Analysis
- max time kernel: 43s
- max time network: 109s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 16/09/2024, 21:13
Static task: static1
Behavioral task: behavioral1
- Sample: bb64f5d78d45a7994988a5aea5c5fd06aa9be2106d38be875e3e7041d58a994aN.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: bb64f5d78d45a7994988a5aea5c5fd06aa9be2106d38be875e3e7041d58a994aN.exe
- Resource: win10v2004-20240802-en
General
- Target: bb64f5d78d45a7994988a5aea5c5fd06aa9be2106d38be875e3e7041d58a994aN.exe
- Size: 1.1MB
- MD5: d19e57cc9fadabb7d0b4d5f29afaab80
- SHA1: f0678c2796dbf40a30fcc4e9d2455641bd83866d
- SHA256: bb64f5d78d45a7994988a5aea5c5fd06aa9be2106d38be875e3e7041d58a994a
- SHA512: 3f91e041a19d0316296244e58f04108cca4357e3b28785425fa24b3b9d5ce3b2ab26c2445c20b9719d9acd7920481c2a19597897fd6a69894f5cac58526b8c7a
- SSDEEP: 24576:sqDEvCTbMWu7rQYlBQcBiT6rprG8a+gLAAB8CeF:sTvC/MTQYxsWR7a+gLAAte
Malware Config
Extracted
- Family: snakekeylogger
- https://api.telegram.org/bot7505197168:AAH44rUOfgM2A0VfpI637HSQjCH00DQZX48/sendMessage?chat_id=875935923
Signatures
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
- Snake Keylogger payload (33 IoCs)
- Credentials from Password Stores: Credentials from Web Browsers (1 TTPs)
  Malicious Access or copy of Web Browser Credential store.
- Drops startup file (1 IoCs)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs (process: name.exe)
- Executes dropped EXE (2 IoCs)
  PID 1808 name.exe
  PID 936 name.exe
- Loads dropped DLL (2 IoCs)
  PID 1568 bb64f5d78d45a7994988a5aea5c5fd06aa9be2106d38be875e3e7041d58a994aN.exe
  PID 1808 name.exe
- Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  Key opened: \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: RegSvcs.exe)
  Key opened: \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: RegSvcs.exe)
  Key opened: \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: RegSvcs.exe)
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Flow 4: checkip.dyndns.org
- AutoIT Executable (1 IoCs)
  AutoIT scripts compiled to PE executables.
  YARA rule autoit_exe matched resource behavioral1/files/0x0008000000018ddd-12.dat
- Suspicious use of SetThreadContext (1 IoCs)
  PID 936 set thread context of 1792 (process: name.exe, procid_target: 32)
- System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: bb64f5d78d45a7994988a5aea5c5fd06aa9be2106d38be875e3e7041d58a994aN.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: name.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: name.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: RegSvcs.exe)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 1792 RegSvcs.exe (x2)
- Suspicious behavior: MapViewOfSection (2 IoCs)
  PID 1808 name.exe
  PID 936 name.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Token: SeDebugPrivilege, PID 1792 RegSvcs.exe
- Suspicious use of FindShellTrayWindow (6 IoCs)
  PID 1568 bb64f5d78d45a7994988a5aea5c5fd06aa9be2106d38be875e3e7041d58a994aN.exe (x2)
  PID 1808 name.exe (x2)
  PID 936 name.exe (x2)
- Suspicious use of SendNotifyMessage (6 IoCs)
  PID 1568 bb64f5d78d45a7994988a5aea5c5fd06aa9be2106d38be875e3e7041d58a994aN.exe (x2)
  PID 1808 name.exe (x2)
  PID 936 name.exe (x2)
- Suspicious use of WriteProcessMemory (23 IoCs)
  PID 1568 wrote to memory of 1808 (process: bb64f5d78d45a7994988a5aea5c5fd06aa9be2106d38be875e3e7041d58a994aN.exe, procid_target: 29) (x4)
  PID 1808 wrote to memory of 2384 (process: name.exe, procid_target: 30) (x7)
  PID 1808 wrote to memory of 936 (process: name.exe, procid_target: 31) (x4)
  PID 936 wrote to memory of 1792 (process: name.exe, procid_target: 32) (x8)
- outlook_office_path (1 IoCs)
  Key opened: \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: RegSvcs.exe)
- outlook_win_path (1 IoCs)
  Key opened: \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: RegSvcs.exe)
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\bb64f5d78d45a7994988a5aea5c5fd06aa9be2106d38be875e3e7041d58a994aN.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\bb64f5d78d45a7994988a5aea5c5fd06aa9be2106d38be875e3e7041d58a994aN.exe"
  PID: 1568
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\directory\name.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\bb64f5d78d45a7994988a5aea5c5fd06aa9be2106d38be875e3e7041d58a994aN.exe"
    PID: 1808
    - Drops startup file
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\bb64f5d78d45a7994988a5aea5c5fd06aa9be2106d38be875e3e7041d58a994aN.exe"
      PID: 2384
    - [3] C:\Users\Admin\AppData\Local\directory\name.exe
      Command line: "C:\Users\Admin\AppData\Local\directory\name.exe"
      PID: 936
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        Command line: "C:\Users\Admin\AppData\Local\directory\name.exe"
        PID: 1792
        - Accesses Microsoft Outlook profiles
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - outlook_office_path
        - outlook_win_path
Downloads