Analysis
- max time kernel: 119s
- max time network: 96s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28/09/2024, 14:17
Static task
- static1
Behavioral task
- behavioral1
  Sample: 086bcac7feb7c41121c523b4ae6579fe6ee242614b1e9aea8ab624c6128dbff3N.exe
  Resource: win7-20240903-en
Behavioral task
- behavioral2
  Sample: 086bcac7feb7c41121c523b4ae6579fe6ee242614b1e9aea8ab624c6128dbff3N.exe
  Resource: win10v2004-20240802-en
General
- Target: 086bcac7feb7c41121c523b4ae6579fe6ee242614b1e9aea8ab624c6128dbff3N.exe
- Size: 1.2MB
- MD5: 6ca29909e46edb344d8faf000704d560
- SHA1: f86094f2a1e614c130987faa8c1f2ac018eb0860
- SHA256: 086bcac7feb7c41121c523b4ae6579fe6ee242614b1e9aea8ab624c6128dbff3
- SHA512: 1efb7bcbd44d45b2be9cac6961d1092d27b1c51aa3999df030bf0c05c57d1055585f47eb82c159bdc8d48bd0acdf9b377122f3bca8df78a46000d9e22c84f882
- SSDEEP: 24576:shntGx9yVf41ob4s6ABttGZOATIZXTnR1a3W:stGZ1oEEbG8xXja3W
Malware Config
Extracted
- Protocol: smtp
- Host: smtp.zoho.com
- Port: 587
- Username: [email protected]
- Password: Diego1986
Signatures
- Detected Nirsoft tools (6 IoCs)
  Free utilities often used by attackers which can steal passwords, product keys, etc.
  resource | yara_rule
  behavioral2/memory/4816-38-0x0000000000900000-0x0000000000984000-memory.dmp | Nirsoft
  behavioral2/memory/4816-40-0x0000000000900000-0x0000000000984000-memory.dmp | Nirsoft
  behavioral2/memory/4816-39-0x0000000000900000-0x0000000000984000-memory.dmp | Nirsoft
  behavioral2/memory/4460-51-0x0000000000400000-0x000000000041B000-memory.dmp | Nirsoft
  behavioral2/memory/4460-50-0x0000000000400000-0x000000000041B000-memory.dmp | Nirsoft
  behavioral2/memory/4460-53-0x0000000000400000-0x000000000041B000-memory.dmp | Nirsoft
- NirSoft MailPassView (6 IoCs)
  Password recovery tool for various email clients
  resource | yara_rule
  behavioral2/memory/4816-38-0x0000000000900000-0x0000000000984000-memory.dmp | MailPassView
  behavioral2/memory/4816-40-0x0000000000900000-0x0000000000984000-memory.dmp | MailPassView
  behavioral2/memory/4816-39-0x0000000000900000-0x0000000000984000-memory.dmp | MailPassView
  behavioral2/memory/4460-51-0x0000000000400000-0x000000000041B000-memory.dmp | MailPassView
  behavioral2/memory/4460-50-0x0000000000400000-0x000000000041B000-memory.dmp | MailPassView
  behavioral2/memory/4460-53-0x0000000000400000-0x000000000041B000-memory.dmp | MailPassView
- NirSoft WebBrowserPassView (3 IoCs)
  Password recovery tool for various web browsers
  resource | yara_rule
  behavioral2/memory/4816-38-0x0000000000900000-0x0000000000984000-memory.dmp | WebBrowserPassView
  behavioral2/memory/4816-40-0x0000000000900000-0x0000000000984000-memory.dmp | WebBrowserPassView
  behavioral2/memory/4816-39-0x0000000000900000-0x0000000000984000-memory.dmp | WebBrowserPassView
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation | 086bcac7feb7c41121c523b4ae6579fe6ee242614b1e9aea8ab624c6128dbff3N.exe
- Executes dropped EXE (2 IoCs)
  pid | Process
  1292 | magert.exe
  4816 | magert.exe
- Uses the VBS compiler for execution (1 TTP)
- Accesses Microsoft Outlook accounts (1 TTP, 1 IoC)
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | vbc.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Application = "C:\\Users\\Admin\\Music\\magert.exe" | 086bcac7feb7c41121c523b4ae6579fe6ee242614b1e9aea8ab624c6128dbff3N.exe
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  45 | whatismyipaddress.com
  47 | whatismyipaddress.com
- Suspicious use of SetThreadContext (3 IoCs)
  description | pid | Process | procid_target
  PID 1292 set thread context of 4816 | 1292 | magert.exe | 92
  PID 4816 set thread context of 4460 | 4816 | magert.exe | 93
  PID 4816 set thread context of 3744 | 4816 | magert.exe | 94
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (2 IoCs)
  pid | pid_target | Process | procid_target
  1108 | 3744 | WerFault.exe | 94
  436 | 3744 | WerFault.exe | 94
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 086bcac7feb7c41121c523b4ae6579fe6ee242614b1e9aea8ab624c6128dbff3N.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | magert.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | magert.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vbc.exe
- Suspicious behavior: EnumeratesProcesses (12 IoCs)
  pid | Process | occurrences
  1676 | 086bcac7feb7c41121c523b4ae6579fe6ee242614b1e9aea8ab624c6128dbff3N.exe | 6
  1292 | magert.exe | 6
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 1676 | 086bcac7feb7c41121c523b4ae6579fe6ee242614b1e9aea8ab624c6128dbff3N.exe
  Token: SeDebugPrivilege | 1292 | magert.exe
  Token: SeDebugPrivilege | 4816 | magert.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid | Process
  4816 | magert.exe
- Suspicious use of WriteProcessMemory (29 IoCs)
  description | pid | Process | procid_target | occurrences
  PID 1676 wrote to memory of 1292 | 1676 | 086bcac7feb7c41121c523b4ae6579fe6ee242614b1e9aea8ab624c6128dbff3N.exe | 89 | 3
  PID 1292 wrote to memory of 4816 | 1292 | magert.exe | 92 | 8
  PID 4816 wrote to memory of 4460 | 4816 | magert.exe | 93 | 9
  PID 4816 wrote to memory of 3744 | 4816 | magert.exe | 94 | 9
Processes
- C:\Users\Admin\AppData\Local\Temp\086bcac7feb7c41121c523b4ae6579fe6ee242614b1e9aea8ab624c6128dbff3N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\086bcac7feb7c41121c523b4ae6579fe6ee242614b1e9aea8ab624c6128dbff3N.exe"
  PID: 1676
  Signatures:
  - Checks computer location settings
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child process:
  - C:\Users\Admin\Music\magert.exe
    Command line: "C:\Users\Admin\Music\magert.exe"
    PID: 1292
    Signatures:
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    Child process:
    - C:\Users\Admin\Music\magert.exe
      Command line: "C:\Users\Admin\Music\magert.exe"
      PID: 4816
      Signatures:
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      Child processes:
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
        PID: 4460
        Signatures:
        - Accesses Microsoft Outlook accounts
        - System Location Discovery: System Language Discovery
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
        PID: 3744
        Child processes:
        - C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3744 -s 184
          PID: 1108
          Signatures:
          - Program crash
        - C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3744 -s 228
          PID: 436
          Signatures:
          - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3744 -ip 3744
  PID: 512
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3744 -ip 3744
  PID: 3844
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 526B
  MD5: 0b25f9f358a722369479cecdb0bfdfd4
  SHA1: 0e5e586dc2387f8492dc7bb8b9ba17cce90ba6fb
  SHA256: 97e51099c3c8b24d92ae0f8c0241b3477e52127f0da5f89175c56abc202196c7
  SHA512: 5f91fcd8822aa8e74566dc4b89af55e9f539aab19dc11cb450c13baa846e494b9f27954cce8626c867177b43e76be03a631c58e29be41b7bdad61576f5b8378b
- Filesize: 1.2MB
  MD5: 2f5cff1304088487406d2428a2bc46b4
  SHA1: 777c4c7ea7f417a2f347d1cba681b2ecb49f3c94
  SHA256: bec51c54372f8c27b30d2269410ed9ea7f019a37ee42c06d041c62bdd071524b
  SHA512: b349eca484c9bcd826f4c4e88a8d1c7d5b904035b2821ef0eb6298c11fd77a90f919bfd2cac05f294626dad9f8a0f72eb4cced599d7fb8b3c92d2e48a44936d1