Analysis
  max time kernel: 121s
  max time network: 123s
  platform: windows7_x64
  resource: win7-20240705-en
  resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
  submitted: 07/07/2024, 22:31 UTC
Behavioral task: behavioral1
  Sample: ad9c3a743ab48629ef8b02e26c82cb0f497669d8ae3b236758f997f695e78c73.exe
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: ad9c3a743ab48629ef8b02e26c82cb0f497669d8ae3b236758f997f695e78c73.exe
  Resource: win10v2004-20240704-en
General
  Target: ad9c3a743ab48629ef8b02e26c82cb0f497669d8ae3b236758f997f695e78c73.exe
  Size: 111KB
  MD5: 6c2c7ef5b5716d674991e364750ff233
  SHA1: abce149b0532326458909c21e6e13063a92f3251
  SHA256: ad9c3a743ab48629ef8b02e26c82cb0f497669d8ae3b236758f997f695e78c73
  SHA512: cf673f324030bb23bfce9e09d3c8d10ceb108fb962557a141f1200d31e89ec4e4c1654d3d6c0657eb38ba4942ab0cc6a7bfffd6159c8d989214c6b94350113ea
  SSDEEP: 1536:L66Cxsr7any9okBEO623Dnii5/u/TMhDLLUfmK5eR+2yMV:Qx6any1EO623/5G/Q1LQmK5eRFt
Malware Config
  Extracted family: phemedrone
  Extracted URL: https://api.telegram.org/bot6861530662:AAFueJRxaIZGz_oVT2-CVuuL9N0MRsh-5_Y/sendDocument
Signatures
- Phemedrone
  An information and wallet stealer written in C#.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  pid    Process
  2528   ad9c3a743ab48629ef8b02e26c82cb0f497669d8ae3b236758f997f695e78c73.exe
  (the same pid/process entry is listed 10 times)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description               pid    Process
  Token: SeDebugPrivilege   2528   ad9c3a743ab48629ef8b02e26c82cb0f497669d8ae3b236758f997f695e78c73.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description                         pid    Process                                                                   procid_target
  PID 2528 wrote to memory of 2788    2528   ad9c3a743ab48629ef8b02e26c82cb0f497669d8ae3b236758f997f695e78c73.exe   33
  (the same entry is listed 3 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\ad9c3a743ab48629ef8b02e26c82cb0f497669d8ae3b236758f997f695e78c73.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ad9c3a743ab48629ef8b02e26c82cb0f497669d8ae3b236758f997f695e78c73.exe"
  Depth: 1, PID: 2528
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\WerFault.exe
    Command line: C:\Windows\system32\WerFault.exe -u -p 2528 -s 2336
    Depth: 2, PID: 2788
- C:\Windows\system32\wbem\WmiApSrv.exe
  Command line: C:\Windows\system32\wbem\WmiApSrv.exe
  Depth: 1, PID: 2872
Network
- DNS query
  Remote address: 8.8.8.8:53
  Request: get.geojs.io IN A
  Response: get.geojs.io IN A 172.67.70.233
            get.geojs.io IN A 104.26.1.100
            get.geojs.io IN A 104.26.0.100
- HTTP request: GET https://get.geojs.io/v1/ip/geo.json
  Process: ad9c3a743ab48629ef8b02e26c82cb0f497669d8ae3b236758f997f695e78c73.exe
  Remote address: 172.67.70.233:443
  Request:
    GET /v1/ip/geo.json HTTP/1.1
    Host: get.geojs.io
    Connection: Keep-Alive
  Response:
    HTTP/1.1 200 OK
    Content-Type: application/json
    Transfer-Encoding: chunked
    Connection: keep-alive
    x-request-id: 70526e74c814c78166ca2bd51b1222d6-AMS
    strict-transport-security: max-age=15552000; includeSubDomains; preload
    access-control-allow-origin: *
    access-control-allow-methods: GET
    pragma: no-cache
    Cache-Control: no-store, no-cache, must-revalidate, private, max-age=0
    x-geojs-location: AMS
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0A212A5ptT13dppL0OX5vyx721Y%2FeXS3bMTZp1cMCZE8SXWL3So9NUI1NEvIexG%2Bte%2FQVB7S1eQPvu4pqcD1AG4FeRTp73kgp0k52zP6o2OLnWO%2BJZWNuItz4ZPH4w%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    X-Content-Type-Options: nosniff
    Server: cloudflare
    CF-RAY: 89fb48bdfe4d774f-LHR
    alt-svc: h3=":443"; ma=86400
- DNS query
  Remote address: 8.8.8.8:53
  Request: api.telegram.org IN A
  Response: api.telegram.org IN A 149.154.167.220
- Connection summary (remote address, domain/URL, protocol, process, bytes sent, bytes received, packets sent, packets received)
  172.67.70.233:443   https://get.geojs.io/v1/ip/geo.json   tls, http   ad9c3a743ab48629ef8b02e26c82cb0f497669d8ae3b236758f997f695e78c73.exe   723 B   6.2kB   8   9
    HTTP Request: GET https://get.geojs.io/v1/ip/geo.json
    HTTP Response: 200
  149.154.167.220:443   api.telegram.org   tls   ad9c3a743ab48629ef8b02e26c82cb0f497669d8ae3b236758f997f695e78c73.exe   388 B   219 B   5   5
  8.8.8.8:53   get.geojs.io   dns   (process not shown in this report)   58 B   106 B   1   1
    DNS Request: get.geojs.io
    DNS Response: 172.67.70.233, 104.26.1.100, 104.26.0.100
  8.8.8.8:53   api.telegram.org   dns   ad9c3a743ab48629ef8b02e26c82cb0f497669d8ae3b236758f997f695e78c73.exe   62 B   78 B   1   1
    DNS Request: api.telegram.org
    DNS Response: 149.154.167.220