Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
120s -
max time network
105s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
20/10/2024, 15:38
Static task
static1
Behavioral task
behavioral1
Sample
9c9076bf7875c42873d4f1e05e11717b9313bfbb5cd947de24b59f8dda320d8bN.exe
Resource
win7-20240903-en
General
-
Target
9c9076bf7875c42873d4f1e05e11717b9313bfbb5cd947de24b59f8dda320d8bN.exe
-
Size
520KB
-
MD5
9a0ded7bd7eb2b4924980415aa0d91e0
-
SHA1
ba0be5ce193aeadcc66c5aa766644b093b5d369b
-
SHA256
9c9076bf7875c42873d4f1e05e11717b9313bfbb5cd947de24b59f8dda320d8b
-
SHA512
1be673310a0cbbf0d1f3187998aae3820e8fa23030b26e7bc40f74f8419c67b6b2b5ee01b53d6c6c8aa2be2e417f9c466d7333344171775f3b1fa5f043c7aae0
-
SSDEEP
6144:Euuqk0fhubS/QTjhUqBfxrwEnuNcSsm7IoYGW0VvBXCAt6kihwE+VDpJYWmlwnxE:vhuQtqB5urTIoYWBQk1E+VF9mOx9Ni
Malware Config
Extracted
Protocol: ftp- Host:
panel.freehosting.com - Port:
21 - Username:
modicala - Password:
e1tyrE419W
Signatures
-
Detected Nirsoft tools 9 IoCs
Free utilities often used by attackers which can steal passwords, product keys, etc.
resource yara_rule behavioral2/files/0x0008000000023cc5-9.dat Nirsoft behavioral2/memory/1832-25-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft behavioral2/memory/1832-27-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft behavioral2/memory/1832-28-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft behavioral2/memory/1832-31-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft behavioral2/memory/4388-34-0x0000000000400000-0x0000000000458000-memory.dmp Nirsoft behavioral2/memory/4388-36-0x0000000000400000-0x0000000000458000-memory.dmp Nirsoft behavioral2/memory/4388-37-0x0000000000400000-0x0000000000458000-memory.dmp Nirsoft behavioral2/memory/4388-45-0x0000000000400000-0x0000000000458000-memory.dmp Nirsoft -
NirSoft MailPassView 5 IoCs
Password recovery tool for various email clients
resource yara_rule behavioral2/files/0x0008000000023cc5-9.dat MailPassView behavioral2/memory/1832-25-0x0000000000400000-0x000000000041B000-memory.dmp MailPassView behavioral2/memory/1832-27-0x0000000000400000-0x000000000041B000-memory.dmp MailPassView behavioral2/memory/1832-28-0x0000000000400000-0x000000000041B000-memory.dmp MailPassView behavioral2/memory/1832-31-0x0000000000400000-0x000000000041B000-memory.dmp MailPassView -
NirSoft WebBrowserPassView 5 IoCs
Password recovery tool for various web browsers
resource yara_rule behavioral2/files/0x0008000000023cc5-9.dat WebBrowserPassView behavioral2/memory/4388-34-0x0000000000400000-0x0000000000458000-memory.dmp WebBrowserPassView behavioral2/memory/4388-36-0x0000000000400000-0x0000000000458000-memory.dmp WebBrowserPassView behavioral2/memory/4388-37-0x0000000000400000-0x0000000000458000-memory.dmp WebBrowserPassView behavioral2/memory/4388-45-0x0000000000400000-0x0000000000458000-memory.dmp WebBrowserPassView -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation 9c9076bf7875c42873d4f1e05e11717b9313bfbb5cd947de24b59f8dda320d8bN.exe -
Deletes itself 1 IoCs
pid Process 1456 Windows Update.exe -
Executes dropped EXE 1 IoCs
pid Process 1456 Windows Update.exe -
Uses the VBS compiler for execution 1 TTPs
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts vbc.exe -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 21 whatismyipaddress.com 25 whatismyipaddress.com -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 1456 set thread context of 1832 1456 Windows Update.exe 94 PID 1456 set thread context of 4388 1456 Windows Update.exe 102 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9c9076bf7875c42873d4f1e05e11717b9313bfbb5cd947de24b59f8dda320d8bN.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Windows Update.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1456 Windows Update.exe 1456 Windows Update.exe 1456 Windows Update.exe 1456 Windows Update.exe 1456 Windows Update.exe 1456 Windows Update.exe 1456 Windows Update.exe 1456 Windows Update.exe 1456 Windows Update.exe 1456 Windows Update.exe 1456 Windows Update.exe 1456 Windows Update.exe 1456 Windows Update.exe 1456 Windows Update.exe 1456 Windows Update.exe 1456 Windows Update.exe 1456 Windows Update.exe 1456 Windows Update.exe 1456 Windows Update.exe 1456 Windows Update.exe 1456 Windows Update.exe 1456 Windows Update.exe 1456 Windows Update.exe 1456 Windows Update.exe 1456 Windows Update.exe 1456 Windows Update.exe 1456 Windows Update.exe 1456 Windows Update.exe 1456 Windows Update.exe 1456 Windows Update.exe 1456 Windows Update.exe 1456 Windows Update.exe 1456 Windows Update.exe 1456 Windows Update.exe 1456 Windows Update.exe 1456 Windows Update.exe 1456 Windows Update.exe 1456 Windows Update.exe 1456 Windows Update.exe 1456 Windows Update.exe 1456 Windows Update.exe 1456 Windows Update.exe 1456 Windows Update.exe 1456 Windows Update.exe 1456 Windows Update.exe 1456 Windows Update.exe 1456 Windows Update.exe 1456 Windows Update.exe 1456 Windows Update.exe 1456 Windows Update.exe 1456 Windows Update.exe 1456 Windows Update.exe 1456 Windows Update.exe 1456 Windows Update.exe 1456 Windows Update.exe 1456 Windows Update.exe 1456 Windows Update.exe 1456 Windows Update.exe 1456 Windows Update.exe 1456 Windows Update.exe 1456 Windows Update.exe 1456 Windows Update.exe 1456 Windows Update.exe 1456 Windows Update.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1456 Windows Update.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 1456 Windows Update.exe -
Suspicious use of WriteProcessMemory 21 IoCs
description pid Process procid_target PID 1040 wrote to memory of 1456 1040 9c9076bf7875c42873d4f1e05e11717b9313bfbb5cd947de24b59f8dda320d8bN.exe 87 PID 1040 wrote to memory of 1456 1040 9c9076bf7875c42873d4f1e05e11717b9313bfbb5cd947de24b59f8dda320d8bN.exe 87 PID 1040 wrote to memory of 1456 1040 9c9076bf7875c42873d4f1e05e11717b9313bfbb5cd947de24b59f8dda320d8bN.exe 87 PID 1456 wrote to memory of 1832 1456 Windows Update.exe 94 PID 1456 wrote to memory of 1832 1456 Windows Update.exe 94 PID 1456 wrote to memory of 1832 1456 Windows Update.exe 94 PID 1456 wrote to memory of 1832 1456 Windows Update.exe 94 PID 1456 wrote to memory of 1832 1456 Windows Update.exe 94 PID 1456 wrote to memory of 1832 1456 Windows Update.exe 94 PID 1456 wrote to memory of 1832 1456 Windows Update.exe 94 PID 1456 wrote to memory of 1832 1456 Windows Update.exe 94 PID 1456 wrote to memory of 1832 1456 Windows Update.exe 94 PID 1456 wrote to memory of 4388 1456 Windows Update.exe 102 PID 1456 wrote to memory of 4388 1456 Windows Update.exe 102 PID 1456 wrote to memory of 4388 1456 Windows Update.exe 102 PID 1456 wrote to memory of 4388 1456 Windows Update.exe 102 PID 1456 wrote to memory of 4388 1456 Windows Update.exe 102 PID 1456 wrote to memory of 4388 1456 Windows Update.exe 102 PID 1456 wrote to memory of 4388 1456 Windows Update.exe 102 PID 1456 wrote to memory of 4388 1456 Windows Update.exe 102 PID 1456 wrote to memory of 4388 1456 Windows Update.exe 102
Processes
-
C:\Users\Admin\AppData\Local\Temp\9c9076bf7875c42873d4f1e05e11717b9313bfbb5cd947de24b59f8dda320d8bN.exe"C:\Users\Admin\AppData\Local\Temp\9c9076bf7875c42873d4f1e05e11717b9313bfbb5cd947de24b59f8dda320d8bN.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1040 -
C:\Users\Admin\AppData\Roaming\Windows Update.exe"C:\Users\Admin\AppData\Roaming\Windows Update.exe"2⤵
- Deletes itself
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1456 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"3⤵
- Accesses Microsoft Outlook accounts
- System Location Discovery: System Language Discovery
PID:1832
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"3⤵
- System Location Discovery: System Language Discovery
PID:4388
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
103B
MD580c074a64b8e3094867f890cef93ccf7
SHA15c074c927118e86a45b6e09dd95eb037fcd62780
SHA256c537cae98210bfc7ca0393147138f5fcb87419b817b65c793618d867d1385cbf
SHA512a4e5331542b4746aade7e3dd42bdb6a94eb7e2fa3cbdf9b2c0e1a77ed56e50b6826b0f624491ca2a9a5afd363c508d7a1b1aaed085bbfba209c25ad532167be1
-
Filesize
3KB
MD5f94dc819ca773f1e3cb27abbc9e7fa27
SHA19a7700efadc5ea09ab288544ef1e3cd876255086
SHA256a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92
SHA51272a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196
-
Filesize
520KB
MD59a0ded7bd7eb2b4924980415aa0d91e0
SHA1ba0be5ce193aeadcc66c5aa766644b093b5d369b
SHA2569c9076bf7875c42873d4f1e05e11717b9313bfbb5cd947de24b59f8dda320d8b
SHA5121be673310a0cbbf0d1f3187998aae3820e8fa23030b26e7bc40f74f8419c67b6b2b5ee01b53d6c6c8aa2be2e417f9c466d7333344171775f3b1fa5f043c7aae0