
Analysis

  • max time kernel
    150s
  • max time network
    128s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    17/01/2025, 01:09 UTC

General

  • Target

    d5a4fa1fd6bb8be292a1aa5d88c4ed1f35052d47277dba2c6edba87891971462.exe

  • Size

    663KB

  • MD5

    99aeb2bd221f1002d08f9b226bf5063f

  • SHA1

    3e9e671f3115c062920e4cbe7185ba879877f39b

  • SHA256

    d5a4fa1fd6bb8be292a1aa5d88c4ed1f35052d47277dba2c6edba87891971462

  • SHA512

    4a782bccfdd66b9d3c5b3760bfe8faa93970235c9fe9aa22a7d565ab5d7f411d80ad6b6400a15320700d038605cddce5a2dadc95a3d6f87419297b928627eca9

  • SSDEEP

    6144:RWusAIFB++velibxPyp/64wjOjn6cB3rZtT/Yq3v9Auky+4N137Am/v1:Rz7IFjvelQypyfy7z6u7+4D37Am/v1

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.yandex.com
  • Port:
    587
  • Username:
    Trav01is@yandex.com
  • Password:
    Boy12345#

Signatures

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

  • Accesses Microsoft Outlook profiles 1 TTPs 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d5a4fa1fd6bb8be292a1aa5d88c4ed1f35052d47277dba2c6edba87891971462.exe
    "C:\Users\Admin\AppData\Local\Temp\d5a4fa1fd6bb8be292a1aa5d88c4ed1f35052d47277dba2c6edba87891971462.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:296
    • C:\Users\Admin\AppData\Roaming\app.exe
      "C:\Users\Admin\AppData\Roaming\app.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2228
      • C:\Users\Admin\AppData\Roaming\app.exe
        "C:\Users\Admin\AppData\Roaming\app.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2064
      • C:\Users\Admin\AppData\Roaming\My.RawFile.exe
        "C:\Users\Admin\AppData\Roaming\My.RawFile.exe"
        3⤵
        • Executes dropped EXE
        • Accesses Microsoft Outlook profiles
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • outlook_office_path
        • outlook_win_path
        PID:648
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:852
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:772

Network

  • flag-us
    DNS
    checkip.dyndns.org
    My.RawFile.exe
    Remote address:
    8.8.8.8:53
    Request
    checkip.dyndns.org
    IN A
    Response
    checkip.dyndns.org
    IN CNAME
    checkip.dyndns.com
    checkip.dyndns.com
    IN A
    193.122.6.168
    checkip.dyndns.com
    IN A
    132.226.247.73
    checkip.dyndns.com
    IN A
    132.226.8.169
    checkip.dyndns.com
    IN A
    193.122.130.0
    checkip.dyndns.com
    IN A
    158.101.44.242
  • flag-de
    GET
    http://checkip.dyndns.org/
    My.RawFile.exe
    Remote address:
    193.122.6.168:80
    Request
    GET / HTTP/1.1
    Host: checkip.dyndns.org
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Fri, 17 Jan 2025 01:10:20 GMT
    Content-Type: text/html
    Content-Length: 106
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
  • flag-us
    DNS
    smtp.yandex.com
    My.RawFile.exe
    Remote address:
    8.8.8.8:53
    Request
    smtp.yandex.com
    IN A
    Response
    smtp.yandex.com
    IN CNAME
    smtp.yandex.ru
    smtp.yandex.ru
    IN A
    77.88.21.158
  • flag-us
    DNS
    crl.microsoft.com
    Remote address:
    8.8.8.8:53
    Request
    crl.microsoft.com
    IN A
    Response
    crl.microsoft.com
    IN CNAME
    crl.www.ms.akadns.net
    crl.www.ms.akadns.net
    IN CNAME
    a1363.dscg.akamai.net
    a1363.dscg.akamai.net
    IN A
    2.19.252.157
    a1363.dscg.akamai.net
    IN A
    2.19.252.132
  • flag-gb
    GET
    http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
    Remote address:
    2.19.252.157:80
    Request
    GET /pki/crl/products/MicRooCerAut2011_2011_03_22.crl HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    If-Modified-Since: Thu, 11 Jul 2024 01:45:51 GMT
    User-Agent: Microsoft-CryptoAPI/6.1
    Host: crl.microsoft.com
    Response
    HTTP/1.1 200 OK
    Content-Length: 1036
    Content-Type: application/octet-stream
    Content-MD5: +oTkvMkqpdtzWrUHEQQM3g==
    Last-Modified: Thu, 12 Dec 2024 00:06:56 GMT
    ETag: 0x8DD1A40E476D877
    Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
    x-ms-request-id: 4de8ec0b-c01e-0047-3936-4c3cb1000000
    x-ms-version: 2009-09-19
    x-ms-lease-status: unlocked
    x-ms-blob-type: BlockBlob
    Date: Fri, 17 Jan 2025 01:10:23 GMT
    Connection: keep-alive
  • flag-us
    DNS
    www.microsoft.com
    Remote address:
    8.8.8.8:53
    Request
    www.microsoft.com
    IN A
    Response
    www.microsoft.com
    IN CNAME
    www.microsoft.com-c-3.edgekey.net
    www.microsoft.com-c-3.edgekey.net
    IN CNAME
    www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net
    www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net
    IN CNAME
    e13678.dscb.akamaiedge.net
    e13678.dscb.akamaiedge.net
    IN A
    95.100.245.144
  • flag-gb
    GET
    http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl
    Remote address:
    95.100.245.144:80
    Request
    GET /pkiops/crl/MicCodSigPCA2011_2011-07-08.crl HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    If-Modified-Since: Sun, 18 Aug 2024 00:23:49 GMT
    User-Agent: Microsoft-CryptoAPI/6.1
    Host: www.microsoft.com
    Response
    HTTP/1.1 200 OK
    Content-Length: 1078
    Content-Type: application/octet-stream
    Content-MD5: HqJzZuA065RHozzmOcAUiQ==
    Last-Modified: Tue, 14 Jan 2025 20:41:31 GMT
    ETag: 0x8DD34DBD43549F4
    x-ms-request-id: 6cfcb200-a01e-0041-39cb-660f0e000000
    x-ms-version: 2009-09-19
    x-ms-lease-status: unlocked
    x-ms-blob-type: BlockBlob
    Date: Fri, 17 Jan 2025 01:10:24 GMT
    Connection: keep-alive
    TLS_version: UNKNOWN
    ms-cv: CASMicrosoftCV1a05e11c.0
    ms-cv-esi: CASMicrosoftCV1a05e11c.0
    X-RTag: RT
  • 193.122.6.168:80
    http://checkip.dyndns.org/
    http
    My.RawFile.exe
    396 B
    802 B
    7
    6

    HTTP Request

    GET http://checkip.dyndns.org/

    HTTP Response

    200
  • 77.88.21.158:587
    smtp.yandex.com
    smtp-submission
    My.RawFile.exe
    1.2kB
    5.9kB
    15
    15
  • 2.19.252.157:80
    http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
    http
    451 B
    1.7kB
    5
    5

    HTTP Request

    GET http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl

    HTTP Response

    200
  • 95.100.245.144:80
    http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl
    http
    393 B
    1.7kB
    4
    4

    HTTP Request

    GET http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl

    HTTP Response

    200
  • 8.8.8.8:53
    checkip.dyndns.org
    dns
    My.RawFile.exe
    64 B
    176 B
    1
    1

    DNS Request

    checkip.dyndns.org

    DNS Response

    193.122.6.168
    132.226.247.73
    132.226.8.169
    193.122.130.0
    158.101.44.242

  • 8.8.8.8:53
    smtp.yandex.com
    dns
    My.RawFile.exe
    61 B
    105 B
    1
    1

    DNS Request

    smtp.yandex.com

    DNS Response

    77.88.21.158

  • 8.8.8.8:53
    crl.microsoft.com
    dns
    63 B
    162 B
    1
    1

    DNS Request

    crl.microsoft.com

    DNS Response

    2.19.252.157
    2.19.252.132

  • 8.8.8.8:53
    www.microsoft.com
    dns
    63 B
    230 B
    1
    1

    DNS Request

    www.microsoft.com

    DNS Response

    95.100.245.144

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    9d890180647b8c0ac4c944f8188a193a

    SHA1

    e7504a4aa6f92263f18ac6a3c7078c5678e85c69

    SHA256

    26852e2e5f213af887ba43c6005bc16ee2142910b6a50ab4ad8ecc95e70d7ed2

    SHA512

    6b798de2d818d3c65902296835a77f818df748c990fbaa5a51c47be13d9b7271407832c58914c0ea8db7bb3bea0aa51440320bd3e2b0c6f11465a36f903d56f2

  • C:\Users\Admin\AppData\Local\Temp\Cab4624.tmp

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\Local\Temp\Tar5468.tmp

    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  • \Users\Admin\AppData\Roaming\My.RawFile.exe

    Filesize

    142KB

    MD5

    5a733ef0de5e31e2e4b4abb016c0f251

    SHA1

    28644040a6deac35c20fa931b5d003a97293363e

    SHA256

    a80c77ca694eca3f6629c54572aba811e64b61975c5db2ff38c8d662d12b1ce7

    SHA512

    9d09ac6b6a560643cac08345ab6ef8578011b11be7d4821d7aa1b3d76f2801d30cb4d206a4ff9335f0ece5cfa2ec8258754b2481102eac3da064e5005f7ffba9

  • \Users\Admin\AppData\Roaming\app.exe

    Filesize

    669KB

    MD5

    73d17b97c3e921d013b2b0b1eca31758

    SHA1

    ce8631a1e39ee85242aac8535425b33be6fdb5b3

    SHA256

    fb681539dea403480b6a038b24b9aba6d63a897715993abfa281d74ea4d5b642

    SHA512

    11ee89d38c1b8cf0a771791de5e4fb2d303f8055945126df3b2de8e7ebe073bfca306b264a1a9219e0a3f97880a0bd2b123aa3aa8ed343f163fac04b27db241e

  • memory/296-12-0x0000000074280000-0x000000007482B000-memory.dmp

    Filesize

    5.7MB

  • memory/296-29-0x0000000074280000-0x000000007482B000-memory.dmp

    Filesize

    5.7MB

  • memory/296-24-0x0000000074280000-0x000000007482B000-memory.dmp

    Filesize

    5.7MB

  • memory/296-0-0x0000000074281000-0x0000000074282000-memory.dmp

    Filesize

    4KB

  • memory/296-11-0x0000000074280000-0x000000007482B000-memory.dmp

    Filesize

    5.7MB

  • memory/296-1-0x0000000074280000-0x000000007482B000-memory.dmp

    Filesize

    5.7MB

  • memory/772-94-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

  • memory/772-93-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

  • memory/772-91-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/772-92-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

  • memory/852-69-0x0000000000080000-0x0000000000090000-memory.dmp

    Filesize

    64KB

  • memory/852-82-0x0000000000080000-0x0000000000090000-memory.dmp

    Filesize

    64KB

  • memory/852-79-0x0000000000080000-0x0000000000090000-memory.dmp

    Filesize

    64KB

  • memory/852-75-0x0000000000080000-0x0000000000090000-memory.dmp

    Filesize

    64KB

  • memory/852-73-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/852-71-0x0000000000080000-0x0000000000090000-memory.dmp

    Filesize

    64KB

  • memory/852-65-0x0000000000080000-0x0000000000090000-memory.dmp

    Filesize

    64KB

  • memory/852-67-0x0000000000080000-0x0000000000090000-memory.dmp

    Filesize

    64KB

  • memory/2228-42-0x0000000074280000-0x000000007482B000-memory.dmp

    Filesize

    5.7MB

  • memory/2228-43-0x0000000074280000-0x000000007482B000-memory.dmp

    Filesize

    5.7MB

  • memory/2228-32-0x0000000074280000-0x000000007482B000-memory.dmp

    Filesize

    5.7MB

  • memory/2228-33-0x0000000074280000-0x000000007482B000-memory.dmp

    Filesize

    5.7MB

  • memory/2228-95-0x0000000074280000-0x000000007482B000-memory.dmp

    Filesize

    5.7MB

  • memory/2228-98-0x0000000074280000-0x000000007482B000-memory.dmp

    Filesize

    5.7MB

  • memory/2228-99-0x0000000074280000-0x000000007482B000-memory.dmp

    Filesize

    5.7MB
