Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Resubmissions
04/07/2024, 00:14
240704-aja8yatdpj 1004/07/2024, 00:13
240704-ahtc5atdmp 1004/07/2024, 00:12
240704-ag9cysvgma 1004/07/2024, 00:05
240704-adjywstbnr 1003/07/2024, 23:40
240703-3n1cvascrn 1003/07/2024, 23:38
240703-3mqr1stere 10Analysis
-
max time kernel
296s -
max time network
299s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
04/07/2024, 00:14
Behavioral task
behavioral1
Sample
Lowkey_Spoofer.zip
Resource
win10v2004-20240611-en
Behavioral task
behavioral2
Sample
Lowkey/Lowkey/LowkeySpoofer.exe
Resource
win10v2004-20240611-en
Behavioral task
behavioral3
Sample
discord_token_grabber.pyc
Resource
win10v2004-20240611-en
Behavioral task
behavioral4
Sample
get_cookies.pyc
Resource
win10v2004-20240508-en
Behavioral task
behavioral5
Sample
misc.pyc
Resource
win10v2004-20240508-en
Behavioral task
behavioral6
Sample
passwords_grabber.pyc
Resource
win10v2004-20240508-en
Behavioral task
behavioral7
Sample
source_prepared.pyc
Resource
win10v2004-20240611-en
General
-
Target
get_cookies.pyc
-
Size
9KB
-
MD5
9bdb8627dc166823e7d60603575b689a
-
SHA1
de56b5f8b3e891ad07760544132bd357f1e62368
-
SHA256
1078edad1660d103c2135793ea9707e4ef7877fb4be7b87c0e538ed84920212c
-
SHA512
789d21f744eff44456585fd27cd88a67e26b55ed1a043aa76a4b5e63f7dfad99013ca09b15fabecd041f8d35f8d22502c08efd0bb11d26ca083f02a64eae6d3a
-
SSDEEP
192:kNal3eiNis9QfUFoxJvm79F211G67+PtAhN:kJiB2lrj7jKlAhN
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings cmd.exe Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings OpenWith.exe -
Opens file in notepad (likely ransom note) 1 IoCs
pid Process 4588 NOTEPAD.EXE -
Suspicious use of SetWindowsHookEx 17 IoCs
pid Process 4492 OpenWith.exe 4492 OpenWith.exe 4492 OpenWith.exe 4492 OpenWith.exe 4492 OpenWith.exe 4492 OpenWith.exe 4492 OpenWith.exe 4492 OpenWith.exe 4492 OpenWith.exe 4492 OpenWith.exe 4492 OpenWith.exe 4492 OpenWith.exe 4492 OpenWith.exe 4492 OpenWith.exe 4492 OpenWith.exe 4492 OpenWith.exe 4492 OpenWith.exe -
Suspicious use of WriteProcessMemory 2 IoCs
description pid Process procid_target PID 4492 wrote to memory of 4588 4492 OpenWith.exe 90 PID 4492 wrote to memory of 4588 4492 OpenWith.exe 90
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\get_cookies.pyc1⤵
- Modifies registry class
PID:1228
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4492 -
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\get_cookies.pyc2⤵
- Opens file in notepad (likely ransom note)
PID:4588
-