Analysis

  • max time kernel
    116s
  • max time network
    117s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    24/07/2024, 09:36

General

  • Target

    6ee09985aad01926c5ec335e48c36950N.exe

  • Size

    1.9MB

  • MD5

    6ee09985aad01926c5ec335e48c36950

  • SHA1

    e21abc81cb0516782168eda2bc1706f7bf1a3614

  • SHA256

    49a7d26eb8022c5edc59707b013f38d41ba8838f987e676f6385c3d46c7ab998

  • SHA512

    dafa5a6b7a4408f2e3d9b920ce4e03e45638ca767cb9dd585d7417bb6ce11b092287f08c7b97e9f8c9d2af7cdb6585dcb3c2bec36afdc22c460a5f0299e36a1a

  • SSDEEP

    49152:Q8t9VWdeTu1rsEJHCPwVmb8AKe3kAIugoiau0zZEjafp:Q8qeTUsRP+AKSZzJR

Malware Config

Signatures

  • Detects Strela Stealer payload 1 IoCs
  • Strela stealer

    An info stealer targeting mail credentials, first seen in late 2022.

  • Drops file in Drivers directory 3 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 11 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in System32 directory 39 IoCs
  • Drops file in Program Files directory 20 IoCs
  • Drops file in Windows directory 14 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of the victim machine in order to infer the geographical location of that host.

  • Modifies Control Panel 2 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 64 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 41 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6ee09985aad01926c5ec335e48c36950N.exe
    "C:\Users\Admin\AppData\Local\Temp\6ee09985aad01926c5ec335e48c36950N.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3060
    • C:\Program Files (x86)\Common Files\supportdotcom\rang\driverinst64.exe
      "C:\Program Files (x86)\Common Files\supportdotcom\rang/driverinst64.exe" /Install
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      PID:3004
    • C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe
      "C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe" /provider supportdotcom /setup
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      PID:2248
    • C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe
      "C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe" /provider supportdotcom /regserver /start
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      PID:1396
  • C:\Windows\system32\DrvInst.exe
    DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{37cc2436-ef8e-1ac3-bf81-2607edbf665d}\ssmirrdr.inf" "9" "67bd61347" "0000000000000594" "WinSta0\Default" "00000000000002C8" "208" "c:\program files (x86)\common files\supportdotcom\rang"
    1⤵
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:2760
  • C:\Windows\system32\DrvInst.exe
    DrvInst.exe "2" "211" "ROOT\SSMIRR_DRIVER\0000" "C:\Windows\INF\oem2.inf" "ssmirrdr.inf:ssmirrdr.Mfg.ntamd64:ssmirrdr:2.0.0.0:ssmirr_driver" "67bd61347" "0000000000000594" "0000000000000064" "0000000000000068"
    1⤵
    • Drops file in Drivers directory
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:2944
  • C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe
    "C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe" -service "-provider" "supportdotcom"
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    • Modifies system certificate store
    • Suspicious use of WriteProcessMemory
    PID:2372
    • C:\Program Files (x86)\supportdotcom\rang\ssrangui.exe
      "ssrangui.exe" -start -ec 1 2647238069 -agentFriendlyName 'ATS Agent'
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      PID:3040
  • C:\Windows\system32\wbem\WmiApSrv.exe
    C:\Windows\system32\wbem\WmiApSrv.exe
    1⤵
      PID:1804

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Program Files (x86)\Common Files\supportdotcom\rang\driverinst64.exe

      Filesize

      16KB

      MD5

      38377a28f213b6bb042e60e4b457f516

      SHA1

      0499b92faa65cd1d00640715c998d2500ff4eebc

      SHA256

      ca67f164a2ee8be79fb156ac3cdbc154ea8a761bf49e88197c4c07a3a325a2a9

      SHA512

      e522e4a4157849612017af61b8e6db94c67503872a76fdfa1e342908f9292f296e7e462b8bf02155028e10e1860288bc5acb5490fa7b3136b19d6b8b68fe3319

    • C:\Program Files (x86)\supportdotcom\rang\ca-bundle.crt

      Filesize

      251KB

      MD5

      478f2561ec0658265a01993e00ee89f2

      SHA1

      3845dc7fd32fb08600ebd5902bc1bd7e7bfa63a1

      SHA256

      d42fa29fd8a06ea428d041a26d4e6831bbf8538f83032e922287832c39b06b86

      SHA512

      82636f4317d561a38134f919d6197abbeea56c2a2c750350148b54fb5b864babd8711876d6e322ffdd12489305ca96b9d209335998b922d2c9e4f198ae84f470

    • C:\Program Files (x86)\supportdotcom\rang\logs\ssrangsv_[7-24-2024 - 9.36.46].log

      Filesize

      309B

      MD5

      11c569068df757e0c6d81d167cd83448

      SHA1

      4e4d35d710bfe9911343007fb6f82875b691d390

      SHA256

      aa8f926c017d0e6fbc393653e82d0bd320904cf74bca38d50415874df9f37408

      SHA512

      329de1f37b240656f4ee0afe1ff3c0013bc35772726a78a704e4739551f42b2b7f4b84189ddd4a36f71fd4b3c9622481a53ba706433d4151538c120de9e09ba3

    • C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe

      Filesize

      2.2MB

      MD5

      8e1f07c8ec91b5c63eccd0c6cb00a027

      SHA1

      89afb7d39ed1935f25f8c43b60ab2fdcba58447f

      SHA256

      d82c089a395db0691c1c845b68c1b1743de8985feb47ec5e03f0db80a5c1b195

      SHA512

      138f90453e58a34f53cbd7d1700fbc9377c4d67f55119df5198d5575a1ab07e2d00e51562c14d9f8f8120169f2d977948a06cb600ba16c5d53e141b76e39f497

    • C:\Program Files (x86)\supportdotcom\rang\ssrangui.exe

      Filesize

      1.7MB

      MD5

      69d7734b204b81b646d0f8576e7dc8d6

      SHA1

      a37786dcab45c963d44a135db52b21177847508b

      SHA256

      24316fd026bcf76caa990e27e3dfd38126fa5b71763fa576ccab43cba6eafb2e

      SHA512

      0d93c3b9f664c36af3568484352aa09925cf04f9ccdf07bf7a1c7dbd791cbb98b8c18043c8220fce0c9b3defab90586a86d2cddf225980518a3b9e854026c79d

    • C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

      Filesize

      70KB

      MD5

      49aebf8cbd62d92ac215b2923fb1b9f5

      SHA1

      1723be06719828dda65ad804298d0431f6aff976

      SHA256

      b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

      SHA512

      bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    • C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

      Filesize

      1KB

      MD5

      a266bb7dcc38a562631361bbf61dd11b

      SHA1

      3b1efd3a66ea28b16697394703a72ca340a05bd5

      SHA256

      df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

      SHA512

      0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

    • C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

      Filesize

      242B

      MD5

      ec313d5b7d7c9685e4d32ff05e6d5ea8

      SHA1

      c334fd6d27510fe6eb8fe684a54bbe7462466ec0

      SHA256

      7d2f91bd798d9d63f8011c9ad6ac3a895c2a4a36bffdca0cc79b2eb472da2f08

      SHA512

      679851f08233a3331a5536a76d1aeb24ddfc9162fe51e0c82779760f0209c7ec2aecd192fa911cf4cdfc811683b1e58e118e0fbd8008b53a2fbadab8d3c4d244

    • C:\Windows\System32\DriverStore\FileRepository\ssmirrdr.inf_amd64_neutral_f60e4a3bb7f7b95a\ssmirrdr.PNF

      Filesize

      9KB

      MD5

      6341c4eed3b4f77cd067cd2db2b592a9

      SHA1

      3594c5374a4fe9c9ba8046b06eea4ababd73b680

      SHA256

      bea564e0d2e00c48571b0992cd13a4aa163e7fc396f9d0d549cd8e5d025246f7

      SHA512

      321737ee2e210e1808a35fc3b5df860a0d6a6e617295ec97f68af912f66d500a215a24c084264b13e4dfce9353c645eb1363d6a327250ab34bf1835ee6a177a3

    • C:\Windows\System32\DriverStore\INFCACHE.1

      Filesize

      1.4MB

      MD5

      35b452e8bbebc7f7ea4969b7a82d1ffd

      SHA1

      57241b0d729f0dd2f91181fd59285c75bbb36a3d

      SHA256

      69d1fd51691f985a324f54da9c00e256c5f9f0f2231ba805a6fe813439ba9257

      SHA512

      665f1aa9cb8ca0bdbb0a6a7f3ec602561749ce54df7c1ed481c2d3af08147586df7c298a04ed7c0994940dd786001234f748041cd4c2800c352f5dbb568f71e3

    • C:\Windows\Temp\TarD79F.tmp

      Filesize

      181KB

      MD5

      4ea6026cf93ec6338144661bf1202cd1

      SHA1

      a1dec9044f750ad887935a01430bf49322fbdcb7

      SHA256

      8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

      SHA512

      6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

    • C:\Windows\inf\oem2.PNF

      Filesize

      9KB

      MD5

      fed87ccdd12af5095f46d54deed3ce09

      SHA1

      f7db563d5f63a011934c115245b8d1fe1af239a9

      SHA256

      31a7677b235b7b9cf7e9d81279366037279c13699e0bfd9823846afaaba705f3

      SHA512

      f3eff6ed1f5ae7d8ebb387c68a8f3ddf5770fb8f7c4da52628fae6f97cb31331f4230c188f3572607af9956573b68ba2b55be6fac1c98610268cb274c93ecc6a

    • \??\c:\PROGRA~2\COMMON~1\SUPPOR~1\rang\nt_amd64\ssmirrdr.dll

      Filesize

      31KB

      MD5

      28b26600204f79045eda8f7fd8ca3c86

      SHA1

      b9f19e36b80eb862370d99b466664380440af6d5

      SHA256

      5140f07b878efd1b74ee9f5821a207d1cee65952702ff75c49a4522face230c6

      SHA512

      aebd4425b846883e1f49da18edf3b7c96a9fb9ddb7ce709938b21eae169bdaeb5ce6bf8593638b5c887b26de7476b793a4691a7d56e46796bb658f1e516ad3c1

    • \??\c:\PROGRA~2\COMMON~1\SUPPOR~1\rang\nt_amd64\ssmirrdr.sys

      Filesize

      9KB

      MD5

      1100066057fbf612b573efd3b21383f1

      SHA1

      f95db83ea936f1fe70583a4eca810da807167dfe

      SHA256

      894f5a999e03807dffea67938d2e456d50d9e5511fe91d2e2293c51d98b3d87d

      SHA512

      62850de88b00daeab3299fec2bbd9aa0b07f766b96f42392310cb4f23c9e50f0aa8bc87f82e28cd99c195ea205a26c083d048cbac3341861dcee4a5eabb9dea8

    • \??\c:\program files (x86)\common files\supportdotcom\rang\ssmirrdr-nt_amd64.cat

      Filesize

      8KB

      MD5

      31f007d8f2de5e945dc2e2234628bc37

      SHA1

      76fb2cd66c869bae25589298a971b458bd06c18e

      SHA256

      a179d2176962ff702eb57417f931deb3e8c9f2cfb61311d767b243e111b83973

      SHA512

      170e8ac2cb4decb9fe07f8811c58155c377fc20af3748bcc33cdb203a2780c749f0cc721ba293874ecab1e0423682679ff7a1bccc26caa185af279796112dc18

    • \??\c:\program files (x86)\common files\supportdotcom\rang\ssmirrdr.inf

      Filesize

      2KB

      MD5

      6c4423d9cb9921a25de76b2d9f390f74

      SHA1

      5abdfd7b7d0e454a6ac117c90077b3379e48d666

      SHA256

      3cb8307e59f4483ec329cd2b92690a877eb4b3a0c3633c9e012a4f8aac249c82

      SHA512

      9f28e9a824e0983e180bcefdd347ee145c406e920f660622e34bedf5c3b7e7cd083c3f60528f135e341621248a53ad16cca5ebbb6c8b66af166304ab8b94628c

    • \Users\Admin\AppData\Local\Temp\nsdAD9E.tmp\System.dll

      Filesize

      11KB

      MD5

      c17103ae9072a06da581dec998343fc1

      SHA1

      b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

      SHA256

      dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

      SHA512

      d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f