Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 149s
max time network: 150s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 25/12/2024, 17:14
Static task: static1
Behavioral task: behavioral1
  Sample: Identitiesx5991793179/launcher.bat
  Resource: win7-20240729-en
Behavioral task: behavioral2
  Sample: Identitiesx5991793179/launcher.bat
  Resource: win10v2004-20241007-en
Behavioral task: behavioral3
  Sample: Identitiesx5991793179/sendmailb2b.exe
  Resource: win7-20240903-en
General
Target: Identitiesx5991793179/sendmailb2b.exe
Size: 664KB
MD5: 635c619c6b7efe91d743774440076105
SHA1: c83c9541e3abc4fa4017665cafa3b6e78b3a5e4d
SHA256: 78adf9aebf778659b4f9c54f72152559d0ccb72e1e813379bc49c2172c6dacdb
SHA512: a6a895f887c9c290478a3cd6cc85fe5130737c9c8b4130e7630dc61a9375b3653936219d7e1884b86d74c56cf954c2d3de54574145bc32494f13e54158de55e6
SSDEEP: 12288:mO2zTVbVDiVLwE1zr6Thhl6uSciSjbdSTfNx98wX/hpUAbmjGtX8MLnQh4sJ:mO2ztPhG/bocbQh4u
Malware Config
Extracted: trickbot
2000011
mor130
131.153.22.145:443
62.108.35.29:443
45.89.127.118:443
185.99.2.123:443
62.108.35.36:443
45.89.127.119:443
51.77.112.255:443
194.5.249.216:443
185.99.2.160:443
80.85.156.116:443
86.104.194.102:443
37.220.6.115:443
autorunName: pwgrab
Signatures
- Trickbot family
- System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description   ioc                                                          Process
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  sendmailb2b.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  2716  wermgr.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid   Process
  2340  sendmailb2b.exe
  2340  sendmailb2b.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description                       pid   Process          procid_target
  PID 2340 wrote to memory of 2716  2340  sendmailb2b.exe  31
  PID 2340 wrote to memory of 2716  2340  sendmailb2b.exe  31
  PID 2340 wrote to memory of 2716  2340  sendmailb2b.exe  31
  PID 2340 wrote to memory of 2716  2340  sendmailb2b.exe  31
  PID 2340 wrote to memory of 2716  2340  sendmailb2b.exe  31
  PID 2340 wrote to memory of 2716  2340  sendmailb2b.exe  31
Processes
1. C:\Users\Admin\AppData\Local\Temp\Identitiesx5991793179\sendmailb2b.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\Identitiesx5991793179\sendmailb2b.exe"
   PID: 2340
   - System Location Discovery: System Language Discovery
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\system32\wermgr.exe
      Command line: C:\Windows\system32\wermgr.exe
      PID: 2716
      - Suspicious use of AdjustPrivilegeToken