Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Resubmissions
04/07/2024, 00:14
240704-aja8yatdpj 1004/07/2024, 00:13
240704-ahtc5atdmp 1004/07/2024, 00:12
240704-ag9cysvgma 1004/07/2024, 00:05
240704-adjywstbnr 1003/07/2024, 23:40
240703-3n1cvascrn 1003/07/2024, 23:38
240703-3mqr1stere 10Analysis
-
max time kernel
149s -
max time network
278s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
04/07/2024, 00:14
Behavioral task
behavioral1
Sample
Lowkey_Spoofer.zip
Resource
win10v2004-20240611-en
Behavioral task
behavioral2
Sample
Lowkey/Lowkey/LowkeySpoofer.exe
Resource
win10v2004-20240611-en
Behavioral task
behavioral3
Sample
discord_token_grabber.pyc
Resource
win10v2004-20240611-en
Behavioral task
behavioral4
Sample
get_cookies.pyc
Resource
win10v2004-20240508-en
Behavioral task
behavioral5
Sample
misc.pyc
Resource
win10v2004-20240508-en
Behavioral task
behavioral6
Sample
passwords_grabber.pyc
Resource
win10v2004-20240508-en
Behavioral task
behavioral7
Sample
source_prepared.pyc
Resource
win10v2004-20240611-en
General
-
Target
misc.pyc
-
Size
4KB
-
MD5
204ee497021e32209ddde0c015b4dc19
-
SHA1
6aa2c039e6b6fbfb3620d4fe42d115553702146b
-
SHA256
a8355eef70645468d11a410d1402e0cab31a194e87172b523b1ff3dea5dbb0c2
-
SHA512
961b15c0efe0478fdf9287e7b3b709233bcd9524be708f426b75dc91eb07ddfc2a2ce4f347d52a3e7402f5307ab755af093d660662fd3c4c465fd41e8d138d12
-
SSDEEP
96:ySMlhlv6KPDweHPF8+VB7sHIZGhIW0vmyyZ1k93hub:LolvJ0evq+VBXZGh4vmV1kFhub
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings cmd.exe Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings OpenWith.exe -
Opens file in notepad (likely ransom note) 1 IoCs
pid Process 3156 NOTEPAD.EXE -
Suspicious use of SetWindowsHookEx 17 IoCs
pid Process 4284 OpenWith.exe 4284 OpenWith.exe 4284 OpenWith.exe 4284 OpenWith.exe 4284 OpenWith.exe 4284 OpenWith.exe 4284 OpenWith.exe 4284 OpenWith.exe 4284 OpenWith.exe 4284 OpenWith.exe 4284 OpenWith.exe 4284 OpenWith.exe 4284 OpenWith.exe 4284 OpenWith.exe 4284 OpenWith.exe 4284 OpenWith.exe 4284 OpenWith.exe -
Suspicious use of WriteProcessMemory 2 IoCs
description pid Process procid_target PID 4284 wrote to memory of 3156 4284 OpenWith.exe 93 PID 4284 wrote to memory of 3156 4284 OpenWith.exe 93
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\misc.pyc1⤵
- Modifies registry class
PID:2160
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4284 -
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\misc.pyc2⤵
- Opens file in notepad (likely ransom note)
PID:3156
-