Resubmissions (date, analysis ID, score)
04/07/2024, 00:14  240704-aja8yatdpj  score 10
04/07/2024, 00:13  240704-ahtc5atdmp  score 10
04/07/2024, 00:12  240704-ag9cysvgma  score 10
04/07/2024, 00:05  240704-adjywstbnr  score 10
03/07/2024, 23:40  240703-3n1cvascrn  score 10
03/07/2024, 23:38  240703-3mqr1stere  score 10
Analysis
max time kernel: 300s
max time network: 204s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04/07/2024, 00:14
Behavioral tasks (task, sample, resource)
behavioral1  Lowkey_Spoofer.zip               win10v2004-20240611-en
behavioral2  Lowkey/Lowkey/LowkeySpoofer.exe  win10v2004-20240611-en
behavioral3  discord_token_grabber.pyc        win10v2004-20240611-en
behavioral4  get_cookies.pyc                  win10v2004-20240508-en
behavioral5  misc.pyc                         win10v2004-20240508-en
behavioral6  passwords_grabber.pyc            win10v2004-20240508-en
behavioral7  source_prepared.pyc              win10v2004-20240611-en
General (behavioral7)
Target: source_prepared.pyc
Size: 168KB
MD5: 426743ad2ba02e7a8646b4749528ae0f
SHA1: ac1a08da33334c839724e8680e5eade25d7cc717
SHA256: 0f9ba44d8db56a7f478e6e70086024420794d417035a2fabadca101f602d441f
SHA512: aa87ef2e76ed8670e9e40ac01a4c385e31b652543af5fdbc1b7b8b5c934e94a2bf13562b3dddfd6e6223125a6650beb6a11441261d9c44e30dca1f8da6b8a6af
SSDEEP: 3072:teTH1NaOO/5ESl1RdotPZTJ0pZXScT0o+IvdXzUsTWP:sNaOO/5ESFdoCpUY0oosS
Malware Config
Signatures
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Modifies registry class (2 IoCs)
  Key created  \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings  cmd.exe
  Key created  \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings  OpenWith.exe
Opens file in notepad (likely ransom note) (1 IoC)
  PID 4208  NOTEPAD.EXE
  Caveat: the process tree below shows why this fired. cmd.exe invoked the .pyc directly, the image had no handler for that extension, so OpenWith.exe (the "How do you want to open this file?" dialog) handed the file to Notepad. The sample was displayed as text, not executed as Python, and no ransom note was written; treat this signature as a sandbox artifact for this task. No python.exe appears anywhere in the tree.
Suspicious use of SetWindowsHookEx (13 IoCs)
  PID 1592  OpenWith.exe (all 13 hits)
Suspicious use of WriteProcessMemory (2 IoCs)
  PID 1592 (OpenWith.exe) wrote to memory of PID 4208 (NOTEPAD.EXE), procid_target 102 (2 hits)
  Both hook and memory-write hits come from OpenWith.exe launching the chosen viewer, which is consistent with the dialog rather than with the sample's own code.
Processes
C:\Windows\system32\cmd.exe  cmd /c C:\Users\Admin\AppData\Local\Temp\source_prepared.pyc  (PID 4472)
  - Modifies registry class
C:\Windows\system32\OpenWith.exe  C:\Windows\system32\OpenWith.exe -Embedding  (PID 1592)
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\NOTEPAD.EXE  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\source_prepared.pyc  (PID 4208, child of 1592)
    - Opens file in notepad (likely ransom note)
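Because the tree ends in Notepad, this run tells you nothing about what source_prepared.pyc does. A .pyc is a small header followed by a marshalled code object, so the first static step is to read the header for the CPython version the stealer was compiled against (you need that exact minor version to unmarshal or decompile it), then walk the code object for string constants, attribute names and imports without running anything. The script below is an added example for this report, not tria.ge's tooling and not the sample's code. It assumes the 3.7+ header layout (magic, flags, then hash or mtime and size), uses final-release magic numbers from CPython's importlib table, and compiles a constructed stealer-like stand-in inline because the real file is not on this page.

```python
"""Static triage of a CPython .pyc: read the header, then walk the code object.

Added example, not part of the tria.ge report or the sample. The stand-in source
below is constructed for the demo (stealer-like paths and a placeholder webhook).
"""
import dis
import importlib.util
import marshal
import struct
import sys
import types

RUNNING_VERSION = "%d.%d" % sys.version_info[:2]
RUNNING_MAGIC = struct.unpack("<H", importlib.util.MAGIC_NUMBER[:2])[0]

# Final-release magic numbers from CPython's importlib table (partial), plus
# whatever interpreter is running this script.
KNOWN_MAGIC = {3379: "3.6", 3394: "3.7", 3413: "3.8", 3425: "3.9", 3439: "3.10",
               3495: "3.11", 3531: "3.12", 3571: "3.13"}
KNOWN_MAGIC.setdefault(RUNNING_MAGIC, RUNNING_VERSION)


def parse_pyc(data: bytes) -> dict:
    """Parse the header; unmarshal the code object only when the file was built
    by the same CPython minor version that is running (marshal and code-object
    layout are version specific, so a mismatch would fail or mislead)."""
    if len(data) < 8 or data[2:4] != b"\r\n":
        raise ValueError("not a CPython .pyc (magic trailer b'\\r\\n' missing)")
    magic = struct.unpack("<H", data[:2])[0]
    report = {"magic": magic, "python_version": KNOWN_MAGIC.get(magic, "unknown"),
              "hash_based": False, "unmarshalled": False,
              "imports": set(), "names": set(), "strings": set()}
    # Header layout by era (assumption taken from CPython's importlib history):
    # 3.7+: magic, flags, then source hash or (mtime, size); 3.3-3.6: magic,
    # mtime, size; 2.x and 3.0-3.2: magic, mtime.
    if 3390 <= magic < 10000:
        flags = struct.unpack("<I", data[4:8])[0]
        report["hash_based"] = bool(flags & 1)
        if not report["hash_based"]:
            report["source_mtime"], report["source_size"] = struct.unpack("<II", data[8:16])
        body = data[16:]
    elif 3190 <= magic < 3390:
        report["source_mtime"], report["source_size"] = struct.unpack("<II", data[4:12])
        body = data[12:]
    else:
        report["source_mtime"] = struct.unpack("<I", data[4:8])[0]
        body = data[8:]
    if magic != RUNNING_MAGIC:
        report["note"] = "run under Python %s to inspect the code object" % report["python_version"]
        return report
    _walk(marshal.loads(body), report)
    report["unmarshalled"] = True
    return report


def _walk(code: types.CodeType, report: dict) -> None:
    """Recursively collect attribute/global names, string constants and imports."""
    report["names"].update(code.co_names)
    for const in code.co_consts:
        if isinstance(const, types.CodeType):
            _walk(const, report)
        elif isinstance(const, str):
            report["strings"].add(const)
    for ins in dis.get_instructions(code):
        if ins.opname == "IMPORT_NAME":
            report["imports"].add(ins.argval)


# Constructed stand-in for a Python stealer; NOT the real source_prepared.pyc.
SAMPLE_SOURCE = (
    "import os, base64\n"
    "TOKEN_DIR = os.path.join('AppData', 'Roaming', 'discord', 'Local Storage', 'leveldb')\n"
    "WEBHOOK = 'https://example.invalid/webhook'\n"
    "def grab():\n"
    "    return base64.b64encode(open(TOKEN_DIR, 'rb').read())\n"
)


def build_sample_pyc() -> bytes:
    """Compile the stand-in with the running interpreter (3.7+ header, not hash-based)."""
    code = compile(SAMPLE_SOURCE, "source_prepared.py", "exec")
    header = importlib.util.MAGIC_NUMBER + struct.pack("<III", 0, 0, len(SAMPLE_SOURCE))
    return header + marshal.dumps(code)


def with_magic(data: bytes, magic: int) -> bytes:
    """Rewrite the magic number, to show how a version mismatch is reported."""
    return struct.pack("<H", magic) + data[2:]


if __name__ == "__main__":
    for label, blob in (("same version", build_sample_pyc()),
                        ("foreign version", with_magic(build_sample_pyc(), 3413))):
        r = parse_pyc(blob)
        print(label, r["python_version"], r["unmarshalled"], sorted(r["imports"]),
              sorted(s for s in r["strings"] if "/" in s or "discord" in s))
```

On a real .pyc from the archive, the version line is the actionable output: install that CPython minor version (the sandbox image had none), then unmarshal or hand the file to a decompiler; the import and string lists from the same walk give the stealer's targets and exfiltration endpoint before any dynamic run.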