Analysis
- max time kernel: 441s
- max time network: 443s
- platform: windows10-ltsc 2021_x64
- resource: win10ltsc2021-20241023-en
- resource tags: arch:x64, arch:x86, image:win10ltsc2021-20241023-en, locale:en-us, os:windows10-ltsc 2021-x64, system
- submitted: 04/12/2024, 09:28
Static task: static1

Behavioral task: behavioral1
- Sample: Obekräftade 974555.zip
- Resource: win10ltsc2021-20241023-en

Behavioral task: behavioral2
- Sample: naive-stealer-main/Naive Builder.bat
- Resource: win10ltsc2021-20241023-en
General
- Target: Obekräftade 974555.zip
- Size: 8.9MB
- MD5: 77bd329d9e4ce7dc9c2b31b3833a6ca0
- SHA1: 46f6df3fbfdb6359260c4d21e907aa158478be6f
- SHA256: cf00bf0d9259ac2976f1eae1a5f2af6306ccaf38d5b4643c0a852b6887073f74
- SHA512: b57f24bf82a3fa4c0e7820aa50680f4fa496c741a9c9a2a4ab56f6188a51fc6c325fd439f4f4c683d36115f4aab026176714a75942e543e9919bc10c2c5b510b
- SSDEEP: 196608:19be0rX+BaOcbGQgp7RyMp2Ca2l3F+eCwMp7IDQkc11rwzjAeYEl3tTkkqm/:DrOJpRyMpjlVWw4IDPjtTdn
Malware Config
Signatures
- Drops file in Windows directory (3 IoCs)
  description                    ioc                                         Process
  File created                   C:\Windows\$sxr-seroxen2\$sxr-Uni.bat       cmd.exe
  File opened for modification   C:\Windows\$sxr-seroxen2\$sxr-Uni.bat       cmd.exe
  File opened for modification   C:\Windows\$sxr-seroxen2\$sxr-Uni.bat       cmd.exe
- Modifies registry class (1 IoC)
  description    ioc                                                                                       Process
  Key created    \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings       OpenWith.exe
- Runs net.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description                   pid     Process
  Token: SeRestorePrivilege     1948    7zFM.exe
  Token: 35                     1948    7zFM.exe
  Token: SeSecurityPrivilege    1948    7zFM.exe
- Suspicious use of FindShellTrayWindow (2 IoCs)
  pid     Process
  1948    7zFM.exe
  1948    7zFM.exe
- Suspicious use of SetWindowsHookEx (19 IoCs)
  pid     Process
  2780    OpenWith.exe (19 identical entries)
- Suspicious use of WriteProcessMemory (10 IoCs; each event is recorded twice)
  description                          pid     Process         procid_target
  PID 4176 wrote to memory of 4948     4176    cmd.exe         96
  PID 4948 wrote to memory of 544      4948    net.exe         97
  PID 2780 wrote to memory of 3596     2780    OpenWith.exe    101
  PID 2944 wrote to memory of 2380     2944    cmd.exe         104
  PID 2380 wrote to memory of 1332     2380    net.exe         105
Processes
- C:\Program Files\7-Zip\7zFM.exe
  Command line: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Obekräftade 974555.zip"
  PID: 1948
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 1220
- C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\naive-stealer-main\Naive Builder.bat" "
  PID: 4176
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\net.exe
    Command line: net session
    PID: 4948
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 session
      PID: 544
- C:\Windows\System32\NOTEPAD.EXE
  Command line: "C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\naive-stealer-main\Naive Builder.bat
  PID: 2232
- C:\Windows\system32\OpenWith.exe
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  PID: 2780
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\NOTEPAD.EXE
    Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\naive-stealer-main\README.md
    PID: 3596
- C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\naive-stealer-main\Naive Builder.bat"
  PID: 2944
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\net.exe
    Command line: net session
    PID: 2380
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 session
      PID: 1332
Downloads
- Filesize: 12.8MB
  MD5: a2e3e4286e8b22b3b021a6706b899dd7
  SHA1: e6179204735421c3927f27c13f9751af1dce9bd2
  SHA256: efd80dd8487437f58413be6e7d2da6ea866ae7626b3225dbf326e8c82c85e580
  SHA512: 3ff5d19accd1fa6765ffc3554bb9cfe3989eee4cf226c2ce7abbaff47a1586253ab1b408f4f9e47611ea7d2415f3298b12dfada1d1987d43c2efa16aac11e3e8
- Filesize: 1KB
  MD5: 1359f5214b66eb6d45b05023be0c8453
  SHA1: 58a04b4e238b9d3a4d627197dc84e14d2fbe3c86
  SHA256: ee4c0d1aba68cad90e3f910b4269dd31a136c9d88243c5d5f837029d33afded6
  SHA512: e24fb6e0b413ecfc94cfc3a43d2d7055bd3de666b46860a47ada4379070e5c741e48a9fd2a9fafa0a6aa08ed70f17f4c283fbe88e7edb43d45b3db02a7661eba