavioral2/files/0x0006000000023278-7.dat family_stormkitty behavioral2/memory/4496-41-0x0000000000720000-0x0000000000750000-memory.dmp family_stormkitty -
Async RAT payload 2 IoCs
resource yara_rule behavioral2/files/0x0006000000023278-7.dat family_asyncrat behavioral2/files/0x00070000000233fe-29.dat family_asyncrat -
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation Windows Defender security.exe Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation d242df7f2b38186e3ff903b28119c09883df033ba2519e9b5f19eb0652f78975.exe Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation Windows Security Service Host.exe -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Defender security.lnk Windows Defender security.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Defender security.lnk Windows Defender security.exe -
Executes dropped EXE 7 IoCs
pid Process 4496 svchost.exe 2140 Windows Defender security.exe 3404 Windows Security Service Host.exe 4036 Windows Defender Security Service.exe 1740 Windows Defender security.exe 2468 Windows Defender security.exe 1096 Windows Defender security.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Defender security = "C:\\Users\\Admin\\AppData\\Roaming\\Windows Defender security.exe" Windows Defender security.exe -
Drops desktop.ini file(s) 8 IoCs
description ioc Process File created C:\Users\Admin\AppData\Local\bd0f31557645cf98f12f3f81f5944b53\Admin@SNFVGQLU_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini svchost.exe File created C:\Users\Admin\AppData\Local\bd0f31557645cf98f12f3f81f5944b53\Admin@SNFVGQLU_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini svchost.exe File created C:\Users\Admin\AppData\Local\bd0f31557645cf98f12f3f81f5944b53\Admin@SNFVGQLU_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini svchost.exe File created C:\Users\Admin\AppData\Local\bd0f31557645cf98f12f3f81f5944b53\Admin@SNFVGQLU_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Local\bd0f31557645cf98f12f3f81f5944b53\Admin@SNFVGQLU_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini svchost.exe File created C:\Users\Admin\AppData\Local\bd0f31557645cf98f12f3f81f5944b53\Admin@SNFVGQLU_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Local\bd0f31557645cf98f12f3f81f5944b53\Admin@SNFVGQLU_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini svchost.exe File created C:\Users\Admin\AppData\Local\bd0f31557645cf98f12f3f81f5944b53\Admin@SNFVGQLU_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini svchost.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 8 icanhazip.com -
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier svchost.exe -
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 3692 schtasks.exe 3616 schtasks.exe -
Delays execution with timeout.exe 1 IoCs
pid Process 4484 timeout.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 2140 Windows Defender security.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3404 Windows Security Service Host.exe 3404 Windows Security Service Host.exe 3404 Windows Security Service Host.exe 3404 Windows Security Service Host.exe 3404 Windows Security Service Host.exe 3404 Windows Security Service Host.exe 3404 Windows Security Service Host.exe 3404 Windows Security Service Host.exe 3404 Windows Security Service Host.exe 3404 Windows Security Service Host.exe 3404 Windows Security Service Host.exe 3404 Windows Security Service Host.exe 3404 Windows Security Service Host.exe 3404 Windows Security Service Host.exe 3404 Windows Security Service Host.exe 3404 Windows Security Service Host.exe 3404 Windows Security Service Host.exe 3404 Windows Security Service Host.exe 3404 Windows Security Service Host.exe 3404 Windows Security Service Host.exe 3404 Windows Security Service Host.exe 3404 Windows Security Service Host.exe 3404 Windows Security Service Host.exe 3404 Windows Security Service Host.exe 3404 Windows Security Service Host.exe 3404 Windows Security Service Host.exe 3404 Windows Security Service Host.exe 3404 Windows Security Service Host.exe 3404 Windows Security Service Host.exe 2140 Windows Defender security.exe 4036 Windows Defender Security Service.exe 4036 Windows Defender Security Service.exe 4036 Windows Defender Security Service.exe 4036 Windows Defender Security Service.exe 4036 Windows Defender Security Service.exe 4036 Windows Defender Security Service.exe 4036 Windows Defender Security Service.exe 4036 Windows Defender Security Service.exe 4036 Windows Defender Security Service.exe 4036 Windows Defender Security Service.exe 4036 Windows Defender Security Service.exe 4036 Windows Defender Security Service.exe 4036 Windows Defender Security Service.exe 4036 Windows Defender Security Service.exe 4036 Windows Defender Security Service.exe 4036 Windows Defender Security Service.exe 4036 Windows Defender Security Service.exe 4036 Windows Defender Security Service.exe 4036 Windows Defender Security Service.exe 4036 Windows Defender Security Service.exe 4496 svchost.exe 4036 Windows Defender Security Service.exe 4036 Windows Defender Security Service.exe 4496 svchost.exe 4496 svchost.exe 4496 svchost.exe 4036 Windows Defender Security Service.exe 4036 Windows Defender Security Service.exe 4036 Windows Defender Security Service.exe 4036 Windows Defender Security Service.exe 4036 Windows Defender Security Service.exe 4036 Windows Defender Security Service.exe 4036 Windows Defender Security Service.exe 4036 Windows Defender Security Service.exe -
Suspicious use of AdjustPrivilegeToken 9 IoCs
description pid Process Token: SeDebugPrivilege 2140 Windows Defender security.exe Token: SeDebugPrivilege 3404 Windows Security Service Host.exe Token: SeDebugPrivilege 4496 svchost.exe Token: SeDebugPrivilege 3404 Windows Security Service Host.exe Token: SeDebugPrivilege 4036 Windows Defender Security Service.exe Token: SeDebugPrivilege 4036 Windows Defender Security Service.exe Token: SeDebugPrivilege 1740 Windows Defender security.exe Token: SeDebugPrivilege 2468 Windows Defender security.exe Token: SeDebugPrivilege 1096 Windows Defender security.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2140 Windows Defender security.exe 4036 Windows Defender Security Service.exe -
Suspicious use of WriteProcessMemory 40 IoCs
description pid Process procid_target PID 4344 wrote to memory of 4496 4344 d242df7f2b38186e3ff903b28119c09883df033ba2519e9b5f19eb0652f78975.exe 85 PID 4344 wrote to memory of 4496 4344 d242df7f2b38186e3ff903b28119c09883df033ba2519e9b5f19eb0652f78975.exe 85 PID 4344 wrote to memory of 4496 4344 d242df7f2b38186e3ff903b28119c09883df033ba2519e9b5f19eb0652f78975.exe 85 PID 4344 wrote to memory of 2140 4344 d242df7f2b38186e3ff903b28119c09883df033ba2519e9b5f19eb0652f78975.exe 86 PID 4344 wrote to memory of 2140 4344 d242df7f2b38186e3ff903b28119c09883df033ba2519e9b5f19eb0652f78975.exe 86 PID 4344 wrote to memory of 3404 4344 d242df7f2b38186e3ff903b28119c09883df033ba2519e9b5f19eb0652f78975.exe 87 PID 4344 wrote to memory of 3404 4344 d242df7f2b38186e3ff903b28119c09883df033ba2519e9b5f19eb0652f78975.exe 87 PID 3404 wrote to memory of 3620 3404 Windows Security Service Host.exe 88 PID 3404 wrote to memory of 3620 3404 Windows Security Service Host.exe 88 PID 3404 wrote to memory of 1436 3404 Windows Security Service Host.exe 90 PID 3404 wrote to memory of 1436 3404 Windows Security Service Host.exe 90 PID 1436 wrote to memory of 4484 1436 cmd.exe 92 PID 1436 wrote to memory of 4484 1436 cmd.exe 92 PID 3620 wrote to memory of 3692 3620 cmd.exe 93 PID 3620 wrote to memory of 3692 3620 cmd.exe 93 PID 2140 wrote to memory of 3616 2140 Windows Defender security.exe 94 PID 2140 wrote to memory of 3616 2140 Windows Defender security.exe 94 PID 1436 wrote to memory of 4036 1436 cmd.exe 97 PID 1436 wrote to memory of 4036 1436 cmd.exe 97 PID 4496 wrote to memory of 4480 4496 svchost.exe 98 PID 4496 wrote to memory of 4480 4496 svchost.exe 98 PID 4496 wrote to memory of 4480 4496 svchost.exe 98 PID 4480 wrote to memory of 4972 4480 cmd.exe 100 PID 4480 wrote to memory of 4972 4480 cmd.exe 100 PID 4480 wrote to memory of 4972 4480 cmd.exe 100 PID 4480 wrote to memory of 4728 4480 cmd.exe 101 PID 4480 wrote to memory of 4728 4480 cmd.exe 101 PID 4480 wrote to memory of 4728 4480 cmd.exe 101 PID 4480 wrote to memory of 2612 4480 cmd.exe 102 PID 4480 wrote to memory of 2612 4480 cmd.exe 102 PID 4480 wrote to memory of 2612 4480 cmd.exe 102 PID 4496 wrote to memory of 3416 4496 svchost.exe 103 PID 4496 wrote to memory of 3416 4496 svchost.exe 103 PID 4496 wrote to memory of 3416 4496 svchost.exe 103 PID 3416 wrote to memory of 4940 3416 cmd.exe 105 PID 3416 wrote to memory of 4940 3416 cmd.exe 105 PID 3416 wrote to memory of 4940 3416 cmd.exe 105 PID 3416 wrote to memory of 2808 3416 cmd.exe 106 PID 3416 wrote to memory of 2808 3416 cmd.exe 106 PID 3416 wrote to memory of 2808 3416 cmd.exe 106 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\d242df7f2b38186e3ff903b28119c09883df033ba2519e9b5f19eb0652f78975.exe"C:\Users\Admin\AppData\Local\Temp\d242df7f2b38186e3ff903b28119c09883df033ba2519e9b5f19eb0652f78975.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4344 -
C:\Users\Admin\AppData\Roaming\svchost.exe"C:\Users\Admin\AppData\Roaming\svchost.exe"2⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4496 -
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All3⤵
- Suspicious use of WriteProcessMemory
PID:4480 -
C:\Windows\SysWOW64\chcp.comchcp 650014⤵PID:4972
-
-
C:\Windows\SysWOW64\netsh.exenetsh wlan show profile4⤵PID:4728
-
-
C:\Windows\SysWOW64\findstr.exefindstr All4⤵PID:2612
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid3⤵
- Suspicious use of WriteProcessMemory
PID:3416 -
C:\Windows\SysWOW64\chcp.comchcp 650014⤵PID:4940
-
-
C:\Windows\SysWOW64\netsh.exenetsh wlan show networks mode=bssid4⤵PID:2808
-
-
-
-
C:\Users\Admin\AppData\Roaming\Windows Defender security.exe"C:\Users\Admin\AppData\Roaming\Windows Defender security.exe"2⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2140 -
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Windows Defender security" /tr "C:\Users\Admin\AppData\Roaming\Windows Defender security.exe"3⤵
- Creates scheduled task(s)
PID:3616
-
-
-
C:\Users\Admin\AppData\Roaming\Windows Security Service Host.exe"C:\Users\Admin\AppData\Roaming\Windows Security Service Host.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3404 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Windows Defender Security Service" /tr '"C:\Users\Admin\AppData\Roaming\Windows Defender Security Service.exe"' & exit3⤵
- Suspicious use of WriteProcessMemory
PID:3620 -
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "Windows Defender Security Service" /tr '"C:\Users\Admin\AppData\Roaming\Windows Defender Security Service.exe"'4⤵
- Creates scheduled task(s)
PID:3692
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp536F.tmp.bat""3⤵
- Suspicious use of WriteProcessMemory
PID:1436 -
C:\Windows\system32\timeout.exetimeout 34⤵
- Delays execution with timeout.exe
PID:4484
-
-
C:\Users\Admin\AppData\Roaming\Windows Defender Security Service.exe"C:\Users\Admin\AppData\Roaming\Windows Defender Security Service.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4036
-
-
-
-
C:\Users\Admin\AppData\Roaming\Windows Defender security.exe"C:\Users\Admin\AppData\Roaming\Windows Defender security.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1740
-
C:\Users\Admin\AppData\Roaming\Windows Defender security.exe"C:\Users\Admin\AppData\Roaming\Windows Defender security.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2468
-
C:\Users\Admin\AppData\Roaming\Windows Defender security.exe"C:\Users\Admin\AppData\Roaming\Windows Defender security.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1096
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
654B
MD52ff39f6c7249774be85fd60a8f9a245e
SHA1684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA5121d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1
-
Filesize
178B
MD5cd3233af885693391fdec5620c3880c4
SHA19c4f8a2582c0e29d6104638f1aa71310093757d9
SHA2563a9df5ba36d093a95a94faa569491080b82ad38886c3f7c0a7e631a603383b4a
SHA51295f5b7107e8e885d4dc14332d408c52214704c4aa6c32bad9541c46b39dcbe20426e6197fc1614289e5829efe46433abb4c19f84f39f758f714cab163138e8a9
-
C:\Users\Admin\AppData\Local\bd0f31557645cf98f12f3f81f5944b53\Admin@SNFVGQLU_en-US\System\Process.txt
Filesize4KB
MD516b379e5e9278c314460b4ce33724b2d
SHA1958af972b0393f189ece396a948a778b97f9b9da
SHA2566bd26a9e258db86c9b1cab9d369958a5617f21034a85a4cbf7564f488f59e9e9
SHA512de0eae30a8e4797754cb20c5a246cd69cc2920fd535fd3f6e8edc6bd6afc3657984b27ff236624cfeffe02a7ed1c82a9cf0d62f3cfaad18b9a0dc1c6d9cfa356
-
Filesize
1B
MD5cfcd208495d565ef66e7dff9f98764da
SHA1b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA2565feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA51231bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99
-
Filesize
8B
MD5cf759e4c5f14fe3eec41b87ed756cea8
SHA1c27c796bb3c2fac929359563676f4ba1ffada1f5
SHA256c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761
SHA512c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b
-
Filesize
42KB
MD5454abb9d524208fb694e7e70c0fbc56a
SHA1060037a032fa3ccf469d902e12c1523e00040748
SHA256c93c27a171d7a883f34e944d16bb47f0e949eb36181060f923e4d8df8da24298
SHA512dd390f87dfb7f80074c92a61ae1ee65193855dc0b7dafe14ae65aedffb92625d6ebb5ea9fac9e452ad0ee4b3bb0d8923a926793c87a4af745f718921688d4b54
-
Filesize
74KB
MD5c3f58ffd73d3afc5cc08a29dc5a864c8
SHA1aad0a8c93043e3a4f7c422278c9c02a016ed55b7
SHA25627d16a4b6970b62bc05c437177605391f7788a3e602e69da9d1375ace81b4ee2
SHA5124d45d348bbbc2d503eea99c7265e68c6ce87cf8be982ba153c6e8e6c58484476fc4287a91f8cff2eaa3f4ff1de04e02b2b4bcb597326c6963b28967670fc50b7
-
Filesize
170KB
MD51d94cbce42232d67fb1e032e1e61d77e
SHA10f10e767c0cba85a39122b8e040c976de50dc468
SHA2565b9f1c1780a2889685343734f81db30b92b7407cc8e476d01cf4f46d37db04a9
SHA5125f8a3c1d35fe009b36c54bed90e8ce44bba86180a409855b10b4693d123f1c323f8c928507d01ba552eff6e387074a07736bb7851dbf1984db0d750107eaeff4