Resubmissions

26/06/2024, 10:20

240626-mc9jdasfmr 10

26/06/2024, 10:17

240626-mbemlssepl 10

Analysis

  • max time kernel: 119s
  • max time network: 123s
  • platform: windows7_x64
  • resource: win7-20240611-en
  • resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
  • submitted: 26/06/2024, 10:20

General

  • Target: Loader.exe
  • Size: 304KB
  • MD5: f896c2bfec649637e85c463e3a70b2a6
  • SHA1: 04d65945a3b79ee5b48a7e7e22fd24c8198fe332
  • SHA256: d4917f32cf3755b07badf1179d6717d4f17618cb68184f0dda48f4a4bbb45376
  • SHA512: 0fed9a755f93198e795aac73aff0e17478cd51ffb9c19f80fdfdaf53374b32e2016bf83f0415f253b6f76e736cb36fad5269021d73972749c3d3d84206c6ebe0
  • SSDEEP: 6144:bFcT6MDdbICydeBvtCikGW9mhL8PzeVAOe044E:bFK1CikGemQHOeGE

Malware Config

Extracted

  • Family: 44caliber
  • C2: https://discord.com/api/webhooks/1255437795820966010/0VVoLF2QZxnBkoGw_P4ovEIbuHZLKgsoVU8zu2nEJgchI5ahmWwv98_frx1Jjvk7GNic

Signatures

  • 44Caliber
    An open source infostealer written in C#.
  • BlackGuard
    Infostealer first seen in late 2021.
  • Reads user/profile data of web browsers (2 TTPs)
    Infostealers often target stored browser data, which can include saved credentials and similar secrets.
  • Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Looks up external IP address via web service (3 IoCs)
    Uses a legitimate IP lookup service to find the infected system's external IP.
  • Checks processor information in registry (2 TTPs, 2 IoCs)
    Processor information is often read in order to detect sandboxing environments.
  • Suspicious behavior: EnumeratesProcesses (4 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)

Processes

  • C:\Users\Admin\AppData\Local\Temp\Loader.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
    PID: 3032
    • Adds Run key to start application
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\44\Process.txt
    Filesize: 386B
    MD5: 0d09bed9ea652d94cdb1a36dea319996
    SHA1: 3b3347bbdb0e5fe36e5b05f1a536d174ea4a1cfd
    SHA256: e72f92add34544d9c2684c80df080ff133c50158165680689af16c020bfcaabc
    SHA512: 581997b18855f956b430dbffcee74fd9197c8f5ab1b884276f7b6ca61f8a3414f0547f0670cf70c658013f94b71c7bb0abc115ab450fbdb15b32ed6577f7f2df
  • memory/3032-0-0x000007FEF58E3000-0x000007FEF58E4000-memory.dmp
    Filesize: 4KB
  • memory/3032-1-0x0000000000870000-0x00000000008C2000-memory.dmp
    Filesize: 328KB
  • memory/3032-2-0x000007FEF58E0000-0x000007FEF62CC000-memory.dmp
    Filesize: 9.9MB
  • memory/3032-50-0x000007FEF58E0000-0x000007FEF62CC000-memory.dmp
    Filesize: 9.9MB