Analysis
max time kernel: 118s
max time network: 144s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 21/08/2024, 13:53
Static task: static1
Behavioral task: behavioral1
  Sample: 96b4dc68d491b25769c36f74ad0403c1e775cd4c02b7859941267f40d1834419.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 96b4dc68d491b25769c36f74ad0403c1e775cd4c02b7859941267f40d1834419.exe
  Resource: win10v2004-20240802-en
General
Target: 96b4dc68d491b25769c36f74ad0403c1e775cd4c02b7859941267f40d1834419.exe
Size: 1.1MB
MD5: 8ab89c59c8fda81159ae27eaf35dd684
SHA1: aaadcdafc21a5f2a4a22e679ec87125928e299bd
SHA256: 96b4dc68d491b25769c36f74ad0403c1e775cd4c02b7859941267f40d1834419
SHA512: 9af7f0b9a3209f296bdec04ddbc41cc7ecd5ae4136e13e64ec1025d5acebbe04040f243cfd5098ce87acb58ac4e50d322d53a448a05fcfc3f293ae00967b2f41
SSDEEP: 24576:hqDEvCTbMWu7rQYlBQcBiT6rprG8azSFN:hTvC/MTQYxsWR7azSF
Malware Config
Extracted
vipkeylogger
https://api.telegram.org/bot7339564661:AAFzTB6gEWMndjXYyD5LCn17UEBISRR8wDI/sendMessage?chat_id=6443825857
Signatures
VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was found in 2020.
Credentials from Password Stores: Credentials from Web Browsers (1 TTPs)
Malicious access to, or copying of, a web browser credential store.
Drops startup file (1 IoCs)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\incalculability.vbs | incalculability.exe
Executes dropped EXE (1 IoCs)
pid | Process
2952 | incalculability.exe
Loads dropped DLL (1 IoCs)
pid | Process
1316 | 96b4dc68d491b25769c36f74ad0403c1e775cd4c02b7859941267f40d1834419.exe
Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | svchost.exe
Key opened | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | svchost.exe
Key opened | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | svchost.exe
Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
4 | checkip.dyndns.org
AutoIT Executable (1 IoCs)
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral1/files/0x000e000000018660-13.dat | autoit_exe
Suspicious use of SetThreadContext (1 IoCs)
description | pid | Process | procid_target
PID 2952 set thread context of 852 | 2952 | incalculability.exe | 32
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 96b4dc68d491b25769c36f74ad0403c1e775cd4c02b7859941267f40d1834419.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | incalculability.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
852 | svchost.exe
852 | svchost.exe
Suspicious behavior: MapViewOfSection (1 IoCs)
pid | Process
2952 | incalculability.exe
Suspicious use of AdjustPrivilegeToken (1 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 852 | svchost.exe
Suspicious use of FindShellTrayWindow (4 IoCs)
pid | Process
1316 | 96b4dc68d491b25769c36f74ad0403c1e775cd4c02b7859941267f40d1834419.exe
1316 | 96b4dc68d491b25769c36f74ad0403c1e775cd4c02b7859941267f40d1834419.exe
2952 | incalculability.exe
2952 | incalculability.exe
Suspicious use of SendNotifyMessage (4 IoCs)
pid | Process
1316 | 96b4dc68d491b25769c36f74ad0403c1e775cd4c02b7859941267f40d1834419.exe
1316 | 96b4dc68d491b25769c36f74ad0403c1e775cd4c02b7859941267f40d1834419.exe
2952 | incalculability.exe
2952 | incalculability.exe
Suspicious use of WriteProcessMemory (9 IoCs)
description | pid | Process | procid_target
PID 1316 wrote to memory of 2952 | 1316 | 96b4dc68d491b25769c36f74ad0403c1e775cd4c02b7859941267f40d1834419.exe | 31
PID 1316 wrote to memory of 2952 | 1316 | 96b4dc68d491b25769c36f74ad0403c1e775cd4c02b7859941267f40d1834419.exe | 31
PID 1316 wrote to memory of 2952 | 1316 | 96b4dc68d491b25769c36f74ad0403c1e775cd4c02b7859941267f40d1834419.exe | 31
PID 1316 wrote to memory of 2952 | 1316 | 96b4dc68d491b25769c36f74ad0403c1e775cd4c02b7859941267f40d1834419.exe | 31
PID 2952 wrote to memory of 852 | 2952 | incalculability.exe | 32
PID 2952 wrote to memory of 852 | 2952 | incalculability.exe | 32
PID 2952 wrote to memory of 852 | 2952 | incalculability.exe | 32
PID 2952 wrote to memory of 852 | 2952 | incalculability.exe | 32
PID 2952 wrote to memory of 852 | 2952 | incalculability.exe | 32
outlook_office_path (1 IoCs)
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | svchost.exe
outlook_win_path (1 IoCs)
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | svchost.exe
Processes
C:\Users\Admin\AppData\Local\Temp\96b4dc68d491b25769c36f74ad0403c1e775cd4c02b7859941267f40d1834419.exe (level 1, PID 1316)
  Command line: "C:\Users\Admin\AppData\Local\Temp\96b4dc68d491b25769c36f74ad0403c1e775cd4c02b7859941267f40d1834419.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\beeish\incalculability.exe (level 2, PID 2952)
    Command line: "C:\Users\Admin\AppData\Local\Temp\96b4dc68d491b25769c36f74ad0403c1e775cd4c02b7859941267f40d1834419.exe"
    - Drops startup file
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\svchost.exe (level 3, PID 852)
      Command line: "C:\Users\Admin\AppData\Local\Temp\96b4dc68d491b25769c36f74ad0403c1e775cd4c02b7859941267f40d1834419.exe"
      - Accesses Microsoft Outlook profiles
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 29KB
MD5: 8620c48ba6cc6f917c1e936ad5aadd4e
SHA1: 1a39b6df5478ad016a7c64e76ef0847a6f97fc75
SHA256: 28b602e4ca07ca182e9a945542d48e4b5ed6fee09933fbd66180fb4aed439c73
SHA512: 90f60bc95532c5837e67ae26bd2fbc6da6f670dc68e432e7c629bb9bfe5e8bb31d03482163902039194a596d3ffb74b474adae8e46a9fe4a9bfb847363bf07ce

Filesize: 1.1MB
MD5: 8ab89c59c8fda81159ae27eaf35dd684
SHA1: aaadcdafc21a5f2a4a22e679ec87125928e299bd
SHA256: 96b4dc68d491b25769c36f74ad0403c1e775cd4c02b7859941267f40d1834419
SHA512: 9af7f0b9a3209f296bdec04ddbc41cc7ecd5ae4136e13e64ec1025d5acebbe04040f243cfd5098ce87acb58ac4e50d322d53a448a05fcfc3f293ae00967b2f41