Analysis
- max time kernel: 115s
- max time network: 104s
- platform: windows7_x64
- resource: win7-20240705-en
- resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
- submitted: 16/07/2024, 05:14
Static task
- static1
Behavioral task
- behavioral1
  Sample: 733e1c6851f36fdbb0e3bad19ee09980N.exe
  Resource: win7-20240705-en
Behavioral task
- behavioral2
  Sample: 733e1c6851f36fdbb0e3bad19ee09980N.exe
  Resource: win10v2004-20240709-en
General
- Target: 733e1c6851f36fdbb0e3bad19ee09980N.exe
- Size: 847KB
- MD5: 733e1c6851f36fdbb0e3bad19ee09980
- SHA1: 8c885eca455287b319193a31abf32d398ec019d8
- SHA256: d5386caad6ba9e808acca20d63fc451c27adfa7f81dd7b6cb1ac1e8ecf752603
- SHA512: 0b0fb22c38c4168965c42227b83473b52a51bfed3fa211046a8e76b2436af65fbefbc3402cc8eb7f94331fb664e8426d527977f92f54616fe98c5c61f89d5569
- SSDEEP: 12288:+GdQQdRcc8xl/hy/m6Io77RAKVtgVpA9TUsUzq9Yt5IlSOArWFazwb3C2kUz:+OQQGfCm6IQAE59TUEGylNArWgqC2ky
Malware Config
Extracted
Family: netwire
C2: 94.242.59.7:56565
- activex_autorun: false
- copy_executable: false
- delete_original: false
- host_id: VPS
- keylogger_dir: %AppData%\Logs\
- lock_executable: false
- offline_keylogger: true
- password: Appleaddict45@
- registry_autorun: false
- use_mutex: false
Signatures
- NetWire RAT payload (4 IoCs)
  resource / yara_rule:
  behavioral1/memory/1008-14-0x0000000000400000-0x000000000041E000-memory.dmp (yara_rule: netwire)
  behavioral1/memory/1008-26-0x0000000000400000-0x000000000041E000-memory.dmp (yara_rule: netwire)
  behavioral1/memory/1008-30-0x0000000000400000-0x000000000041E000-memory.dmp (yara_rule: netwire)
  behavioral1/memory/1008-97-0x0000000000400000-0x000000000041E000-memory.dmp (yara_rule: netwire)
- Executes dropped EXE (1 IoC)
  pid / Process:
  2020 conhost.exe
- Loads dropped DLL (3 IoCs)
  pid / Process:
  2320 733e1c6851f36fdbb0e3bad19ee09980N.exe
  2020 conhost.exe
  2020 conhost.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  description / ioc / Process:
  Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\BjrService = "C:\\Users\\Admin\\AppData\\Roaming\\IpdService\\contest.exe" (Process: 733e1c6851f36fdbb0e3bad19ee09980N.exe)
- Suspicious use of SetThreadContext (2 IoCs)
  description / pid / Process / procid_target:
  PID 2320 set thread context of 1008 (pid 2320, 733e1c6851f36fdbb0e3bad19ee09980N.exe, procid_target 30)
  PID 2320 set thread context of 1008 (pid 2320, 733e1c6851f36fdbb0e3bad19ee09980N.exe, procid_target 30)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description / pid / Process:
  Token: 33 (pid 2668, AUDIODG.EXE)
  Token: SeIncBasePriorityPrivilege (pid 2668, AUDIODG.EXE)
  Token: 33 (pid 2668, AUDIODG.EXE)
  Token: SeIncBasePriorityPrivilege (pid 2668, AUDIODG.EXE)
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid / Process:
  2320 733e1c6851f36fdbb0e3bad19ee09980N.exe
- Suspicious use of WriteProcessMemory (15 IoCs)
  description / pid / Process / procid_target:
  PID 2320 wrote to memory of 2020 (pid 2320, 733e1c6851f36fdbb0e3bad19ee09980N.exe, procid_target 29)
  PID 2320 wrote to memory of 2020 (pid 2320, 733e1c6851f36fdbb0e3bad19ee09980N.exe, procid_target 29)
  PID 2320 wrote to memory of 2020 (pid 2320, 733e1c6851f36fdbb0e3bad19ee09980N.exe, procid_target 29)
  PID 2320 wrote to memory of 2020 (pid 2320, 733e1c6851f36fdbb0e3bad19ee09980N.exe, procid_target 29)
  PID 2320 wrote to memory of 1008 (pid 2320, 733e1c6851f36fdbb0e3bad19ee09980N.exe, procid_target 30)
  PID 2320 wrote to memory of 1008 (pid 2320, 733e1c6851f36fdbb0e3bad19ee09980N.exe, procid_target 30)
  PID 2320 wrote to memory of 1008 (pid 2320, 733e1c6851f36fdbb0e3bad19ee09980N.exe, procid_target 30)
  PID 2320 wrote to memory of 1008 (pid 2320, 733e1c6851f36fdbb0e3bad19ee09980N.exe, procid_target 30)
  PID 2320 wrote to memory of 1008 (pid 2320, 733e1c6851f36fdbb0e3bad19ee09980N.exe, procid_target 30)
  PID 2320 wrote to memory of 1008 (pid 2320, 733e1c6851f36fdbb0e3bad19ee09980N.exe, procid_target 30)
  PID 2320 wrote to memory of 1008 (pid 2320, 733e1c6851f36fdbb0e3bad19ee09980N.exe, procid_target 30)
  PID 2320 wrote to memory of 1008 (pid 2320, 733e1c6851f36fdbb0e3bad19ee09980N.exe, procid_target 30)
  PID 2320 wrote to memory of 1008 (pid 2320, 733e1c6851f36fdbb0e3bad19ee09980N.exe, procid_target 30)
  PID 2320 wrote to memory of 1008 (pid 2320, 733e1c6851f36fdbb0e3bad19ee09980N.exe, procid_target 30)
  PID 2320 wrote to memory of 1008 (pid 2320, 733e1c6851f36fdbb0e3bad19ee09980N.exe, procid_target 30)
Processes
- C:\Users\Admin\AppData\Local\Temp\733e1c6851f36fdbb0e3bad19ee09980N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\733e1c6851f36fdbb0e3bad19ee09980N.exe"
  PID: 2320
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Children:
  - C:\Users\Admin\AppData\Local\Temp\conhost.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\conhost.exe"
    PID: 2020
    - Executes dropped EXE
    - Loads dropped DLL
  - C:\Users\Admin\AppData\Local\Temp\733e1c6851f36fdbb0e3bad19ee09980N.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\733e1c6851f36fdbb0e3bad19ee09980N.exe"
    PID: 1008
- C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x514
  PID: 2668
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 9KB
  MD5: 780d14604d49e3c634200c523def8351
  SHA1: e208ef6f421d2260070a9222f1f918f1de0a8eeb
  SHA256: 844eb66a10b848d3a71a8c63c35f0a01550a46d2ff8503e2ca8947978b03b4d2
  SHA512: a49c030f11da8f0cdc4205c86bec00653ec2f8899983cad9d7195fd23255439291aaec5a7e128e1a103efd93b8566e86f15af89eba4efebf9debce14a7a5564b
- Filesize: 565KB
  MD5: e2f36b23167882c584d1ef1642fc2b01
  SHA1: 41ad4b4f935c54b284f8b993efa9f5e81a887006
  SHA256: a417e8c0a5e9f8a93743e4c8972cfc4f912ec0f9000f706df4836037dca38d53
  SHA512: c42bd7158d64e73d6ffb1097d062fd30a646b445d05e722f28403d13a1c721c8bfc81b3f06701d5b373f74ec666c169cd6dec67e83bb22b9e0887194b1c1abc1
- Filesize: 547KB
  MD5: 7b677aa98986a1145c31bc858fc45244
  SHA1: 8cc61dbeca97c9e00bd2c919a99e9757d882381e
  SHA256: 7fc4cef987d57a407101ffec1aeb75233c758449597665b1635cdbf4aa7bd8fa
  SHA512: c7a43d810adf73cd042f456fe8f64a4bff5edd73d37a6b9bb6c8d4bfbb3e422a95a0bc7a9de9b84b5e587fd543a75b60df78d7819c26e0eb681290d8bee1b63b