Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
103s -
max time network
203s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
17/01/2025, 01:00
Static task
static1
Behavioral task
behavioral1
Sample
17012025_0100_fifuc6.ps1
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
17012025_0100_fifuc6.ps1
Resource
win10v2004-20241007-en
General
-
Target
17012025_0100_fifuc6.ps1
-
Size
182KB
-
MD5
531f7522fa2f658d3695b8827ce1a651
-
SHA1
084d8a701f8f285b88abe292c2b4dbb202b23406
-
SHA256
f0924aa3814edd9834cb39707a1d9c217b6c99a2229b1c9264e4c7f72ef8ac66
-
SHA512
6d2977b3c85d710cad721ba4f2ac9256eb1ef4416975f17a7159d1c9adbac0d1eb6bddd0985b896711bef2846c58128379afb322c2f75388bef3cc405984779b
-
SSDEEP
3072:xQvNklrvsQRAvUnjuw1cYpQAO8PJ3lPZA9iR3TxUK/zGc5+n:GvGlAAnCwhHPplP2943Tz/zX5w
Malware Config
Extracted
Protocol: smtp- Host:
mail.cl-logistics.vn - Port:
587 - Username:
[email protected] - Password:
logistics@123
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 3748 x.exe -
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegAsm.exe Key opened \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegAsm.exe Key opened \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegAsm.exe -
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 7 checkip.dyndns.org 11 reallyfreegeoip.org 12 reallyfreegeoip.org -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 3748 set thread context of 3504 3748 x.exe 85 -
pid Process 1644 powershell.exe -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language x.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegAsm.exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 1644 powershell.exe 1644 powershell.exe 3504 RegAsm.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 1644 powershell.exe Token: SeDebugPrivilege 3504 RegAsm.exe -
Suspicious use of WriteProcessMemory 11 IoCs
description pid Process procid_target PID 1644 wrote to memory of 3748 1644 powershell.exe 84 PID 1644 wrote to memory of 3748 1644 powershell.exe 84 PID 1644 wrote to memory of 3748 1644 powershell.exe 84 PID 3748 wrote to memory of 3504 3748 x.exe 85 PID 3748 wrote to memory of 3504 3748 x.exe 85 PID 3748 wrote to memory of 3504 3748 x.exe 85 PID 3748 wrote to memory of 3504 3748 x.exe 85 PID 3748 wrote to memory of 3504 3748 x.exe 85 PID 3748 wrote to memory of 3504 3748 x.exe 85 PID 3748 wrote to memory of 3504 3748 x.exe 85 PID 3748 wrote to memory of 3504 3748 x.exe 85 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegAsm.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegAsm.exe
Processes
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\17012025_0100_fifuc6.ps11⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1644 -
C:\Users\Admin\AppData\Local\Temp\x.exe"C:\Users\Admin\AppData\Local\Temp\x.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3748 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:3504
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
136KB
MD5fb9802a28361f8146263d7256008a8aa
SHA1a6623bc42fd64c7f09127cfa990afbae4c90e5e7
SHA256dcc1cd97606ab9dfcea2d2ffaedc16eaf51d48c22d1bbdec82d528d7153b7a90
SHA51210a5bf50153d7329281aa383ca1115f30645a841861adbc2b9121c30d95b741daafb1f21774507e225a0c63de5150eb2c9e77289fe847414ebf45a4cfdd2e30c