Analysis

  • max time kernel
    145s
  • max time network
    143s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
  • submitted
    10/07/2024, 21:53

General

  • Target

    43322b3c55f80df1dfce965e2854e15025efe13436dbb117b9776b2a63ec4be5.exe

  • Size

    407KB

  • MD5

    d0306eecb1329a6d25e3859eb094a246

  • SHA1

    47f618e7478d4e14f7f072cd3bc7aa6b95310113

  • SHA256

    43322b3c55f80df1dfce965e2854e15025efe13436dbb117b9776b2a63ec4be5

  • SHA512

    f352abd59ab5f0f74c562aa663038474e2039b8a4b5b3121cdf2d082da778953720483849a92298f6ee46fb82d51232e4776eff817fbb58526b7c127581a04fc

  • SSDEEP

    12288:vGjaO1u7KkTfCqYaU6n9MepLgHCV8kEm87W:vGb+KkTfCBaFn9dLgqlEm8C

Malware Config

Signatures

  • Guloader, Cloudeye

    A shellcode-based downloader first seen in 2020.

  • Lokibot

    Lokibot is a password and cryptocoin wallet stealer.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Runs PowerShell with the display window hidden.

  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • NSIS installer 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\43322b3c55f80df1dfce965e2854e15025efe13436dbb117b9776b2a63ec4be5.exe
    "C:\Users\Admin\AppData\Local\Temp\43322b3c55f80df1dfce965e2854e15025efe13436dbb117b9776b2a63ec4be5.exe"
    • Suspicious use of WriteProcessMemory
    PID:2264
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -windowstyle hidden "$Recontest=Get-Content 'C:\Users\Admin\AppData\Roaming\annekskirkers\dommedagens\nonmenial\Leptosomic26.Udt';$Genskabninger=$Recontest.SubString(51485,3);.$Genskabninger($Recontest)"
      • Command and Scripting Interpreter: PowerShell
      • Loads dropped DLL
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2332
      • C:\Users\Admin\AppData\Local\Temp\Ancome.exe
        "C:\Users\Admin\AppData\Local\Temp\Ancome.exe"
        • Loads dropped DLL
        • Accesses Microsoft Outlook profiles
        • Suspicious use of NtCreateThreadExHideFromDebugger
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious use of AdjustPrivilegeToken
        • outlook_office_path
        • outlook_win_path
        PID:2840

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3502430532-24693940-2469786940-1000\0f5007522459c86e95ffcc62f32308f1_f42ec065-7b23-4f0f-9aa0-d097eed4c26e

    Filesize

    46B

    MD5

    d898504a722bff1524134c6ab6a5eaa5

    SHA1

    e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

    SHA256

    878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

    SHA512

    26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

  • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3502430532-24693940-2469786940-1000\0f5007522459c86e95ffcc62f32308f1_f42ec065-7b23-4f0f-9aa0-d097eed4c26e

    Filesize

    46B

    MD5

    c07225d4e7d01d31042965f048728a0a

    SHA1

    69d70b340fd9f44c89adb9a2278df84faa9906b7

    SHA256

    8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

    SHA512

    23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

  • C:\Users\Admin\AppData\Roaming\annekskirkers\dommedagens\nonmenial\Leptosomic26.Udt

    Filesize

    68KB

    MD5

    dbdaecdd9f7e16dc10dae658d357276c

    SHA1

    542144045872fd985ba68c035d703c526e03527f

    SHA256

    e974c25440e143e007ca3b5bed2d5769e8af0218b3417e1f8d78830de4c1e697

    SHA512

    d71e47d497921b191410567997765329c1906d4ec88a3283b21653913b60fb08dd8523744b8add57f0ff18db3031d195fb63ac13ad268fec6eee4baf5050a466

  • C:\Users\Admin\AppData\Roaming\annekskirkers\dommedagens\nonmenial\Wienerstole.Mel

    Filesize

    351KB

    MD5

    c8be19808a52e77d42070331b31dc56e

    SHA1

    d4cf31931b64d7dd935cb8ed5c0fba9999bd53c8

    SHA256

    76d5da3613cd82da47fb5b91e01b24726380757c2b415e69df91a67fa2ee6a74

    SHA512

    11f457c25dd24c323f213f810e32bdd5a468cf5f79e306c3b34d91d0fcbc04cea225003e0e00782a28a036f40d9e226b863686f8f3285f81eadabcfc637b9369

  • \Users\Admin\AppData\Local\Temp\Ancome.exe

    Filesize

    407KB

    MD5

    d0306eecb1329a6d25e3859eb094a246

    SHA1

    47f618e7478d4e14f7f072cd3bc7aa6b95310113

    SHA256

    43322b3c55f80df1dfce965e2854e15025efe13436dbb117b9776b2a63ec4be5

    SHA512

    f352abd59ab5f0f74c562aa663038474e2039b8a4b5b3121cdf2d082da778953720483849a92298f6ee46fb82d51232e4776eff817fbb58526b7c127581a04fc

  • memory/2332-20-0x0000000074350000-0x00000000748FB000-memory.dmp

    Filesize

    5.7MB

  • memory/2332-18-0x0000000074350000-0x00000000748FB000-memory.dmp

    Filesize

    5.7MB

  • memory/2332-15-0x0000000074350000-0x00000000748FB000-memory.dmp

    Filesize

    5.7MB

  • memory/2332-11-0x0000000074351000-0x0000000074352000-memory.dmp

    Filesize

    4KB

  • memory/2332-22-0x0000000074350000-0x00000000748FB000-memory.dmp

    Filesize

    5.7MB

  • memory/2332-21-0x00000000066A0000-0x0000000009134000-memory.dmp

    Filesize

    42.6MB

  • memory/2332-14-0x0000000074350000-0x00000000748FB000-memory.dmp

    Filesize

    5.7MB

  • memory/2332-13-0x0000000074350000-0x00000000748FB000-memory.dmp

    Filesize

    5.7MB

  • memory/2332-12-0x0000000074350000-0x00000000748FB000-memory.dmp

    Filesize

    5.7MB

  • memory/2840-27-0x0000000000400000-0x0000000001462000-memory.dmp

    Filesize

    16.4MB

  • memory/2840-47-0x0000000000400000-0x0000000001462000-memory.dmp

    Filesize

    16.4MB

  • memory/2840-49-0x0000000001470000-0x0000000003F04000-memory.dmp

    Filesize

    42.6MB