Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 121s
max time network: 134s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64 arch:x86 image:win7-20240704-en locale:en-us os:windows7-x64 system
submitted: 10/10/2024, 02:15

Static task: static1
Behavioral task: behavioral1
Sample: c2785c5668377424e7d8382d5f16de0d07eda9c394f23bf6c698b4627925c154.exe
Resource: win7-20240704-en
Behavioral task: behavioral2
Sample: c2785c5668377424e7d8382d5f16de0d07eda9c394f23bf6c698b4627925c154.exe
Resource: win10v2004-20241007-en
General
Target: c2785c5668377424e7d8382d5f16de0d07eda9c394f23bf6c698b4627925c154.exe
Size: 1.2MB
MD5: c70b9019ad3bef9b820d658aa8cde813
SHA1: 3863990d0e827fa3487ae4a5aab5c7162b7565f3
SHA256: c2785c5668377424e7d8382d5f16de0d07eda9c394f23bf6c698b4627925c154
SHA512: 1e3d180d7ba5a8f9e0a47b2d3ed81d28b9d773120171ee0b22d49b055c2307dddf279080f474a28ffd889084afc7270be873d1f52c235068f0253f1a0330d62e
SSDEEP: 24576:GAHnh+eWsN3skA4RV1Hom2KXMmHav571Umq1sNso5:hh+ZkldoPK8YahhZq29
Malware Config
Extracted
family: vipkeylogger
Telegram Bot API URL (exfiltration channel): https://api.telegram.org/bot7453999531:AAHcCXOdvbDJaILEpGPNgNPm4mcYsRwgAYI/sendMessage?chat_id=6200738063
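The extracted configuration is a single Telegram Bot API URL; everything an analyst needs to report or hunt on (bot id, bot token, destination chat id) is embedded in it. The following added example, which is not part of the sandbox report, splits that URL into its fields and then runs the resulting indicators over a constructed proxy log, also flagging the checkip.dyndns.org external-IP lookup the report lists under Signatures. The log lines, the client addresses, the second (fake) bot token and the extra IP-lookup hosts beyond checkip.dyndns.org are assumptions made for the demonstration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Exfiltration URL exactly as the sandbox extracted it (Malware Config above).
EXTRACTED_URL = ("https://api.telegram.org/bot7453999531:AAHcCXOdvbDJaILEpGPNgNPm4mcYsRwgAYI"
                 "/sendMessage?chat_id=6200738063")

# Telegram Bot API paths look like /bot<bot_id>:<secret>/<method>.
TELEGRAM_BOT_RE = re.compile(r"/bot(\d+):([A-Za-z0-9_-]+)/(\w+)")

# checkip.dyndns.org is the host observed in the report; the other three are
# common equivalents added here as an assumption for broader hunting.
IP_LOOKUP_HOSTS = {"checkip.dyndns.org", "checkip.amazonaws.com", "api.ipify.org", "icanhazip.com"}


def parse_telegram_config(url):
    """Split a Telegram Bot API exfil URL into the fields an analyst reports:
    bot id, full bot token, API method and destination chat id."""
    parts = urlsplit(url)
    m = TELEGRAM_BOT_RE.search(parts.path)
    if parts.netloc.lower() != "api.telegram.org" or not m:
        return None
    bot_id, secret, method = m.groups()
    chat_id = parse_qs(parts.query).get("chat_id", [None])[0]
    return {"bot_id": bot_id, "token": f"{bot_id}:{secret}", "method": method, "chat_id": chat_id}


# Constructed proxy log (not from the report): timestamp client method host path
SAMPLE_PROXY_LOG = """\
2024-10-10T02:16:01Z 10.0.0.23 GET checkip.dyndns.org /
2024-10-10T02:16:02Z 10.0.0.23 GET www.microsoft.com /
2024-10-10T02:16:40Z 10.0.0.23 POST api.telegram.org /bot7453999531:AAHcCXOdvbDJaILEpGPNgNPm4mcYsRwgAYI/sendMessage
2024-10-10T02:17:00Z 10.0.0.41 GET api.telegram.org /bot1111111111:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/getMe
"""


def hunt_proxy_log(log_text, known_token=None):
    """Return {client: set(reasons)} for clients touching the report's network IoCs.
    Any Bot API call from a workstation is worth a look; the extracted token
    upgrades it to a confirmed match with this sample's configuration."""
    hits = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, _method, host, path = line.split(maxsplit=4)
        reasons = hits.setdefault(client, set())
        if host.lower() in IP_LOOKUP_HOSTS:
            reasons.add("external_ip_lookup")
        if host.lower() == "api.telegram.org":
            m = TELEGRAM_BOT_RE.search(path)
            if m:
                reasons.add("telegram_bot_api")
                if known_token and f"{m.group(1)}:{m.group(2)}" == known_token:
                    reasons.add("known_c2_token")
    # Drop clients that only produced benign traffic.
    return {c: r for c, r in hits.items() if r}


if __name__ == "__main__":
    cfg = parse_telegram_config(EXTRACTED_URL)
    print(cfg)
    for client, why in hunt_proxy_log(SAMPLE_PROXY_LOG, cfg["token"]).items():
        print(client, sorted(why))
```

A client that performs an external-IP lookup and then posts to a bot endpoint within a short window is the keylogger's first beacon; blocking api.telegram.org at the proxy for hosts that have no business reason to use it is the cheapest preventive control, since the bot token cannot be rotated by the defender.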
Signatures

VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first seen in 2020.

Drops startup file (1 IoC)
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs (process: name.exe)

Executes dropped EXE (1 IoC)
PID 1320: name.exe

Loads dropped DLL (1 IoC)
PID 1660: c2785c5668377424e7d8382d5f16de0d07eda9c394f23bf6c698b4627925c154.exe

Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
Key opened: \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: RegSvcs.exe)
Key opened: \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: RegSvcs.exe)
Key opened: \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: RegSvcs.exe)

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Flow 4: checkip.dyndns.org

AutoIT Executable (1 IoC)
AutoIT scripts compiled to PE executables.
Resource behavioral1/files/0x0008000000015d4c-7.dat matched YARA rule autoit_exe

Suspicious use of SetThreadContext (1 IoC)
PID 1320 (name.exe) set thread context of PID 2360 (procid_target 29)

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: name.exe)
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: RegSvcs.exe)
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: c2785c5668377424e7d8382d5f16de0d07eda9c394f23bf6c698b4627925c154.exe)

Suspicious behavior: EnumeratesProcesses (2 IoCs)
PID 2360: RegSvcs.exe (2 events)

Suspicious behavior: MapViewOfSection (1 IoC)
PID 1320: name.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Token: SeDebugPrivilege, PID 2360 (RegSvcs.exe)

Suspicious use of FindShellTrayWindow (4 IoCs)
PID 1660: c2785c5668377424e7d8382d5f16de0d07eda9c394f23bf6c698b4627925c154.exe (2 events)
PID 1320: name.exe (2 events)

Suspicious use of SendNotifyMessage (4 IoCs)
PID 1660: c2785c5668377424e7d8382d5f16de0d07eda9c394f23bf6c698b4627925c154.exe (2 events)
PID 1320: name.exe (2 events)

Suspicious use of WriteProcessMemory (12 IoCs)
PID 1660 (c2785c5668377424e7d8382d5f16de0d07eda9c394f23bf6c698b4627925c154.exe) wrote to memory of PID 1320 (procid_target 28): 4 events
PID 1320 (name.exe) wrote to memory of PID 2360 (procid_target 29): 8 events

outlook_office_path (1 IoC)
Key opened: \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: RegSvcs.exe)

outlook_win_path (1 IoC)
Key opened: \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: RegSvcs.exe)
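Two of the signatures above are the ones worth turning into endpoint detections: the .vbs dropped into the user's Startup folder (persistence) and the Outlook profile keys opened by RegSvcs.exe (credential access by a process that is not a mail client). The following added example, not part of the report, runs both rules over constructed Sysmon-style file-create and registry-open events built from the report's IoCs plus two benign control events. The event field names, the benign events, the list of autorun extensions and the set of processes allowed to read Outlook profiles are assumptions; the report shows kernel-style \REGISTRY\USER\<SID> paths while Sysmon logs HKU\<SID>, so the rule matches on the tail of the key rather than its prefix.

```python
import ntpath
import re

# Constructed Sysmon-style events (field names are ours) reproducing the
# file-create and registry-open IoCs listed under Signatures, plus two benign controls.
SID = "S-1-5-21-3434294380-2554721341-1919518612-1000"
HKU = "\\REGISTRY\\USER\\" + SID
REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
PROFILE_TAIL = r"\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"
EVENTS = [
    {"type": "file_create", "pid": 1320,
     "image": r"C:\Users\Admin\AppData\Local\directory\name.exe",
     "target": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs"},
    {"type": "reg_open", "pid": 2360, "image": REGSVCS,
     "target": HKU + r"\Software\Microsoft\Office\16.0\Outlook" + PROFILE_TAIL},
    {"type": "reg_open", "pid": 2360, "image": REGSVCS,
     "target": HKU + r"\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem" + PROFILE_TAIL},
    # Benign controls (constructed): Outlook reading its own profile, Explorer saving a file.
    {"type": "reg_open", "pid": 4100,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "target": HKU + r"\Software\Microsoft\Office\16.0\Outlook" + PROFILE_TAIL},
    {"type": "file_create", "pid": 800, "image": r"C:\Windows\explorer.exe",
     "target": r"C:\Users\Admin\Desktop\notes.txt"},
]

STARTUP_DIR_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
# Extensions that Explorer will execute from the Startup folder (assumption: extend as needed).
AUTORUN_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".bat", ".cmd", ".ps1", ".hta", ".lnk", ".exe"}
# Both Outlook profile locations seen in the report: Office\<ver>\Outlook\Profiles and
# the legacy Windows Messaging Subsystem\Profiles key.
OUTLOOK_PROFILE_RE = re.compile(
    r"\\(Office\\\d+\.\d+\\Outlook|Windows Messaging Subsystem)\\Profiles\\", re.I)
# Processes expected to touch profile keys (assumption).
MAIL_CLIENTS = {"outlook.exe"}


def detect(events):
    """Return (pid, rule, target) for startup-folder drops and Outlook profile
    reads by anything that is not a mail client."""
    alerts = []
    for e in events:
        proc = ntpath.basename(e["image"]).lower()
        target = e["target"]
        if e["type"] == "file_create" and STARTUP_DIR_RE.search(target):
            if ntpath.splitext(target)[1].lower() in AUTORUN_EXTS:
                alerts.append((e["pid"], "startup_folder_persistence", target))
        elif (e["type"] == "reg_open" and OUTLOOK_PROFILE_RE.search(target)
              and proc not in MAIL_CLIENTS):
            alerts.append((e["pid"], "outlook_profile_access", target))
    return alerts


def summarize(alerts):
    """Group alert PIDs by rule so each technique is reported once per process."""
    out = {}
    for pid, rule, _target in alerts:
        out.setdefault(rule, set()).add(pid)
    return out


if __name__ == "__main__":
    for rule, pids in summarize(detect(EVENTS)).items():
        print(rule, sorted(pids))
```

The profile-access rule is intentionally process-based rather than key-based: the 9375CFF0413111d3B88A00104B2A6676 subkey is the standard Outlook account-store key present on every host with an Outlook profile, so the key alone is not suspicious; a .NET framework utility reading it is.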
Processes

Depth 1: C:\Users\Admin\AppData\Local\Temp\c2785c5668377424e7d8382d5f16de0d07eda9c394f23bf6c698b4627925c154.exe (PID 1660)
command line: "C:\Users\Admin\AppData\Local\Temp\c2785c5668377424e7d8382d5f16de0d07eda9c394f23bf6c698b4627925c154.exe"
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory

Depth 2 (child of PID 1660): C:\Users\Admin\AppData\Local\directory\name.exe (PID 1320)
command line: "C:\Users\Admin\AppData\Local\Temp\c2785c5668377424e7d8382d5f16de0d07eda9c394f23bf6c698b4627925c154.exe"
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory

Depth 3 (child of PID 1320): C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (PID 2360)
command line: "C:\Users\Admin\AppData\Local\Temp\c2785c5668377424e7d8382d5f16de0d07eda9c394f23bf6c698b4627925c154.exe"
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
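The process tree shows the classic hollowing chain for this family: the AutoIt dropper writes name.exe, name.exe starts the .NET utility RegSvcs.exe, and the WriteProcessMemory and SetThreadContext signatures show the C# payload being written into that child and its entry point redirected. The tell that survives in plain process-creation telemetry is that RegSvcs.exe (and name.exe) run with a command line naming a different executable than their image path. The following added example, not part of the report, encodes the three processes and the SetThreadContext event from the report as records and applies the three checks a practitioner would want in a detection rule. The record field names, the list of .NET host binaries and the set of user-writable directories are assumptions.

```python
import ntpath
import re

# The three processes from the report's tree. Field names are ours (Sysmon EID 1
# style); pids, image paths and command lines are as the report lists them.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\c2785c5668377424e7d8382d5f16de0d07eda9c394f23bf6c698b4627925c154.exe"
PROCESSES = [
    {"pid": 1660, "ppid": 0, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 1320, "ppid": 1660,
     "image": r"C:\Users\Admin\AppData\Local\directory\name.exe", "cmdline": f'"{SAMPLE}"'},
    {"pid": 2360, "ppid": 1320,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe", "cmdline": f'"{SAMPLE}"'},
]
# From "Suspicious use of SetThreadContext": (source pid, target pid).
THREAD_CONTEXT_EVENTS = [(1320, 2360)]

# .NET framework utilities routinely used as hollowing hosts by C# stealers
# (assumption: RegSvcs.exe is the one observed here; the rest are common siblings).
DOTNET_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe",
                "applaunch.exe", "aspnet_compiler.exe"}
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.I)


def cmdline_image(cmdline):
    """Basename of the executable a command line claims to run."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        exe = s[1:end] if end > 0 else s[1:]
    else:
        exe = s.split(" ", 1)[0]
    return ntpath.basename(exe).lower()


def triage(processes, thread_ctx_events):
    """Return (pid, finding) pairs for the hollowing pattern in the report:
    image path and command line disagree, a .NET host is started by a parent
    living in a user-writable directory, and a thread context is rewritten
    inside that host."""
    by_pid = {p["pid"]: p for p in processes}
    findings = []
    for p in processes:
        name = ntpath.basename(p["image"]).lower()
        parent = by_pid.get(p["ppid"])
        if cmdline_image(p["cmdline"]) != name:
            findings.append((p["pid"], "image/cmdline mismatch"))
        if name in DOTNET_HOSTS and parent and USER_WRITABLE_RE.search(parent["image"]):
            findings.append((p["pid"], "dotnet host spawned from user-writable path"))
    for src, dst in thread_ctx_events:
        target = by_pid.get(dst)
        if target and ntpath.basename(target["image"]).lower() in DOTNET_HOSTS:
            findings.append((dst, f"SetThreadContext from pid {src}"))
    return findings


def hollowed_pids(findings, min_hits=2):
    """PIDs with at least min_hits independent findings: the likely hollowed host(s)."""
    counts = {}
    for pid, _ in findings:
        counts[pid] = counts.get(pid, 0) + 1
    return {pid for pid, n in counts.items() if n >= min_hits}


if __name__ == "__main__":
    found = triage(PROCESSES, THREAD_CONTEXT_EVENTS)
    for pid, why in found:
        print(pid, why)
    print("hollowed:", sorted(hollowed_pids(found)))
```

Requiring two independent findings before calling a process hollowed keeps a lone image/command-line mismatch (which some legitimate launchers also produce) from paging anyone, while PID 2360 here trips all three checks. On the responding host, the memory of that RegSvcs.exe process, not its on-disk image, is what carries the VIPKeylogger payload and the Telegram configuration.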
Downloads
Filesize: 1.2MB
MD5: c70b9019ad3bef9b820d658aa8cde813
SHA1: 3863990d0e827fa3487ae4a5aab5c7162b7565f3
SHA256: c2785c5668377424e7d8382d5f16de0d07eda9c394f23bf6c698b4627925c154
SHA512: 1e3d180d7ba5a8f9e0a47b2d3ed81d28b9d773120171ee0b22d49b055c2307dddf279080f474a28ffd889084afc7270be873d1f52c235068f0253f1a0330d62e