Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
141s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
03/12/2024, 02:50
Static task
static1
Behavioral task
behavioral1
Sample
aca540b3ad20e1fd49ec550107eff0c164990de1067a9542daf615465f82c331.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
aca540b3ad20e1fd49ec550107eff0c164990de1067a9542daf615465f82c331.exe
Resource
win10v2004-20241007-en
General
-
Target
aca540b3ad20e1fd49ec550107eff0c164990de1067a9542daf615465f82c331.exe
-
Size
765KB
-
MD5
5205be9a501dae770c6e557b5fdaeebc
-
SHA1
a8a34796e05ac4ff1a0b92bdbbaedc01e8cedfa5
-
SHA256
aca540b3ad20e1fd49ec550107eff0c164990de1067a9542daf615465f82c331
-
SHA512
e7177c8f6562363751dedf374195ed0c59ba478530ba58e2428a62ba40fbae73c9dc9f55cdf8890779a9a848c53d6fedd7bdb9658e995df7331d8eea6a05170d
-
SSDEEP
12288:LXNrylgwbJqMBSlxaZmvB008Jz1vakTLAJnElBaSP6XQ2lfix4phRDiaZEAmD:MgwkMYxcmUzgkTL2FSPd2ExQhJ
Malware Config
Extracted
Protocol: smtp- Host:
mail.britishcrowncourt.net - Port:
587 - Username:
[email protected] - Password:
@Hustle007ky1
Signatures
-
Hawkeye family
-
Detected Nirsoft tools 11 IoCs
Free utilities often used by attackers which can steal passwords, product keys, etc.
resource yara_rule behavioral1/memory/1904-7-0x0000000000400000-0x0000000000494000-memory.dmp Nirsoft behavioral1/memory/1904-10-0x0000000000400000-0x0000000000494000-memory.dmp Nirsoft behavioral1/memory/1904-6-0x0000000000400000-0x0000000000494000-memory.dmp Nirsoft behavioral1/memory/1904-14-0x0000000000400000-0x0000000000494000-memory.dmp Nirsoft behavioral1/memory/1904-12-0x0000000000400000-0x0000000000494000-memory.dmp Nirsoft behavioral1/memory/1700-52-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft behavioral1/memory/1700-53-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft behavioral1/memory/1700-54-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft behavioral1/memory/2648-56-0x0000000000400000-0x0000000000458000-memory.dmp Nirsoft behavioral1/memory/2648-55-0x0000000000400000-0x0000000000458000-memory.dmp Nirsoft behavioral1/memory/2648-63-0x0000000000400000-0x0000000000458000-memory.dmp Nirsoft -
NirSoft MailPassView 8 IoCs
Password recovery tool for various email clients
resource yara_rule behavioral1/memory/1904-7-0x0000000000400000-0x0000000000494000-memory.dmp MailPassView behavioral1/memory/1904-10-0x0000000000400000-0x0000000000494000-memory.dmp MailPassView behavioral1/memory/1904-6-0x0000000000400000-0x0000000000494000-memory.dmp MailPassView behavioral1/memory/1904-14-0x0000000000400000-0x0000000000494000-memory.dmp MailPassView behavioral1/memory/1904-12-0x0000000000400000-0x0000000000494000-memory.dmp MailPassView behavioral1/memory/1700-52-0x0000000000400000-0x000000000041B000-memory.dmp MailPassView behavioral1/memory/1700-53-0x0000000000400000-0x000000000041B000-memory.dmp MailPassView behavioral1/memory/1700-54-0x0000000000400000-0x000000000041B000-memory.dmp MailPassView -
NirSoft WebBrowserPassView 8 IoCs
Password recovery tool for various web browsers
resource yara_rule behavioral1/memory/1904-7-0x0000000000400000-0x0000000000494000-memory.dmp WebBrowserPassView behavioral1/memory/1904-10-0x0000000000400000-0x0000000000494000-memory.dmp WebBrowserPassView behavioral1/memory/1904-6-0x0000000000400000-0x0000000000494000-memory.dmp WebBrowserPassView behavioral1/memory/1904-14-0x0000000000400000-0x0000000000494000-memory.dmp WebBrowserPassView behavioral1/memory/1904-12-0x0000000000400000-0x0000000000494000-memory.dmp WebBrowserPassView behavioral1/memory/2648-56-0x0000000000400000-0x0000000000458000-memory.dmp WebBrowserPassView behavioral1/memory/2648-55-0x0000000000400000-0x0000000000458000-memory.dmp WebBrowserPassView behavioral1/memory/2648-63-0x0000000000400000-0x0000000000458000-memory.dmp WebBrowserPassView -
Executes dropped EXE 2 IoCs
pid Process 2708 Windows Update.exe 2788 Windows Update.exe -
Loads dropped DLL 2 IoCs
pid Process 1904 aca540b3ad20e1fd49ec550107eff0c164990de1067a9542daf615465f82c331.exe 2708 Windows Update.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Uses the VBS compiler for execution 1 TTPs
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts vbc.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe" Windows Update.exe -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 4 whatismyipaddress.com 6 whatismyipaddress.com -
Suspicious use of SetThreadContext 4 IoCs
description pid Process procid_target PID 2360 set thread context of 1904 2360 aca540b3ad20e1fd49ec550107eff0c164990de1067a9542daf615465f82c331.exe 31 PID 2708 set thread context of 2788 2708 Windows Update.exe 33 PID 2788 set thread context of 1700 2788 Windows Update.exe 35 PID 2788 set thread context of 2648 2788 Windows Update.exe 36 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language aca540b3ad20e1fd49ec550107eff0c164990de1067a9542daf615465f82c331.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language aca540b3ad20e1fd49ec550107eff0c164990de1067a9542daf615465f82c331.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Windows Update.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Windows Update.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2788 Windows Update.exe 2788 Windows Update.exe 2788 Windows Update.exe 2788 Windows Update.exe 2788 Windows Update.exe 2788 Windows Update.exe 2788 Windows Update.exe 2788 Windows Update.exe 2788 Windows Update.exe 2788 Windows Update.exe 2788 Windows Update.exe 2788 Windows Update.exe 2788 Windows Update.exe 2788 Windows Update.exe 2788 Windows Update.exe 2788 Windows Update.exe 2788 Windows Update.exe 2788 Windows Update.exe 2788 Windows Update.exe 2788 Windows Update.exe 2788 Windows Update.exe 2788 Windows Update.exe 2788 Windows Update.exe 2788 Windows Update.exe 2788 Windows Update.exe 2788 Windows Update.exe 2788 Windows Update.exe 2788 Windows Update.exe 2788 Windows Update.exe 2788 Windows Update.exe 2788 Windows Update.exe 2788 Windows Update.exe 2788 Windows Update.exe 2788 Windows Update.exe 2788 Windows Update.exe 2788 Windows Update.exe 2788 Windows Update.exe 2788 Windows Update.exe 2788 Windows Update.exe 2788 Windows Update.exe 2788 Windows Update.exe 2788 Windows Update.exe 2788 Windows Update.exe 2788 Windows Update.exe 2788 Windows Update.exe 2788 Windows Update.exe 2788 Windows Update.exe 2788 Windows Update.exe 2788 Windows Update.exe 2788 Windows Update.exe 2788 Windows Update.exe 2788 Windows Update.exe 2788 Windows Update.exe 2788 Windows Update.exe 2788 Windows Update.exe 2788 Windows Update.exe 2788 Windows Update.exe 2788 Windows Update.exe 2788 Windows Update.exe 2788 Windows Update.exe 2788 Windows Update.exe 2788 Windows Update.exe 2788 Windows Update.exe 2788 Windows Update.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2788 Windows Update.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2788 Windows Update.exe -
Suspicious use of WriteProcessMemory 48 IoCs
description pid Process procid_target PID 2360 wrote to memory of 1904 2360 aca540b3ad20e1fd49ec550107eff0c164990de1067a9542daf615465f82c331.exe 31 PID 2360 wrote to memory of 1904 2360 aca540b3ad20e1fd49ec550107eff0c164990de1067a9542daf615465f82c331.exe 31 PID 2360 wrote to memory of 1904 2360 aca540b3ad20e1fd49ec550107eff0c164990de1067a9542daf615465f82c331.exe 31 PID 2360 wrote to memory of 1904 2360 aca540b3ad20e1fd49ec550107eff0c164990de1067a9542daf615465f82c331.exe 31 PID 2360 wrote to memory of 1904 2360 aca540b3ad20e1fd49ec550107eff0c164990de1067a9542daf615465f82c331.exe 31 PID 2360 wrote to memory of 1904 2360 aca540b3ad20e1fd49ec550107eff0c164990de1067a9542daf615465f82c331.exe 31 PID 2360 wrote to memory of 1904 2360 aca540b3ad20e1fd49ec550107eff0c164990de1067a9542daf615465f82c331.exe 31 PID 2360 wrote to memory of 1904 2360 aca540b3ad20e1fd49ec550107eff0c164990de1067a9542daf615465f82c331.exe 31 PID 2360 wrote to memory of 1904 2360 aca540b3ad20e1fd49ec550107eff0c164990de1067a9542daf615465f82c331.exe 31 PID 1904 wrote to memory of 2708 1904 aca540b3ad20e1fd49ec550107eff0c164990de1067a9542daf615465f82c331.exe 32 PID 1904 wrote to memory of 2708 1904 aca540b3ad20e1fd49ec550107eff0c164990de1067a9542daf615465f82c331.exe 32 PID 1904 wrote to memory of 2708 1904 aca540b3ad20e1fd49ec550107eff0c164990de1067a9542daf615465f82c331.exe 32 PID 1904 wrote to memory of 2708 1904 aca540b3ad20e1fd49ec550107eff0c164990de1067a9542daf615465f82c331.exe 32 PID 1904 wrote to memory of 2708 1904 aca540b3ad20e1fd49ec550107eff0c164990de1067a9542daf615465f82c331.exe 32 PID 1904 wrote to memory of 2708 1904 aca540b3ad20e1fd49ec550107eff0c164990de1067a9542daf615465f82c331.exe 32 PID 1904 wrote to memory of 2708 1904 aca540b3ad20e1fd49ec550107eff0c164990de1067a9542daf615465f82c331.exe 32 PID 2708 wrote to memory of 2788 2708 Windows Update.exe 33 PID 2708 wrote to memory of 2788 2708 Windows Update.exe 33 PID 2708 wrote to memory of 2788 2708 Windows Update.exe 33 PID 2708 wrote to memory of 2788 2708 Windows Update.exe 33 PID 2708 wrote to memory of 2788 2708 Windows Update.exe 33 PID 2708 wrote to memory of 2788 2708 Windows Update.exe 33 PID 2708 wrote to memory of 2788 2708 Windows Update.exe 33 PID 2708 wrote to memory of 2788 2708 Windows Update.exe 33 PID 2708 wrote to memory of 2788 2708 Windows Update.exe 33 PID 2708 wrote to memory of 2788 2708 Windows Update.exe 33 PID 2708 wrote to memory of 2788 2708 Windows Update.exe 33 PID 2708 wrote to memory of 2788 2708 Windows Update.exe 33 PID 2788 wrote to memory of 1700 2788 Windows Update.exe 35 PID 2788 wrote to memory of 1700 2788 Windows Update.exe 35 PID 2788 wrote to memory of 1700 2788 Windows Update.exe 35 PID 2788 wrote to memory of 1700 2788 Windows Update.exe 35 PID 2788 wrote to memory of 1700 2788 Windows Update.exe 35 PID 2788 wrote to memory of 1700 2788 Windows Update.exe 35 PID 2788 wrote to memory of 1700 2788 Windows Update.exe 35 PID 2788 wrote to memory of 1700 2788 Windows Update.exe 35 PID 2788 wrote to memory of 1700 2788 Windows Update.exe 35 PID 2788 wrote to memory of 1700 2788 Windows Update.exe 35 PID 2788 wrote to memory of 2648 2788 Windows Update.exe 36 PID 2788 wrote to memory of 2648 2788 Windows Update.exe 36 PID 2788 wrote to memory of 2648 2788 Windows Update.exe 36 PID 2788 wrote to memory of 2648 2788 Windows Update.exe 36 PID 2788 wrote to memory of 2648 2788 Windows Update.exe 36 PID 2788 wrote to memory of 2648 2788 Windows Update.exe 36 PID 2788 wrote to memory of 2648 2788 Windows Update.exe 36 PID 2788 wrote to memory of 2648 2788 Windows Update.exe 36 PID 2788 wrote to memory of 2648 2788 Windows Update.exe 36 PID 2788 wrote to memory of 2648 2788 Windows Update.exe 36
Processes
-
C:\Users\Admin\AppData\Local\Temp\aca540b3ad20e1fd49ec550107eff0c164990de1067a9542daf615465f82c331.exe"C:\Users\Admin\AppData\Local\Temp\aca540b3ad20e1fd49ec550107eff0c164990de1067a9542daf615465f82c331.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2360 -
C:\Users\Admin\AppData\Local\Temp\aca540b3ad20e1fd49ec550107eff0c164990de1067a9542daf615465f82c331.exe"C:\Users\Admin\AppData\Local\Temp\aca540b3ad20e1fd49ec550107eff0c164990de1067a9542daf615465f82c331.exe"2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1904 -
C:\Users\Admin\AppData\Roaming\Windows Update.exe"C:\Users\Admin\AppData\Roaming\Windows Update.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2708 -
C:\Users\Admin\AppData\Roaming\Windows Update.exe"C:\Users\Admin\AppData\Roaming\Windows Update.exe"4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2788 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"5⤵
- Accesses Microsoft Outlook accounts
- System Location Discovery: System Language Discovery
PID:1700
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"5⤵
- System Location Discovery: System Language Discovery
PID:2648
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
102B
MD52715bcbe51c308593298c65e5494b1f9
SHA114f0592ae00704ff4cbbf27634a6c1036de7b6a1
SHA256cdf881969a8102ce1ac5e237487d99c977de044aa756ab493dbe6d98090c74e9
SHA512b03d2fe5c5bf1004e1aac95f543ef2f02cebde8e93232326a1a34f47fdfd4512168d4e9b3963a7d833cf68895a839acdac01bff2020252400218f8f05972369d
-
Filesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
Filesize
765KB
MD55205be9a501dae770c6e557b5fdaeebc
SHA1a8a34796e05ac4ff1a0b92bdbbaedc01e8cedfa5
SHA256aca540b3ad20e1fd49ec550107eff0c164990de1067a9542daf615465f82c331
SHA512e7177c8f6562363751dedf374195ed0c59ba478530ba58e2428a62ba40fbae73c9dc9f55cdf8890779a9a848c53d6fedd7bdb9658e995df7331d8eea6a05170d