Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

toolinfo.exe

windows7-x64

10

toolinfo.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    40s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    14/09/2024, 14:53 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    toolinfo.exe

  • Size

    175KB

  • MD5

    56085bbed1d6ab185bcf0517d97d1b79

  • SHA1

    2b656acb110e339a3aaadf7bc72b88a425b2cd9d

  • SHA256

    52a5a1066a27d5d8fd821f3465ad0fb923de343a385a22c50b0314c610f5f888

  • SHA512

    4c214cfe82da0a55773b1eff38487314a7b8378b0a864ab9bab79132f0918c84b74b05099abded855fcc72fbd2cdfd2e9fa86089840c614014171d429a8b4e1e

  • SSDEEP

    3072:ae8oX8Sb5KcXrtkkXmf/bDsvqtU+lLToChAP0UZ0b2gTCwAqE+Wpor:bXtb5KcXr7XmfgqtjhAxZ0b2r

Score
10/10
asyncratstormkittydefaultcredential_accessdiscoverypersistenceprivilege_escalationratspywarestealer

Malware Config

Extracted

Family

asyncrat

Botnet

Default

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

https://api.telegram.org/bot7501791879:AAEoWKncu4Ny3OehQpAolbAkBYy7c0_UhCo/sendMessage?chat_id=6327080418
Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain
1
VIfxfqryUTyZUBGDCBAvbYVYIsexIM7Z

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • StormKitty

    StormKitty is an open source info stealer written in C#.

    stealerstormkitty
  • StormKitty payload 1 IoCs
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops desktop.ini file(s) 7 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Looks up geolocation information via web service

    Uses a legitimate geolocation service to find the infected system's geolocation info.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

    Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

    discovery
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\toolinfo.exe
    "C:\Users\Admin\AppData\Local\Temp\toolinfo.exe"
    1⤵
    • Drops desktop.ini file(s)
    • System Location Discovery: System Language Discovery
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2092
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Wi-Fi Discovery
      • Suspicious use of WriteProcessMemory
      PID:2004
      • C:\Windows\SysWOW64\chcp.com
        chcp 65001
        3⤵
        • System Location Discovery: System Language Discovery
        PID:852
      • C:\Windows\SysWOW64\netsh.exe
        netsh wlan show profile
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Wi-Fi Discovery
        PID:1388
      • C:\Windows\SysWOW64\findstr.exe
        findstr All
        3⤵
        • System Location Discovery: System Language Discovery
        PID:316
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1812
      • C:\Windows\SysWOW64\chcp.com
        chcp 65001
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2188
      • C:\Windows\SysWOW64\netsh.exe
        netsh wlan show networks mode=bssid
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:1816

Network

  • flag-us
    DNS
    icanhazip.com
    toolinfo.exe
    Remote address:
    8.8.8.8:53
    Request
    icanhazip.com
    IN A
    Response
    icanhazip.com
    IN A
    104.16.184.241
    icanhazip.com
    IN A
    104.16.185.241
  • flag-us
    GET
    http://icanhazip.com/
    toolinfo.exe
    Remote address:
    104.16.184.241:80
    Request
    GET / HTTP/1.1
    Host: icanhazip.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Sat, 14 Sep 2024 14:54:29 GMT
    Content-Type: text/plain
    Content-Length: 14
    Connection: keep-alive
    Access-Control-Allow-Origin: *
    Access-Control-Allow-Methods: GET
    Set-Cookie: __cf_bm=tqmBaXLDsp8LupfQiGEWzR6uUUDLPk_aCz38pHlOcNw-1726325669-1.0.1.1-C.XklfrdDwylG5UG3MdgR2CDPWwFD91VKmHIXX.waCNVs61ieWrt8mBmL.OGCaOb6LguXNYVvCFtbf2RjA8ddA; path=/; expires=Sat, 14-Sep-24 15:24:29 GMT; domain=.icanhazip.com; HttpOnly
    Server: cloudflare
    CF-RAY: 8c313667a86593e1-LHR
    alt-svc: h3=":443"; ma=86400
  • flag-us
    DNS
    api.mylnikov.org
    toolinfo.exe
    Remote address:
    8.8.8.8:53
    Request
    api.mylnikov.org
    IN A
    Response
    api.mylnikov.org
    IN A
    104.21.44.66
    api.mylnikov.org
    IN A
    172.67.196.114
  • flag-us
    GET
    https://api.mylnikov.org/geolocation/wifi?v=1.1&bssid=0e:ca:3f:e3:c2:84
    toolinfo.exe
    Remote address:
    104.21.44.66:443
    Request
    GET /geolocation/wifi?v=1.1&bssid=0e:ca:3f:e3:c2:84 HTTP/1.1
    Host: api.mylnikov.org
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Sat, 14 Sep 2024 14:54:29 GMT
    Content-Type: application/json; charset=utf8
    Content-Length: 88
    Connection: keep-alive
    Access-Control-Allow-Origin: *
    Cache-Control: max-age=2678400
    CF-Cache-Status: MISS
    Last-Modified: Sat, 14 Sep 2024 14:54:29 GMT
    Accept-Ranges: bytes
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jHXwrJflttpzVi2xOoY5fcFnuqh7SdnxDbmEsQ7n7lcP8pdRtw4OSMPxnmSAsovSoTQ0Pc1ydEPrA4YIhLurwMyWhTXbZ9lqtPdwrh76Afcu%2FmUpnIZUZWULZIGP%2F6s%2BuyWM"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Strict-Transport-Security: max-age=0; preload
    X-Content-Type-Options: nosniff
    Server: cloudflare
    CF-RAY: 8c31366a5ef27300-LHR
    alt-svc: h3=":443"; ma=86400
  • flag-us
    DNS
    api.telegram.org
    toolinfo.exe
    Remote address:
    8.8.8.8:53
    Request
    api.telegram.org
    IN A
    Response
    api.telegram.org
    IN A
    149.154.167.220
  • 104.16.184.241:80
    http://icanhazip.com/
    http
    toolinfo.exe
    247 B
     668 B
     4
    3

    HTTP Request

    GET http://icanhazip.com/

    HTTP Response

    200
  • 104.21.44.66:443
    https://api.mylnikov.org/geolocation/wifi?v=1.1&bssid=0e:ca:3f:e3:c2:84
    tls, http
    toolinfo.exe
    787 B
     5.0kB
     8
    9

    HTTP Request

    GET https://api.mylnikov.org/geolocation/wifi?v=1.1&bssid=0e:ca:3f:e3:c2:84

    HTTP Response

    200
  • 149.154.167.220:443
    api.telegram.org
    tls
    toolinfo.exe
    388 B
     219 B
     5
    5
  • 149.154.167.220:443
    api.telegram.org
    tls
    toolinfo.exe
    388 B
     219 B
     5
    5
  • 127.0.0.1:6606
    toolinfo.exe
  • 127.0.0.1:7707
    toolinfo.exe
  • 127.0.0.1:7707
    toolinfo.exe
  • 127.0.0.1:8808
    toolinfo.exe
  • 127.0.0.1:6606
    toolinfo.exe
  • 8.8.8.8:53
    icanhazip.com
    dns
    toolinfo.exe
    59 B
     91 B
     1
    1

    DNS Request

    icanhazip.com

    DNS Response

    104.16.184.241
    104.16.185.241

  • 8.8.8.8:53
    api.mylnikov.org
    dns
    toolinfo.exe
    62 B
     94 B
     1
    1

    DNS Request

    api.mylnikov.org

    DNS Response

    104.21.44.66
    172.67.196.114

  • 8.8.8.8:53
    api.telegram.org
    dns
    toolinfo.exe
    62 B
     78 B
     1
    1

    DNS Request

    api.telegram.org

    DNS Response

    149.154.167.220

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\3128467ea10da0e6c2a01ab2fae2ff31\msgid.dat
    Filesize

    1B

    MD5

    cfcd208495d565ef66e7dff9f98764da

    SHA1

    b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

    SHA256

    5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

    SHA512

    31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

    Download Submit

  • memory/2092-0-0x0000000074E5E000-0x0000000074E5F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2092-1-0x0000000000080000-0x00000000000B2000-memory.dmp

    Filesize

    200KB

    Download

  • memory/2092-2-0x0000000074E50000-0x000000007553E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2092-73-0x0000000074E50000-0x000000007553E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2092-77-0x0000000074E5E000-0x0000000074E5F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2092-78-0x0000000074E50000-0x000000007553E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2092-84-0x0000000074E50000-0x000000007553E000-memory.dmp

    Filesize

    6.9MB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.