Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
119s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240611-en -
resource tags
arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system -
submitted
26/06/2024, 10:20
Behavioral task
behavioral1
Sample
Loader.exe
Resource
win7-20240611-en
Behavioral task
behavioral2
Sample
Loader.exe
Resource
win10-20240404-en
Behavioral task
behavioral3
Sample
Loader.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral4
Sample
Loader.exe
Resource
win11-20240508-en
General
-
Target
Loader.exe
-
Size
304KB
-
MD5
f896c2bfec649637e85c463e3a70b2a6
-
SHA1
04d65945a3b79ee5b48a7e7e22fd24c8198fe332
-
SHA256
d4917f32cf3755b07badf1179d6717d4f17618cb68184f0dda48f4a4bbb45376
-
SHA512
0fed9a755f93198e795aac73aff0e17478cd51ffb9c19f80fdfdaf53374b32e2016bf83f0415f253b6f76e736cb36fad5269021d73972749c3d3d84206c6ebe0
-
SSDEEP
6144:bFcT6MDdbICydeBvtCikGW9mhL8PzeVAOe044E:bFK1CikGemQHOeGE
Malware Config
Extracted
44caliber
https://discord.com/api/webhooks/1255437795820966010/0VVoLF2QZxnBkoGw_P4ovEIbuHZLKgsoVU8zu2nEJgchI5ahmWwv98_frx1Jjvk7GNic
Signatures
-
BlackGuard
Infostealer first seen in Late 2021.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\Loader.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Loader.exe\"" Loader.exe -
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 2 api.ipify.org 4 freegeoip.app 5 freegeoip.app -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier Loader.exe Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 Loader.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 3032 Loader.exe 3032 Loader.exe 3032 Loader.exe 3032 Loader.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3032 Loader.exe
Processes
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
386B
MD50d09bed9ea652d94cdb1a36dea319996
SHA13b3347bbdb0e5fe36e5b05f1a536d174ea4a1cfd
SHA256e72f92add34544d9c2684c80df080ff133c50158165680689af16c020bfcaabc
SHA512581997b18855f956b430dbffcee74fd9197c8f5ab1b884276f7b6ca61f8a3414f0547f0670cf70c658013f94b71c7bb0abc115ab450fbdb15b32ed6577f7f2df