Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
63s -
max time network
65s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
-
submitted
09/10/2024, 03:32 UTC
General
-
Target
P984758.exe
-
Size
846KB
-
MD5
c5af54622602c908d5af6c3d8d7bdb09
-
SHA1
67fbbcaef7c841afc2af6cda2740b3f934cd9c15
-
SHA256
bbeac700ec88ce4b23f0bb5c996effc1586ef0e7802bc18695ecd3845a2a0022
-
SHA512
b1194332113c466ddfb55bf4f6f0dd6a04bc3ceeac9654a913d0ac38689a93fa08888b950af0a701cfb7490ca1c322fbebe77f281be27c2a2a05e78dfa3d8961
-
SSDEEP
24576:5vVPp9AR95STVO0NF64RWPOyvzQ6bnVOGeuo8:5vVPpKRSs0KBOybx
Score
10/10
Malware Config
Extracted
Family
snakekeylogger
Credentials
Protocol: smtp- Host:
smtp.fyontej.com - Port:
25 - Username:
mercy@fyontej.com - Password:
g#DXj@Ws8 - Email To:
mercy@fyontej.com
Signatures
-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload 5 IoCs
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\P984758.exe"C:\Users\Admin\AppData\Local\Temp\P984758.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KOjqORarEZ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp864F.tmp"2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\AppData\Local\Temp\P984758.exe"C:\Users\Admin\AppData\Local\Temp\P984758.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2836 -s 15763⤵
- Program crash
-
-
Network
-
DNScheckip.dyndns.orgRemote address:8.8.8.8:53Requestcheckip.dyndns.orgIN AResponsecheckip.dyndns.orgIN CNAMEcheckip.dyndns.comcheckip.dyndns.comIN A193.122.6.168checkip.dyndns.comIN A158.101.44.242checkip.dyndns.comIN A132.226.8.169checkip.dyndns.comIN A193.122.130.0checkip.dyndns.comIN A132.226.247.73 -
GEThttp://checkip.dyndns.org/Remote address:193.122.6.168:80RequestGET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
ResponseHTTP/1.1 200 OK
Date: Wed, 09 Oct 2024 12:11:39 GMT
Content-Type: text/html
Content-Length: 105
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 083c916f44f59f602d5bcd9c564a83d8
-
GEThttp://checkip.dyndns.org/Remote address:193.122.6.168:80RequestGET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
ResponseHTTP/1.1 200 OK
Date: Wed, 09 Oct 2024 12:11:41 GMT
Content-Type: text/html
Content-Length: 105
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: f084dd07515511b7a1cd7002f7267fff
-
DNSfreegeoip.appRemote address:8.8.8.8:53Requestfreegeoip.appIN AResponsefreegeoip.appIN A172.67.160.84freegeoip.appIN A104.21.73.97
-
GEThttps://freegeoip.app/xml/138.199.29.44Remote address:172.67.160.84:443RequestGET /xml/138.199.29.44 HTTP/1.1
Host: freegeoip.app
Connection: Keep-Alive
ResponseHTTP/1.1 301 Moved Permanently
Date: Wed, 09 Oct 2024 12:11:44 GMT
Content-Type: text/html
Content-Length: 167
Connection: keep-alive
Cache-Control: max-age=3600
Expires: Wed, 09 Oct 2024 13:11:44 GMT
Location: https://ipbase.com/xml/138.199.29.44
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kqJsou2cYDn0EVZ4lx0gG3YAoIjr8tJLc14CXVgnEkh6mmSba2NVY50WWIkFzDrrMHJgLknvyLdJ%2FDQA63Ru4EIMzBcjPAvItt%2FHzyfXar8U7SLC8I%2B1AsJ5cqEUnCn1"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Speculation-Rules: "/cdn-cgi/speculation"
Server: cloudflare
CF-RAY: 8cfe4664b8f53854-LHR
-
DNSipbase.comRemote address:8.8.8.8:53Requestipbase.comIN AResponseipbase.comIN A172.67.209.71ipbase.comIN A104.21.85.189
-
GEThttps://ipbase.com/xml/138.199.29.44Remote address:172.67.209.71:443RequestGET /xml/138.199.29.44 HTTP/1.1
Host: ipbase.com
Connection: Keep-Alive
ResponseHTTP/1.1 404 Not Found
Date: Wed, 09 Oct 2024 12:11:45 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Age: 0
Cache-Control: public,max-age=0,must-revalidate
Cache-Status: "Netlify Edge"; fwd=miss
Vary: Accept-Encoding
X-Nf-Request-Id: 01J9RK2F13JFF1WBRN3PD3EADQ
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VjxTWkjuWWkivotytenj1SAOzFp%2Fnfbq3xuizKb%2FbqVEokz988JKhJc1Mt8PIzA5Dw5gcvalbkBy9Z1DbDsfTF8Smb0AxiV5Zmsop%2Fi7ClvZkAL1Zu6pK%2FEFgVmE"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Speculation-Rules: "/cdn-cgi/speculation"
Server: cloudflare
CF-RAY: 8cfe46665a3b88bc-LHR
-
193.122.6.168:80http://checkip.dyndns.org/http
HTTP Request
GET http://checkip.dyndns.org/HTTP Response
200HTTP Request
GET http://checkip.dyndns.org/HTTP Response
200 -
172.67.160.84:443https://freegeoip.app/xml/138.199.29.44tls, http
HTTP Request
GET https://freegeoip.app/xml/138.199.29.44HTTP Response
301 -
172.67.209.71:443https://ipbase.com/xml/138.199.29.44tls, http
HTTP Request
GET https://ipbase.com/xml/138.199.29.44HTTP Response
404
-
8.8.8.8:53checkip.dyndns.orgdns
DNS Request
checkip.dyndns.org
DNS Response
193.122.6.168158.101.44.242132.226.8.169193.122.130.0132.226.247.73
-
8.8.8.8:53freegeoip.appdns
DNS Request
freegeoip.app
DNS Response
172.67.160.84104.21.73.97
-
8.8.8.8:53ipbase.comdns
DNS Request
ipbase.com
DNS Response
172.67.209.71104.21.85.189
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5c910689f3371420dcf5927af2a76fefe
SHA1b8bbc40552f7b034246ebf4d6fc7a0bab6aa6089
SHA2561a4476b272df32b9f5063abc177263b8c4b6b5e7166c986f136b08d713985561
SHA5123c387af3223dec1dcdcd755c87dc3c8e0fa29a9be917dbf458288b884d8d19644c1829c6032f5b2b65a5de5c1c18acfdca3c11f1a738d798de88c61e8f374e25
-
Filesize
4KB
-
Filesize
872KB
-
Filesize
6.9MB
-
Filesize
88KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
584KB
-
Filesize
152KB
-
Filesize
6.9MB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
6.9MB
-
Filesize
144KB
-
Filesize
4KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
6.9MB
-
Filesize
6.9MB
-
Filesize
6.9MB