Analysis
- max time kernel: 146s
- max time network: 114s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 15/10/2024, 15:01
Tasks
- Static task: static1
- Behavioral task: behavioral1 (Sample: Qaovmgmn.exe, Resource: win7-20240903-en)
- Behavioral task: behavioral2 (Sample: Qaovmgmn.exe, Resource: win10v2004-20241007-en)
General
- Target: Qaovmgmn.exe
- Size: 1.1MB
- MD5: 2fcc31707bfa6f3b9a82ef482e81f08f
- SHA1: f820b95c7e9d10d951c3d48c2b491b64ed274534
- SHA256: 6d56700e490fbb082d3ff3fbde1bdb8404c0dd033e05a0e6b63d649bb06b03c0
- SHA512: 1cfa47e1a602467386b11f86a67252046cad119f378c2f09362efe60c7a9ce8e6ba26dd452d87e9dd6f7c1de00682a986495f4ec3708c15440441592a65fcbb9
- SSDEEP: 24576:Pt4rexG2D35fmUw5UpCZI3M3xr7KT8LwcCouwvxA688j:V4rexG2D3nw6pCZyMhvKrrTQxAl8j
Malware Config
- Extracted family: snakekeylogger
  https://api.telegram.org/bot7733918918:AAEtGoUvhJXT-4wtbogjQ__0KDlSf2pw6MQ/sendMessage?chat_id=7969902771
Signatures
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
- Snake Keylogger payload (1 IoC)
  resource: behavioral2/memory/5428-1095-0x0000000140000000-0x0000000140024000-memory.dmp
  yara_rule: family_snakekeylogger
- Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
  description: PID 1968 created 3512 | pid: 1968 | process: Qaovmgmn.exe | procid_target: 56
- Drops startup file (1 IoC)
  description: File created | ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IsAbstract.vbs | process: Qaovmgmn.exe
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  description: Key opened | ioc: \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | process: MSBuild.exe
  description: Key opened | ioc: \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | process: MSBuild.exe
  description: Key opened | ioc: \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | process: MSBuild.exe
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow: 8 | ioc: checkip.dyndns.org
- Suspicious use of SetThreadContext (1 IoC)
  description: PID 1968 set thread context of 5428 | pid: 1968 | process: Qaovmgmn.exe | procid_target: 84
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid: 1968 | process: Qaovmgmn.exe
  pid: 5428 | process: MSBuild.exe
  pid: 5428 | process: MSBuild.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description: Token: SeDebugPrivilege | pid: 1968 | process: Qaovmgmn.exe
  description: Token: SeDebugPrivilege | pid: 1968 | process: Qaovmgmn.exe
  description: Token: SeDebugPrivilege | pid: 5428 | process: MSBuild.exe
- Suspicious use of WriteProcessMemory (6 IoCs, all identical)
  description: PID 1968 wrote to memory of 5428 | pid: 1968 | process: Qaovmgmn.exe | procid_target: 84
- outlook_office_path (1 IoC)
  description: Key opened | ioc: \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | process: MSBuild.exe
- outlook_win_path (1 IoC)
  description: Key opened | ioc: \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | process: MSBuild.exe
Processes
- [1] C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  PID: 3512
  - [2] C:\Users\Admin\AppData\Local\Temp\Qaovmgmn.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\Qaovmgmn.exe"
    PID: 1968
    signatures:
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Drops startup file
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
    command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
    PID: 5428
    signatures:
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path