Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

3071ac42b0...bb5.js

windows7-x64

8

3071ac42b0...bb5.js

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    128s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25/07/2024, 09:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3071ac42b0c7407d7982843858e9df6a697f4b83dd4281394fef5e79bfea2bb5.js

  • Size

    271KB

  • MD5

    06423b5a0a4d4f444ea943e2bdaa5461

  • SHA1

    3f839dd6da834bc4df8faf8bac49dd7f34b5cd50

  • SHA256

    3071ac42b0c7407d7982843858e9df6a697f4b83dd4281394fef5e79bfea2bb5

  • SHA512

    ce60a82182ab2cc122b50a34131d0c376ebf1c14286658603199a4eefb6153bae18201400a5b29c4dbead906be9aeb028155a1d1af531c1fb81cf79e00f5d759

  • SSDEEP

    1536:PfINtK3IadjNM9h/IaOlaStsiuvErox1Rti/KCEBFjgnC2EoKyr/sK4tF6ROX1Lu:PIyuvuM2EM0l3hWAzmp4h2GWjyHW

Score
10/10
snakekeyloggercollectioncredential_accessdiscoveryexecutionkeyloggerstealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

Signatures

  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

    stealerkeyloggersnakekeylogger
  • Snake Keylogger payload 1 IoCs
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Blocklisted process makes network request 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Command and Scripting Interpreter: JavaScript 1 TTPs
    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 4 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 9 IoCs
  • Suspicious use of SendNotifyMessage 8 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\3071ac42b0c7407d7982843858e9df6a697f4b83dd4281394fef5e79bfea2bb5.js
    1⤵
    • Blocklisted process makes network request
    PID:4536
  • C:\Windows\System32\WScript.exe
    C:\Windows\System32\WScript.exe "C:\Users\Admin\YLhjFraZZwiadZg.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1044
    • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
      2⤵
      • Drops file in System32 directory
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3732
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        3⤵
        • Accesses Microsoft Outlook profiles
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • outlook_office_path
        • outlook_win_path
        PID:1968
      • C:\Windows\system32\wermgr.exe
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "3732" "2812" "2752" "2816" "0" "0" "2820" "0" "0" "0" "0" "0"
        3⤵
        • Checks processor information in registry
        • Enumerates system info in registry
        PID:2404
    • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
      2⤵
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3624
      • C:\Windows\system32\wermgr.exe
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "3624" "2684" "2616" "2688" "0" "0" "2692" "0" "0" "0" "0" "0"
        3⤵
        • Checks processor information in registry
        • Enumerates system info in registry
        PID:3976
  • C:\Program Files\VideoLAN\VLC\vlc.exe
    "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\SaveConfirm.snd"
    1⤵
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    PID:1168

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize

    3KB

    MD5

    3f01549ee3e4c18244797530b588dad9

    SHA1

    3e87863fc06995fe4b741357c68931221d6cc0b9

    SHA256

    36b51e575810b6af6fc5e778ce0f228bc7797cd3224839b00829ca166fa13f9a

    SHA512

    73843215228865a4186ac3709bf2896f0f68da0ba3601cc20226203dd429a2ad9817b904a45f6b0456b8be68deebf3b011742a923ce4a77c0c6f3a155522ab50

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
    Filesize

    53KB

    MD5

    a26df49623eff12a70a93f649776dab7

    SHA1

    efb53bd0df3ac34bd119adf8788127ad57e53803

    SHA256

    4ebde1c12625cb55034d47e5169f709b0bd02a8caa76b5b9854efad7f4710245

    SHA512

    e5f9b8645fb2a50763fcbffe877ca03e9cadf099fe2d510b74bfa9ff18d0a6563d11160e00f495eeefebde63450d0ade8d6b6a824e68bd8a59e1971dc842709c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_srzjbh2q.3kp.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
    Filesize

    217B

    MD5

    b39888f367731f0fb791a24c3b4e0723

    SHA1

    cee101659ec6637988ee846695f14ec49bc0366e

    SHA256

    e7d985833b782b4e19c78a18db6cd1135bd2d068a8fbe1b99b4fcaf049870ce2

    SHA512

    4ae8122bc462739b79388575b559af3920cd45c74b3e1f8833ca67edd5795eb961bcf25cbfd5daf5fbe247d395468a6f3a05eeeafeb3941b7abd5337ca5e3d59

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    6KB

    MD5

    846232d67f7da494b497587c523126b2

    SHA1

    c6f74ea9967db2d49cccb549926b51ce111a4f8f

    SHA256

    b8491e1dbbc563782e15b95ddf825915bda42b22487b6195acea9ce84941c5ae

    SHA512

    5c8aa41f30f7c1491e807b05c99f425a7de69cf9741bd79523ab31a58f0dc756cb8ac1d022e519290a6ea493ef2bcf385fd3a2711535b9a101bb0850aee0b4f6

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    6KB

    MD5

    94fda3db836b8e69a21a047a0289caf7

    SHA1

    6a6c81b7b3e377cca0830716b1ec64060829e078

    SHA256

    3cb570b6df9c65f7803b0f0d39146c9a76900ad28501d7a9a0bef47054ff19fe

    SHA512

    60dc6f10436b52dabfc05efc584b6ae0bf8914ee25ac650ff1956c1768094abea4c0c2f00c0023a2d8d1e95465c880f67c22c0294df97003b817b80c6af496a4

    Download Submit

  • C:\Users\Admin\YLhjFraZZwiadZg.vbs
    Filesize

    1KB

    MD5

    df8ff588cdd485fa5a69ac6622d2f279

    SHA1

    68ab587161288872a49a3aac287f61b9c6957ae3

    SHA256

    034ad208a95827c958f8d30d4f4dbe1b630c0cb60aed8e229d52df64816d8a46

    SHA512

    9d8baaad38fde02caec0d2a48b5c47b22e74b187cfaa82f1849b08172072efa5dc9fa0a11bd4c907a6ca2af2c184badd61549b0603b645190a39bb7970721475

    Download Submit

  • memory/1168-38-0x00007FFC5B600000-0x00007FFC5B611000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1168-23-0x00007FF7CC6C0000-0x00007FF7CC7B8000-memory.dmp

    Filesize

    992KB

    Download

  • memory/1168-30-0x00007FFC625D0000-0x00007FFC625E1000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1168-33-0x00007FFC5B6C0000-0x00007FFC5B8CB000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1168-29-0x00007FFC62940000-0x00007FFC62957000-memory.dmp

    Filesize

    92KB

    Download

  • memory/1168-28-0x00007FFC68AC0000-0x00007FFC68AD1000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1168-27-0x00007FFC6C130000-0x00007FFC6C147000-memory.dmp

    Filesize

    92KB

    Download

  • memory/1168-26-0x00007FFC71650000-0x00007FFC71668000-memory.dmp

    Filesize

    96KB

    Download

  • memory/1168-25-0x00007FFC5B910000-0x00007FFC5BBC6000-memory.dmp

    Filesize

    2.7MB

    Download

  • memory/1168-40-0x00007FFC5B5C0000-0x00007FFC5B5D1000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1168-35-0x00007FFC5B670000-0x00007FFC5B6B1000-memory.dmp

    Filesize

    260KB

    Download

  • memory/1168-41-0x00007FFC59060000-0x00007FFC590F8000-memory.dmp

    Filesize

    608KB

    Download

  • memory/1168-39-0x00007FFC5B5E0000-0x00007FFC5B5F1000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1168-32-0x00007FFC5B8D0000-0x00007FFC5B8E1000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1168-37-0x00007FFC5B620000-0x00007FFC5B638000-memory.dmp

    Filesize

    96KB

    Download

  • memory/1168-36-0x00007FFC5B640000-0x00007FFC5B661000-memory.dmp

    Filesize

    132KB

    Download

  • memory/1168-34-0x00007FFC56E90000-0x00007FFC57F40000-memory.dmp

    Filesize

    16.7MB

    Download

  • memory/1168-31-0x00007FFC5B8F0000-0x00007FFC5B90D000-memory.dmp

    Filesize

    116KB

    Download

  • memory/1168-24-0x00007FFC63150000-0x00007FFC63184000-memory.dmp

    Filesize

    208KB

    Download

  • memory/1168-117-0x00007FFC56E90000-0x00007FFC57F40000-memory.dmp

    Filesize

    16.7MB

    Download

  • memory/1168-94-0x00007FFC56E90000-0x00007FFC57F40000-memory.dmp

    Filesize

    16.7MB

    Download

  • memory/1968-63-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

    Download

  • memory/1968-81-0x0000000005A60000-0x0000000006004000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/1968-82-0x00000000054B0000-0x000000000554C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/1968-102-0x00000000067A0000-0x00000000067F0000-memory.dmp

    Filesize

    320KB

    Download

  • memory/1968-103-0x00000000069C0000-0x0000000006B82000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/1968-104-0x0000000006890000-0x0000000006922000-memory.dmp

    Filesize

    584KB

    Download

  • memory/1968-105-0x0000000006830000-0x000000000683A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/3732-16-0x0000028FF59C0000-0x0000028FF5A04000-memory.dmp

    Filesize

    272KB

    Download

  • memory/3732-62-0x0000028FF5A10000-0x0000028FF5A1C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/3732-15-0x0000028FF4BA0000-0x0000028FF4BC2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/3732-60-0x0000028FF59B0000-0x0000028FF59BA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/3732-17-0x0000028FF5A90000-0x0000028FF5B06000-memory.dmp

    Filesize

    472KB

    Download