Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    142s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    09/10/2024, 19:18

General

  • Target

    UniversalRecoilV2.exe

  • Size

    6.7MB

  • MD5

    d8e739ca8627a709dbd025c95eec3c09

  • SHA1

    cb0d1baefa7b97e355e16b1bbfa418334c579e80

  • SHA256

    6d97acf787fc0571e81d0c82c301f91005523246319a2b17eb9db765e754ad89

  • SHA512

    85bbb0e0c2059d9a141edf49102d43aef55ffab458f52f7bb755bd434499629a936fa39c3ec8d60e289232ab4abe2cdf1ffd55b59d914e18d62a2114a5006ebf

  • SSDEEP

    196608:6aLfVOixPlm+6Q9JqjodWfeNSkfoIKtAINPsbET9iorQ:NLXlm+6vjLGybNEbET9Z

Malware Config

Extracted

Family

stealc

Botnet

game

C2

http://193.233.112.44

Attributes
  • url_path

    /383ccd496f3c5eee.php

Signatures

  • Stealc

    Stealc is an infostealer written in C++.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Themida packer 5 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\UniversalRecoilV2.exe
    "C:\Users\Admin\AppData\Local\Temp\UniversalRecoilV2.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2188
    • C:\Users\Admin\AppData\Roaming\gWsmPty.exe
      "C:\Users\Admin\AppData\Roaming\gWsmPty.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2860
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2860 -s 884
        3⤵
        • Loads dropped DLL
        • Program crash
        PID:3068
    • C:\Users\Admin\AppData\Roaming\VC_redistx64.exe
      "C:\Users\Admin\AppData\Roaming\VC_redistx64.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Checks computer location settings
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1364
    • C:\Users\Admin\AppData\Roaming\UniversalRecoilV2.exe
      "C:\Users\Admin\AppData\Roaming\UniversalRecoilV2.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2608

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\UniversalRecoilV2.exe

    Filesize

    3.2MB

    MD5

    acf8907ce64638007fb5514265812c67

    SHA1

    daa5404df21afc0cbfc126b9544fa68f3833e3f8

    SHA256

    9fe5fb74600e204a4739a0ed262f16ab6c7eb9f970f61d6315a8e5010f9bc3d4

    SHA512

    aa7478af047621b9f6d828356a20905f46a520cf364bc639ff0c21b5e9ae8eb29d5edcb2dd00c4dc327ca5348868d754c7068aff132d27d21e606e3ff821f9b6

  • C:\Users\Admin\AppData\Roaming\VC_redistx64.exe

    Filesize

    2.9MB

    MD5

    507acc8f3249adef7468989fee931211

    SHA1

    4d66286973a21e76b0e2c746bac00fa28d446ca9

    SHA256

    6abb77dce6d4af42005e673cb089b6d41e0ef0b88a6411f4d5dfd8e8b4858154

    SHA512

    2faee963523b401bf1e588c86bfeef899067456f22848d299525acde5d2ce28a66f769d741deea2e6b218b4e1b0c0f7f4cc08cfc1c2fd8eac5375b3c183b7ee3

  • C:\Users\Admin\AppData\Roaming\gWsmPty.exe

    Filesize

    322KB

    MD5

    c57f035e099bfe7f8d56917a22266dc9

    SHA1

    88a4ab3cef2b3d293b6d94b8d5b38298d1ec6d87

    SHA256

    d075bbba29912ff7a321ee5dcb32159b9de8e27e716a1aad9ed52bb9d9ccc4a3

    SHA512

    836f345be084eeaef97144faa845a697f3c40a5f643088ee355d71cbedac23506c4d53267220bfa467872e850faebbc5a3919fbeb5628534619d39fbcbf1e1e4

  • memory/1364-21-0x0000000000400000-0x0000000000B78000-memory.dmp

    Filesize

    7.5MB

  • memory/1364-24-0x0000000000400000-0x0000000000B78000-memory.dmp

    Filesize

    7.5MB

  • memory/1364-31-0x0000000000400000-0x0000000000B78000-memory.dmp

    Filesize

    7.5MB

  • memory/1364-22-0x00000000779E0000-0x00000000779E2000-memory.dmp

    Filesize

    8KB

  • memory/1364-23-0x0000000000400000-0x0000000000B78000-memory.dmp

    Filesize

    7.5MB

  • memory/2188-0-0x000007FEF6853000-0x000007FEF6854000-memory.dmp

    Filesize

    4KB

  • memory/2188-4-0x000000001BAC0000-0x000000001C154000-memory.dmp

    Filesize

    6.6MB

  • memory/2188-2-0x0000000000140000-0x0000000000146000-memory.dmp

    Filesize

    24KB

  • memory/2188-1-0x0000000001350000-0x0000000001A0A000-memory.dmp

    Filesize

    6.7MB

  • memory/2188-3-0x000007FEF6850000-0x000007FEF723C000-memory.dmp

    Filesize

    9.9MB

  • memory/2188-28-0x000007FEF6850000-0x000007FEF723C000-memory.dmp

    Filesize

    9.9MB

  • memory/2188-5-0x0000000000150000-0x0000000000156000-memory.dmp

    Filesize

    24KB

  • memory/2608-30-0x00000000002E0000-0x0000000000632000-memory.dmp

    Filesize

    3.3MB

  • memory/2860-15-0x0000000000B00000-0x0000000000D63000-memory.dmp

    Filesize

    2.4MB

  • memory/2860-42-0x0000000000B00000-0x0000000000D63000-memory.dmp

    Filesize

    2.4MB