Analysis

  • max time kernel
    150s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
  • submitted
    31/08/2024, 01:46 UTC

General

  • Target

    2016pdf.exe

  • Size

    965KB

  • MD5

    e289bcf6d77230d7fdb4d8a0bf126723

  • SHA1

    70880bcc5a8ac31df2dc6aa2e03f8f73965f7812

  • SHA256

    98c08e97f88fd09e81a8dc3e3234f89ceed282048a4275c7a2f1b9bc116db41f

  • SHA512

    a7883c1644d143c4d8a6384e7b9d0eeaf9e8ce51c76b3c35f2daf89c04944d77be99af095b31f5a1ba46c8bd271f89aa20d963d4d6a61176cb040e01288395eb

  • SSDEEP

    24576:pQu+IperrOUj6k7ZqC30kKoreoQSQS4kHHDJ1VnmjSd/EG:pQyk7ZxlK5oAkDJ1ZYSds

Signatures

  • HawkEye

    HawkEye is a malware kit that has seen continuous development since at least 2013.

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to, or copying of, a web browser credential store.

  • Detected Nirsoft tools 10 IoCs

    Free utilities, often used by attackers, that can recover passwords, product keys, etc.

  • NirSoft MailPassView 7 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 6 IoCs

    Password recovery tool for various web browsers

  • Drops startup file 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2016pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\2016pdf.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2136
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CKMdCEEIZAPIeXJUdWYAR.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CKMdCEEIZAPIeXJUdWYAR.exe gYdCdIeaUTRhGRagFgD
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2384
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
        - vbc
        3⤵
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1840
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
          4⤵
          • Accesses Microsoft Outlook accounts
          • System Location Discovery: System Language Discovery
          PID:2644
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:820

Network

  • flag-us
    DNS
    whatismyipaddress.com
    RegAsm.exe
    Remote address:
    8.8.8.8:53
    Request
    whatismyipaddress.com
    IN A
    Response
    whatismyipaddress.com
    IN A
    104.19.222.79
    whatismyipaddress.com
    IN A
    104.19.223.79
  • flag-us
    GET
    http://whatismyipaddress.com/
    RegAsm.exe
    Remote address:
    104.19.222.79:80
    Request
    GET / HTTP/1.1
    Host: whatismyipaddress.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 301 Moved Permanently
    Date: Sat, 31 Aug 2024 01:46:31 GMT
    Content-Type: text/html
    Content-Length: 167
    Connection: keep-alive
    Cache-Control: max-age=3600
    Expires: Sat, 31 Aug 2024 02:46:31 GMT
    Location: https://whatismyipaddress.com/
    Set-Cookie: __cf_bm=wHl5GJSWt5WEcydAGDBVo8DBZ4UYz5Q7oI36Qcu2.Bo-1725068791-1.0.1.1-UBZDqWOV6nGNEo3X6_dBcQ65BvYXnukmyxJZr8UKs9xp25HrTchKQcjRW0gk3a6EVrZf5Tj0BvxB3mD.Iz3Vhg; path=/; expires=Sat, 31-Aug-24 02:16:31 GMT; domain=.whatismyipaddress.com; HttpOnly
    X-Frame-Options: deny
    Server: cloudflare
    CF-RAY: 8bb958ebfc0393f6-LHR
    alt-svc: h3=":443"; ma=86400
  • flag-us
    DNS
    smtp.1and1.it
    RegAsm.exe
    Remote address:
    8.8.8.8:53
    Request
    smtp.1and1.it
    IN A
    Response
    smtp.1and1.it
    IN A
    212.227.17.173
    smtp.1and1.it
    IN A
    212.227.17.189
  • 104.19.222.79:80
    http://whatismyipaddress.com/
    http
    RegAsm.exe
    399 B
    1.8kB
    7
    5

    HTTP Request

    GET http://whatismyipaddress.com/

    HTTP Response

    301
  • 104.19.222.79:443
    whatismyipaddress.com
    tls
    RegAsm.exe
    355 B
    219 B
    5
    5
  • 104.19.222.79:443
    whatismyipaddress.com
    tls
    RegAsm.exe
    355 B
    219 B
    5
    5
  • 212.227.17.173:587
    smtp.1and1.it
    smtp
    RegAsm.exe
    452 B
    507 B
    7
    8
  • 212.227.17.173:587
    smtp.1and1.it
    smtp
    RegAsm.exe
    600 B
    647 B
    10
    9
  • 8.8.8.8:53
    whatismyipaddress.com
    dns
    RegAsm.exe
    67 B
    99 B
    1
    1

    DNS Request

    whatismyipaddress.com

    DNS Response

    104.19.222.79
    104.19.223.79

  • 8.8.8.8:53
    smtp.1and1.it
    dns
    RegAsm.exe
    59 B
    91 B
    1
    1

    DNS Request

    smtp.1and1.it

    DNS Response

    212.227.17.173
    212.227.17.189

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\IPNhDLAeKSic

    Filesize

    506KB

    MD5

    9d7857570d5fdf92e853c4c6cd65a81b

    SHA1

    472a8f79c31ea75738b2a07ada2fe10c4807ee93

    SHA256

    6134cd30e6e0d05553e771e263e8e7b24d71f086d87aa5a2f355e38101314536

    SHA512

    92918612b908fc6cf66070d9613f67d5fe8e56027bdc65ff1c491dbcccc445df98740c10ce9d2de4fa9234acdde86c3115f2aa7a8193273aa116f4104158c043

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gYdCdIeaUTRhGRagFgD

    Filesize

    38KB

    MD5

    a39dcb345904dddc0c776139b729a243

    SHA1

    db77b63486f0f05c6e14f746bfca7d93b93b0a2a

    SHA256

    c2a31f858f17c64b7a5bd5fe22943733a26d70a89b065aa5b894574eee3ec6b4

    SHA512

    a4d0869d0f90941022e88cd0a71be1b59a467865d437c8253eedbee73becbce56ddda1fd907a88187edad16f3137bf65e8440a02a5123b6d12f89c2ef81696b4

  • C:\Users\Admin\AppData\Local\Temp\holderwb.txt

    Filesize

    2B

    MD5

    f3b25701fe362ec84616a93a45ce9998

    SHA1

    d62636d8caec13f04e28442a0a6fa1afeb024bbb

    SHA256

    b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

    SHA512

    98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

  • \Users\Admin\AppData\Local\Temp\IXP000.TMP\CKMdCEEIZAPIeXJUdWYAR.exe

    Filesize

    732KB

    MD5

    71d8f6d5dc35517275bc38ebcc815f9f

    SHA1

    cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

    SHA256

    fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

    SHA512

    4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

  • memory/820-53-0x0000000000400000-0x0000000000458000-memory.dmp

    Filesize

    352KB

  • memory/820-47-0x0000000000400000-0x0000000000458000-memory.dmp

    Filesize

    352KB

  • memory/820-46-0x0000000000400000-0x0000000000458000-memory.dmp

    Filesize

    352KB

  • memory/1840-42-0x0000000074842000-0x0000000074844000-memory.dmp

    Filesize

    8KB

  • memory/1840-45-0x0000000074840000-0x0000000074DEB000-memory.dmp

    Filesize

    5.7MB

  • memory/1840-30-0x0000000074842000-0x0000000074844000-memory.dmp

    Filesize

    8KB

  • memory/1840-20-0x0000000000400000-0x0000000000484000-memory.dmp

    Filesize

    528KB

  • memory/1840-28-0x0000000000400000-0x0000000000484000-memory.dmp

    Filesize

    528KB

  • memory/1840-39-0x0000000074840000-0x0000000074DEB000-memory.dmp

    Filesize

    5.7MB

  • memory/1840-27-0x0000000000400000-0x0000000000484000-memory.dmp

    Filesize

    528KB

  • memory/1840-21-0x0000000000400000-0x0000000000484000-memory.dmp

    Filesize

    528KB

  • memory/1840-25-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/2384-41-0x00000000001E0000-0x00000000001E1000-memory.dmp

    Filesize

    4KB

  • memory/2384-19-0x00000000001E0000-0x00000000001E1000-memory.dmp

    Filesize

    4KB

  • memory/2644-44-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

  • memory/2644-40-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

  • memory/2644-36-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

  • memory/2644-38-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB
