Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Resubmissions
04/07/2024, 00:14
240704-aja8yatdpj 1004/07/2024, 00:13
240704-ahtc5atdmp 1004/07/2024, 00:12
240704-ag9cysvgma 1004/07/2024, 00:05
240704-adjywstbnr 1003/07/2024, 23:40
240703-3n1cvascrn 1003/07/2024, 23:38
240703-3mqr1stere 10Analysis
-
max time kernel
94s -
max time network
210s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
04/07/2024, 00:14
Behavioral task
behavioral1
Sample
Lowkey_Spoofer.zip
Resource
win10v2004-20240611-en
Behavioral task
behavioral2
Sample
Lowkey/Lowkey/LowkeySpoofer.exe
Resource
win10v2004-20240611-en
Behavioral task
behavioral3
Sample
discord_token_grabber.pyc
Resource
win10v2004-20240611-en
Behavioral task
behavioral4
Sample
get_cookies.pyc
Resource
win10v2004-20240508-en
Behavioral task
behavioral5
Sample
misc.pyc
Resource
win10v2004-20240508-en
Behavioral task
behavioral6
Sample
passwords_grabber.pyc
Resource
win10v2004-20240508-en
Behavioral task
behavioral7
Sample
source_prepared.pyc
Resource
win10v2004-20240611-en
General
-
Target
passwords_grabber.pyc
-
Size
7KB
-
MD5
bbb6ab7b8230cca0ac46532a612143d0
-
SHA1
4bf5ebb19c5807cfb4b48191ec65b329d67763cd
-
SHA256
8655f8885fa28c9633563e0264e65206eae277fb020f85a836be27f0fc3d7ec4
-
SHA512
21353818de5a2e192bcdb38e0765b675258ae733eb634c1b01fbf53dc22946b0eee127c975be7a63d20a8db2b87521fe0ed85f2ec09dcc2f3adf5a7fea0b180e
-
SSDEEP
192:h114qWLfhuUIxzOK2cxDJb+XUhetovxEPz:V4qWLfMtzVxDAEW7
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings cmd.exe Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings OpenWith.exe -
Opens file in notepad (likely ransom note) 1 IoCs
pid Process 392 NOTEPAD.EXE -
Suspicious use of SetWindowsHookEx 19 IoCs
pid Process 4120 OpenWith.exe 4120 OpenWith.exe 4120 OpenWith.exe 4120 OpenWith.exe 4120 OpenWith.exe 4120 OpenWith.exe 4120 OpenWith.exe 4120 OpenWith.exe 4120 OpenWith.exe 4120 OpenWith.exe 4120 OpenWith.exe 4120 OpenWith.exe 4120 OpenWith.exe 4120 OpenWith.exe 4120 OpenWith.exe 4120 OpenWith.exe 4120 OpenWith.exe 4120 OpenWith.exe 4120 OpenWith.exe -
Suspicious use of WriteProcessMemory 2 IoCs
description pid Process procid_target PID 4120 wrote to memory of 392 4120 OpenWith.exe 93 PID 4120 wrote to memory of 392 4120 OpenWith.exe 93
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\passwords_grabber.pyc1⤵
- Modifies registry class
PID:4492
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4120 -
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\passwords_grabber.pyc2⤵
- Opens file in notepad (likely ransom note)
PID:392
-