Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
16/01/2025, 02:36
Behavioral task
behavioral1
Sample
3af1eea1320c617f8607630704e19422a743eac1b6fb5e941ccb3e88f320610b.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
3af1eea1320c617f8607630704e19422a743eac1b6fb5e941ccb3e88f320610b.exe
Resource
win10v2004-20241007-en
General
-
Target
3af1eea1320c617f8607630704e19422a743eac1b6fb5e941ccb3e88f320610b.exe
-
Size
895KB
-
MD5
2ae0772ccbb6ba5fdbd9c2e8369d0f02
-
SHA1
16ecc3070e5a4347d8bee0d5fed8f99c57769efc
-
SHA256
3af1eea1320c617f8607630704e19422a743eac1b6fb5e941ccb3e88f320610b
-
SHA512
ff12e0c7dbbc25ccfbbd3a4f2d0665d2ed826b0ac8695307c523f9e748b29031dafa38c1fae64b3f847b81c27a40a5ab94d7c663cc741d9047094b8ea02c95c6
-
SSDEEP
24576:2Bf3DbcnrLRjnFVBSU8IjCBuYouaWiKe6MC8EimkXctAzBktNVwqk8zGZsHgPuPK:PfhXG
Malware Config
Signatures
-
Detects Obj3ctivity Stage1 1 IoCs
Obj3ctivity aka PXRECVOWEIWOEI is an infostealer written in C#.
resource yara_rule behavioral2/memory/4816-1-0x0000000000860000-0x0000000000946000-memory.dmp family_obj3ctivity -
Obj3ctivity family
-
Obj3ctivity, PXRECVOWEIWOEI
Obj3ctivity aka PXRECVOWEIWOEI is an infostealer written in C#.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 3af1eea1320c617f8607630704e19422a743eac1b6fb5e941ccb3e88f320610b.exe Key opened \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 3af1eea1320c617f8607630704e19422a743eac1b6fb5e941ccb3e88f320610b.exe Key opened \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 3af1eea1320c617f8607630704e19422a743eac1b6fb5e941ccb3e88f320610b.exe -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 15 icanhazip.com 32 ip-api.com -
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe -
System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs
Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.
pid Process 2748 cmd.exe 3064 netsh.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 3af1eea1320c617f8607630704e19422a743eac1b6fb5e941ccb3e88f320610b.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier 3af1eea1320c617f8607630704e19422a743eac1b6fb5e941ccb3e88f320610b.exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 4816 3af1eea1320c617f8607630704e19422a743eac1b6fb5e941ccb3e88f320610b.exe 4816 3af1eea1320c617f8607630704e19422a743eac1b6fb5e941ccb3e88f320610b.exe 4816 3af1eea1320c617f8607630704e19422a743eac1b6fb5e941ccb3e88f320610b.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 4816 3af1eea1320c617f8607630704e19422a743eac1b6fb5e941ccb3e88f320610b.exe Token: SeSecurityPrivilege 4028 msiexec.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 4816 wrote to memory of 2748 4816 3af1eea1320c617f8607630704e19422a743eac1b6fb5e941ccb3e88f320610b.exe 83 PID 4816 wrote to memory of 2748 4816 3af1eea1320c617f8607630704e19422a743eac1b6fb5e941ccb3e88f320610b.exe 83 PID 2748 wrote to memory of 4792 2748 cmd.exe 86 PID 2748 wrote to memory of 4792 2748 cmd.exe 86 PID 2748 wrote to memory of 3064 2748 cmd.exe 87 PID 2748 wrote to memory of 3064 2748 cmd.exe 87 PID 2748 wrote to memory of 3436 2748 cmd.exe 88 PID 2748 wrote to memory of 3436 2748 cmd.exe 88 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 3af1eea1320c617f8607630704e19422a743eac1b6fb5e941ccb3e88f320610b.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 3af1eea1320c617f8607630704e19422a743eac1b6fb5e941ccb3e88f320610b.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\3af1eea1320c617f8607630704e19422a743eac1b6fb5e941ccb3e88f320610b.exe"C:\Users\Admin\AppData\Local\Temp\3af1eea1320c617f8607630704e19422a743eac1b6fb5e941ccb3e88f320610b.exe"1⤵
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:4816 -
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All2⤵
- System Network Configuration Discovery: Wi-Fi Discovery
- Suspicious use of WriteProcessMemory
PID:2748 -
C:\Windows\system32\chcp.comchcp 650013⤵PID:4792
-
-
C:\Windows\system32\netsh.exenetsh wlan show profile3⤵
- Event Triggered Execution: Netsh Helper DLL
- System Network Configuration Discovery: Wi-Fi Discovery
PID:3064
-
-
C:\Windows\system32\findstr.exefindstr All3⤵PID:3436
-
-
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4028
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1