Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

cb1e4d0356...ad.exe

windows7-x64

10

cb1e4d0356...ad.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    118s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    09/10/2024, 10:27 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cb1e4d0356aed5ebf2a071bb937acc7c5fed8188b2d3abbce27b6d0761b1a0ad.exe

  • Size

    543KB

  • MD5

    94127a1ca4898c0e04e79ecea0e05b50

  • SHA1

    ea69723e32956765d179fbe60cf2221d6d35c679

  • SHA256

    cb1e4d0356aed5ebf2a071bb937acc7c5fed8188b2d3abbce27b6d0761b1a0ad

  • SHA512

    0a1739e0b3381fde73438e3bb7cf395233d0b19efb74c7c39fed3b5261128cec8d13eb925ca3de3ecbc1a274b524552b607068b2c5418deda615066f4a577257

  • SSDEEP

    12288:rOSf8bQbp898xpDVO0j/Zljlx91d1q9jt0p0oIR1PhY:rOIpTpDo0zvhT1d1q9jtQ1IRQ

Score
10/10
snakekeyloggercollectiondiscoveryexecutionkeyloggerspywarestealer

Malware Config

Signatures

  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

    stealerkeyloggersnakekeylogger
  • Snake Keylogger payload 5 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cb1e4d0356aed5ebf2a071bb937acc7c5fed8188b2d3abbce27b6d0761b1a0ad.exe
    "C:\Users\Admin\AppData\Local\Temp\cb1e4d0356aed5ebf2a071bb937acc7c5fed8188b2d3abbce27b6d0761b1a0ad.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2652
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\cb1e4d0356aed5ebf2a071bb937acc7c5fed8188b2d3abbce27b6d0761b1a0ad.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1924
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\LcTZHeZxiLw.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2588
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LcTZHeZxiLw" /XML "C:\Users\Admin\AppData\Local\Temp\tmp512C.tmp"
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:2756
    • C:\Users\Admin\AppData\Local\Temp\cb1e4d0356aed5ebf2a071bb937acc7c5fed8188b2d3abbce27b6d0761b1a0ad.exe
      "C:\Users\Admin\AppData\Local\Temp\cb1e4d0356aed5ebf2a071bb937acc7c5fed8188b2d3abbce27b6d0761b1a0ad.exe"
      2⤵
      • Accesses Microsoft Outlook profiles
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • outlook_office_path
      • outlook_win_path
      PID:3064

Network

  • flag-us
    DNS
    checkip.dyndns.org
    cb1e4d0356aed5ebf2a071bb937acc7c5fed8188b2d3abbce27b6d0761b1a0ad.exe
    Remote address:
    8.8.8.8:53
    Request
    checkip.dyndns.org
    IN A
    Response
    checkip.dyndns.org
    IN CNAME
    checkip.dyndns.com
    checkip.dyndns.com
    IN A
    158.101.44.242
    checkip.dyndns.com
    IN A
    193.122.130.0
    checkip.dyndns.com
    IN A
    132.226.247.73
    checkip.dyndns.com
    IN A
    193.122.6.168
    checkip.dyndns.com
    IN A
    132.226.8.169
  • flag-us
    GET
    http://checkip.dyndns.org/
    cb1e4d0356aed5ebf2a071bb937acc7c5fed8188b2d3abbce27b6d0761b1a0ad.exe
    Remote address:
    158.101.44.242:80
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Wed, 09 Oct 2024 10:28:06 GMT
    Content-Type: text/html
    Content-Length: 105
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: 67bea50317e00b421ef9097db1b722ec
  • flag-us
    GET
    http://checkip.dyndns.org/
    cb1e4d0356aed5ebf2a071bb937acc7c5fed8188b2d3abbce27b6d0761b1a0ad.exe
    Remote address:
    158.101.44.242:80
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Response
    HTTP/1.1 200 OK
    Date: Wed, 09 Oct 2024 10:28:11 GMT
    Content-Type: text/html
    Content-Length: 105
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: 8ddcfb7c4ed711ce5dba2f7c5d6bed1d
  • flag-us
    GET
    http://checkip.dyndns.org/
    cb1e4d0356aed5ebf2a071bb937acc7c5fed8188b2d3abbce27b6d0761b1a0ad.exe
    Remote address:
    158.101.44.242:80
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Response
    HTTP/1.1 200 OK
    Date: Wed, 09 Oct 2024 10:28:17 GMT
    Content-Type: text/html
    Content-Length: 105
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: f69987c198c5eaca6846b2a46e68761c
  • flag-us
    GET
    http://checkip.dyndns.org/
    cb1e4d0356aed5ebf2a071bb937acc7c5fed8188b2d3abbce27b6d0761b1a0ad.exe
    Remote address:
    158.101.44.242:80
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Response
    HTTP/1.1 200 OK
    Date: Wed, 09 Oct 2024 10:28:21 GMT
    Content-Type: text/html
    Content-Length: 105
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: 7a28c6d0bdbe57706869dba30667b68b
  • flag-us
    GET
    http://checkip.dyndns.org/
    cb1e4d0356aed5ebf2a071bb937acc7c5fed8188b2d3abbce27b6d0761b1a0ad.exe
    Remote address:
    158.101.44.242:80
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Response
    HTTP/1.1 200 OK
    Date: Wed, 09 Oct 2024 10:28:25 GMT
    Content-Type: text/html
    Content-Length: 105
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: 00643359cb6d80375d003bda15596515
  • flag-us
    GET
    http://checkip.dyndns.org/
    cb1e4d0356aed5ebf2a071bb937acc7c5fed8188b2d3abbce27b6d0761b1a0ad.exe
    Remote address:
    158.101.44.242:80
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Response
    HTTP/1.1 200 OK
    Date: Wed, 09 Oct 2024 10:28:27 GMT
    Content-Type: text/html
    Content-Length: 105
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: 7f77c6768e72bc6cc612848612cbe383
  • flag-us
    GET
    http://checkip.dyndns.org/
    cb1e4d0356aed5ebf2a071bb937acc7c5fed8188b2d3abbce27b6d0761b1a0ad.exe
    Remote address:
    158.101.44.242:80
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Response
    HTTP/1.1 200 OK
    Date: Wed, 09 Oct 2024 10:28:30 GMT
    Content-Type: text/html
    Content-Length: 105
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: 3730ab29116bd4a99d5144b79d616bc2
  • flag-us
    GET
    http://checkip.dyndns.org/
    cb1e4d0356aed5ebf2a071bb937acc7c5fed8188b2d3abbce27b6d0761b1a0ad.exe
    Remote address:
    158.101.44.242:80
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Response
    HTTP/1.1 200 OK
    Date: Wed, 09 Oct 2024 10:28:33 GMT
    Content-Type: text/html
    Content-Length: 105
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: 211cb3299ae58c99026b8aebb37ec1db
  • flag-us
    GET
    http://checkip.dyndns.org/
    cb1e4d0356aed5ebf2a071bb937acc7c5fed8188b2d3abbce27b6d0761b1a0ad.exe
    Remote address:
    158.101.44.242:80
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Response
    HTTP/1.1 200 OK
    Date: Wed, 09 Oct 2024 10:28:36 GMT
    Content-Type: text/html
    Content-Length: 105
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: 08cdae349085f44b24d1f57be2c83f1b
  • flag-us
    DNS
    reallyfreegeoip.org
    cb1e4d0356aed5ebf2a071bb937acc7c5fed8188b2d3abbce27b6d0761b1a0ad.exe
    Remote address:
    8.8.8.8:53
    Request
    reallyfreegeoip.org
    IN A
    Response
    reallyfreegeoip.org
    IN A
    104.21.67.152
    reallyfreegeoip.org
    IN A
    172.67.177.134
  • 158.101.44.242:80
    http://checkip.dyndns.org/
    http
    cb1e4d0356aed5ebf2a071bb937acc7c5fed8188b2d3abbce27b6d0761b1a0ad.exe
    2.2kB
     3.7kB
     23
    19

    HTTP Request

    GET http://checkip.dyndns.org/

    HTTP Response

    200

    HTTP Request

    GET http://checkip.dyndns.org/

    HTTP Response

    200

    HTTP Request

    GET http://checkip.dyndns.org/

    HTTP Response

    200

    HTTP Request

    GET http://checkip.dyndns.org/

    HTTP Response

    200

    HTTP Request

    GET http://checkip.dyndns.org/

    HTTP Response

    200

    HTTP Request

    GET http://checkip.dyndns.org/

    HTTP Response

    200

    HTTP Request

    GET http://checkip.dyndns.org/

    HTTP Response

    200

    HTTP Request

    GET http://checkip.dyndns.org/

    HTTP Response

    200

    HTTP Request

    GET http://checkip.dyndns.org/

    HTTP Response

    200
  • 104.21.67.152:443
    reallyfreegeoip.org
    tls
    cb1e4d0356aed5ebf2a071bb937acc7c5fed8188b2d3abbce27b6d0761b1a0ad.exe
    2.1kB
     12.4kB
     23
    23
  • 8.8.8.8:53
    checkip.dyndns.org
    dns
    cb1e4d0356aed5ebf2a071bb937acc7c5fed8188b2d3abbce27b6d0761b1a0ad.exe
    64 B
     176 B
     1
    1

    DNS Request

    checkip.dyndns.org

    DNS Response

    158.101.44.242
    193.122.130.0
    132.226.247.73
    193.122.6.168
    132.226.8.169

  • 8.8.8.8:53
    reallyfreegeoip.org
    dns
    cb1e4d0356aed5ebf2a071bb937acc7c5fed8188b2d3abbce27b6d0761b1a0ad.exe
    65 B
     97 B
     1
    1

    DNS Request

    reallyfreegeoip.org

    DNS Response

    104.21.67.152
    172.67.177.134

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp512C.tmp
    Filesize

    1KB

    MD5

    d13fcdcf37b8e612219281822b906f5b

    SHA1

    4d81f862a97689f4d49ea22a68a2458963a07ae1

    SHA256

    892c1b82e96260e1922f0e79f43a28fbcbbced580d67f3288f471507af63a157

    SHA512

    6deb5244aa3a06539fde15d69db9b9262139a546ee0542fe3d20ec12053d394b6494ca3696b6a242d31e64a122a9e8cd99f7fe142413a8965cbfa5567e3eed7e

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Filesize

    7KB

    MD5

    091e9a08601bc6890842c530e0d04c5c

    SHA1

    34e8ab4aa321bf5343536e40d1f2af60e2f917ac

    SHA256

    dd0a8fa533424c33413ea219fb3ee97c756bab9fceefe66568eb65041739d5ff

    SHA512

    f73c69060474cb11ba0c546a05f566e04f9325b708807b4d5f1235cdb8ca1e1e2c5df897d2550dcb83fb0394a876e089d07cfe8d6a61d445be657fbcb6408085

    Download Submit

  • memory/2652-4-0x0000000074140000-0x000000007482E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2652-3-0x00000000003D0000-0x00000000003E2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2652-0-0x000000007414E000-0x000000007414F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2652-5-0x000000007414E000-0x000000007414F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2652-6-0x0000000074140000-0x000000007482E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2652-7-0x00000000054D0000-0x0000000005538000-memory.dmp

    Filesize

    416KB

    Download

  • memory/2652-2-0x0000000074140000-0x000000007482E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2652-1-0x0000000001380000-0x000000000140E000-memory.dmp

    Filesize

    568KB

    Download

  • memory/2652-32-0x0000000074140000-0x000000007482E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/3064-31-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

    Download

  • memory/3064-30-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

    Download

  • memory/3064-28-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3064-26-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

    Download

  • memory/3064-24-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

    Download

  • memory/3064-22-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

    Download

  • memory/3064-20-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

    Download

  • memory/3064-29-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.