Analysis
- max time kernel: 143s
- max time network: 128s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25/07/2024, 09:52
Static task: static1
Behavioral task: behavioral1
- Sample: 3071ac42b0c7407d7982843858e9df6a697f4b83dd4281394fef5e79bfea2bb5.js
- Resource: win7-20240704-en
Behavioral task: behavioral2
- Sample: 3071ac42b0c7407d7982843858e9df6a697f4b83dd4281394fef5e79bfea2bb5.js
- Resource: win10v2004-20240709-en
General
- Target: 3071ac42b0c7407d7982843858e9df6a697f4b83dd4281394fef5e79bfea2bb5.js
- Size: 271KB
- MD5: 06423b5a0a4d4f444ea943e2bdaa5461
- SHA1: 3f839dd6da834bc4df8faf8bac49dd7f34b5cd50
- SHA256: 3071ac42b0c7407d7982843858e9df6a697f4b83dd4281394fef5e79bfea2bb5
- SHA512: ce60a82182ab2cc122b50a34131d0c376ebf1c14286658603199a4eefb6153bae18201400a5b29c4dbead906be9aeb028155a1d1af531c1fb81cf79e00f5d759
- SSDEEP: 1536:PfINtK3IadjNM9h/IaOlaStsiuvErox1Rti/KCEBFjgnC2EoKyr/sK4tF6ROX1Lu:PIyuvuM2EM0l3hWAzmp4h2GWjyHW
Malware Config
Extracted
Family: snakekeylogger
- Protocol: smtp
- Host: zulpine.shop
- Port: 587
- Username: [email protected]
- Password: LES5hyhe2NTe
- Email To: [email protected]
Signatures
-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload 1 IoCs
  resource | yara_rule
  behavioral2/memory/1968-63-0x0000000000400000-0x0000000000426000-memory.dmp | family_snakekeylogger
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious access to, or copying of, a web browser credential store.
-
Blocklisted process makes network request 1 IoCs
  flow | pid | Process
  4 | 4536 | wscript.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely for geofencing.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation | WScript.exe
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | MSBuild.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | MSBuild.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | MSBuild.exe
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  55 | checkip.dyndns.org
-
Drops file in System32 directory 2 IoCs
  description | ioc | Process
  File opened for modification | C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
  File opened for modification | C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
-
Suspicious use of SetThreadContext 1 IoCs
  description | pid | Process | procid_target
  PID 3732 set thread context of 1968 | 3732 | powershell.exe | 108
-
Command and Scripting Interpreter: JavaScript 1 TTPs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MSBuild.exe
-
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | wermgr.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | wermgr.exe
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | wermgr.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | wermgr.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | wermgr.exe
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | wermgr.exe
-
Enumerates system info in registry 2 TTPs 4 IoCs
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | wermgr.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | wermgr.exe
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | wermgr.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | wermgr.exe
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
  pid | Process
  1168 | vlc.exe
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
  pid | Process
  3732 | powershell.exe
  3732 | powershell.exe
  3624 | powershell.exe
  3624 | powershell.exe
  3732 | powershell.exe
  3732 | powershell.exe
  1968 | MSBuild.exe
  1968 | MSBuild.exe
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  pid | Process
  1168 | vlc.exe
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
  description | pid | Process
  Token: SeDebugPrivilege | 3732 | powershell.exe
  Token: SeDebugPrivilege | 3624 | powershell.exe
  Token: SeDebugPrivilege | 1968 | MSBuild.exe
-
Suspicious use of FindShellTrayWindow 9 IoCs
  pid | Process
  1168 | vlc.exe (9 identical entries)
-
Suspicious use of SendNotifyMessage 8 IoCs
  pid | Process
  1168 | vlc.exe (8 identical entries)
-
Suspicious use of SetWindowsHookEx 1 IoCs
  pid | Process
  1168 | vlc.exe
-
Suspicious use of WriteProcessMemory 16 IoCs
  description | pid | Process | procid_target
  PID 1044 wrote to memory of 3732 | 1044 | WScript.exe | 99 (2 identical entries)
  PID 1044 wrote to memory of 3624 | 1044 | WScript.exe | 106 (2 identical entries)
  PID 3732 wrote to memory of 1968 | 3732 | powershell.exe | 108 (8 identical entries)
  PID 3732 wrote to memory of 2404 | 3732 | powershell.exe | 109 (2 identical entries)
  PID 3624 wrote to memory of 3976 | 3624 | powershell.exe | 110 (2 identical entries)
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
outlook_office_path 1 IoCs
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | MSBuild.exe
-
outlook_win_path 1 IoCs
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | MSBuild.exe
Processes
- C:\Windows\system32\wscript.exe  [PID 4536]
    Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\3071ac42b0c7407d7982843858e9df6a697f4b83dd4281394fef5e79bfea2bb5.js
    - Blocklisted process makes network request
- C:\Windows\System32\WScript.exe  [PID 1044]
    Command line: C:\Windows\System32\WScript.exe "C:\Users\Admin\YLhjFraZZwiadZg.vbs"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe  [PID 3732]
        Command line: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
        - Drops file in System32 directory
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        Child processes:
        - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe  [PID 1968]
            Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
            - Accesses Microsoft Outlook profiles
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - outlook_office_path
            - outlook_win_path
        - C:\Windows\system32\wermgr.exe  [PID 2404]
            Command line: "C:\Windows\system32\wermgr.exe" "-outproc" "0" "3732" "2812" "2752" "2816" "0" "0" "2820" "0" "0" "0" "0" "0"
            - Checks processor information in registry
            - Enumerates system info in registry
    - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe  [PID 3624]
        Command line: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
        - Drops file in System32 directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        Child processes:
        - C:\Windows\system32\wermgr.exe  [PID 3976]
            Command line: "C:\Windows\system32\wermgr.exe" "-outproc" "0" "3624" "2684" "2616" "2688" "0" "0" "2692" "0" "0" "0" "0" "0"
            - Checks processor information in registry
            - Enumerates system info in registry
- C:\Program Files\VideoLAN\VLC\vlc.exe  [PID 1168]
    Command line: "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\SaveConfirm.snd"
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 3KB
MD5: 3f01549ee3e4c18244797530b588dad9
SHA1: 3e87863fc06995fe4b741357c68931221d6cc0b9
SHA256: 36b51e575810b6af6fc5e778ce0f228bc7797cd3224839b00829ca166fa13f9a
SHA512: 73843215228865a4186ac3709bf2896f0f68da0ba3601cc20226203dd429a2ad9817b904a45f6b0456b8be68deebf3b011742a923ce4a77c0c6f3a155522ab50
-
Filesize: 53KB
MD5: a26df49623eff12a70a93f649776dab7
SHA1: efb53bd0df3ac34bd119adf8788127ad57e53803
SHA256: 4ebde1c12625cb55034d47e5169f709b0bd02a8caa76b5b9854efad7f4710245
SHA512: e5f9b8645fb2a50763fcbffe877ca03e9cadf099fe2d510b74bfa9ff18d0a6563d11160e00f495eeefebde63450d0ade8d6b6a824e68bd8a59e1971dc842709c
-
Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize: 217B
MD5: b39888f367731f0fb791a24c3b4e0723
SHA1: cee101659ec6637988ee846695f14ec49bc0366e
SHA256: e7d985833b782b4e19c78a18db6cd1135bd2d068a8fbe1b99b4fcaf049870ce2
SHA512: 4ae8122bc462739b79388575b559af3920cd45c74b3e1f8833ca67edd5795eb961bcf25cbfd5daf5fbe247d395468a6f3a05eeeafeb3941b7abd5337ca5e3d59
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize: 6KB
MD5: 846232d67f7da494b497587c523126b2
SHA1: c6f74ea9967db2d49cccb549926b51ce111a4f8f
SHA256: b8491e1dbbc563782e15b95ddf825915bda42b22487b6195acea9ce84941c5ae
SHA512: 5c8aa41f30f7c1491e807b05c99f425a7de69cf9741bd79523ab31a58f0dc756cb8ac1d022e519290a6ea493ef2bcf385fd3a2711535b9a101bb0850aee0b4f6
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize: 6KB
MD5: 94fda3db836b8e69a21a047a0289caf7
SHA1: 6a6c81b7b3e377cca0830716b1ec64060829e078
SHA256: 3cb570b6df9c65f7803b0f0d39146c9a76900ad28501d7a9a0bef47054ff19fe
SHA512: 60dc6f10436b52dabfc05efc584b6ae0bf8914ee25ac650ff1956c1768094abea4c0c2f00c0023a2d8d1e95465c880f67c22c0294df97003b817b80c6af496a4
-
Filesize: 1KB
MD5: df8ff588cdd485fa5a69ac6622d2f279
SHA1: 68ab587161288872a49a3aac287f61b9c6957ae3
SHA256: 034ad208a95827c958f8d30d4f4dbe1b630c0cb60aed8e229d52df64816d8a46
SHA512: 9d8baaad38fde02caec0d2a48b5c47b22e74b187cfaa82f1849b08172072efa5dc9fa0a11bd4c907a6ca2af2c184badd61549b0603b645190a39bb7970721475