Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
17/01/2025, 01:16
Static task
static1
Behavioral task
behavioral1
Sample
49801fd886f247d6ceaf711e79c0c6f27d6e1e2c83a0e91282b81e36d17d08bd.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
49801fd886f247d6ceaf711e79c0c6f27d6e1e2c83a0e91282b81e36d17d08bd.exe
Resource
win10v2004-20241007-en
General
-
Target
49801fd886f247d6ceaf711e79c0c6f27d6e1e2c83a0e91282b81e36d17d08bd.exe
-
Size
730KB
-
MD5
bacdc65f2a0c72a5819987becf60ccb1
-
SHA1
d36830a79815415a190f54ea9638217f4b4c9d17
-
SHA256
49801fd886f247d6ceaf711e79c0c6f27d6e1e2c83a0e91282b81e36d17d08bd
-
SHA512
1e0cb74190e55f65a7350d7baba203b2aeb13fccdbc106cb45aa2f2d4394f59e1a140d7fa64e16b4ac88a21a8fd3ef983e9b50061d7dea90f71c6beaea29cd33
-
SSDEEP
6144:qWusAIFB++velibxPyp/64wjOjn6cB3rZtT/Yq3v9Auky+4N1vbMa:qz7IFjvelQypyfy7z6u7+4DvbMa
Malware Config
Extracted
Protocol: smtp- Host:
smtp.yandex.com - Port:
587 - Username:
[email protected] - Password:
Boy12345#
Signatures
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation 49801fd886f247d6ceaf711e79c0c6f27d6e1e2c83a0e91282b81e36d17d08bd.exe Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation app.exe -
Executes dropped EXE 3 IoCs
pid Process 3752 app.exe 2928 app.exe 5072 My.RawFile.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Accesses Microsoft Outlook profiles 1 TTPs 2 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 My.RawFile.exe Key opened \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 My.RawFile.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Application = "C:\\Users\\Admin\\AppData\\Roaming\\app.exe" 49801fd886f247d6ceaf711e79c0c6f27d6e1e2c83a0e91282b81e36d17d08bd.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 24 checkip.dyndns.org -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 3752 set thread context of 3548 3752 app.exe 92 PID 3752 set thread context of 4128 3752 app.exe 93 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 49801fd886f247d6ceaf711e79c0c6f27d6e1e2c83a0e91282b81e36d17d08bd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language app.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language app.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language My.RawFile.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language aspnet_compiler.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language aspnet_compiler.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4368 49801fd886f247d6ceaf711e79c0c6f27d6e1e2c83a0e91282b81e36d17d08bd.exe 4368 49801fd886f247d6ceaf711e79c0c6f27d6e1e2c83a0e91282b81e36d17d08bd.exe 4368 49801fd886f247d6ceaf711e79c0c6f27d6e1e2c83a0e91282b81e36d17d08bd.exe 4368 49801fd886f247d6ceaf711e79c0c6f27d6e1e2c83a0e91282b81e36d17d08bd.exe 4368 49801fd886f247d6ceaf711e79c0c6f27d6e1e2c83a0e91282b81e36d17d08bd.exe 4368 49801fd886f247d6ceaf711e79c0c6f27d6e1e2c83a0e91282b81e36d17d08bd.exe 3752 app.exe 3752 app.exe 3752 app.exe 3752 app.exe 3752 app.exe 3752 app.exe 2928 app.exe 2928 app.exe 2928 app.exe 2928 app.exe 2928 app.exe 2928 app.exe 3752 app.exe 3752 app.exe 3752 app.exe 3752 app.exe 3752 app.exe 3752 app.exe 3752 app.exe 3752 app.exe 3752 app.exe 3752 app.exe 3752 app.exe 3752 app.exe 3752 app.exe 3752 app.exe 3752 app.exe 3752 app.exe 5072 My.RawFile.exe 5072 My.RawFile.exe 5072 My.RawFile.exe 5072 My.RawFile.exe 3752 app.exe 3752 app.exe 3752 app.exe 3752 app.exe 3752 app.exe 3752 app.exe 3752 app.exe 3752 app.exe 3752 app.exe 3752 app.exe 3752 app.exe 3752 app.exe 3752 app.exe 3752 app.exe 3752 app.exe 3752 app.exe 3752 app.exe 3752 app.exe 3752 app.exe 3752 app.exe 3752 app.exe 3752 app.exe 3752 app.exe 3752 app.exe 3752 app.exe 3752 app.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeDebugPrivilege 4368 49801fd886f247d6ceaf711e79c0c6f27d6e1e2c83a0e91282b81e36d17d08bd.exe Token: SeDebugPrivilege 3752 app.exe Token: SeDebugPrivilege 2928 app.exe Token: SeDebugPrivilege 5072 My.RawFile.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 5072 My.RawFile.exe -
Suspicious use of WriteProcessMemory 25 IoCs
description pid Process procid_target PID 4368 wrote to memory of 3752 4368 49801fd886f247d6ceaf711e79c0c6f27d6e1e2c83a0e91282b81e36d17d08bd.exe 87 PID 4368 wrote to memory of 3752 4368 49801fd886f247d6ceaf711e79c0c6f27d6e1e2c83a0e91282b81e36d17d08bd.exe 87 PID 4368 wrote to memory of 3752 4368 49801fd886f247d6ceaf711e79c0c6f27d6e1e2c83a0e91282b81e36d17d08bd.exe 87 PID 3752 wrote to memory of 2928 3752 app.exe 90 PID 3752 wrote to memory of 2928 3752 app.exe 90 PID 3752 wrote to memory of 2928 3752 app.exe 90 PID 3752 wrote to memory of 5072 3752 app.exe 91 PID 3752 wrote to memory of 5072 3752 app.exe 91 PID 3752 wrote to memory of 5072 3752 app.exe 91 PID 3752 wrote to memory of 3548 3752 app.exe 92 PID 3752 wrote to memory of 3548 3752 app.exe 92 PID 3752 wrote to memory of 3548 3752 app.exe 92 PID 3752 wrote to memory of 4128 3752 app.exe 93 PID 3752 wrote to memory of 4128 3752 app.exe 93 PID 3752 wrote to memory of 4128 3752 app.exe 93 PID 3752 wrote to memory of 3548 3752 app.exe 92 PID 3752 wrote to memory of 3548 3752 app.exe 92 PID 3752 wrote to memory of 3548 3752 app.exe 92 PID 3752 wrote to memory of 3548 3752 app.exe 92 PID 3752 wrote to memory of 3548 3752 app.exe 92 PID 3752 wrote to memory of 4128 3752 app.exe 93 PID 3752 wrote to memory of 4128 3752 app.exe 93 PID 3752 wrote to memory of 4128 3752 app.exe 93 PID 3752 wrote to memory of 4128 3752 app.exe 93 PID 3752 wrote to memory of 4128 3752 app.exe 93 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 My.RawFile.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 My.RawFile.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\49801fd886f247d6ceaf711e79c0c6f27d6e1e2c83a0e91282b81e36d17d08bd.exe"C:\Users\Admin\AppData\Local\Temp\49801fd886f247d6ceaf711e79c0c6f27d6e1e2c83a0e91282b81e36d17d08bd.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4368 -
C:\Users\Admin\AppData\Roaming\app.exe"C:\Users\Admin\AppData\Roaming\app.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3752 -
C:\Users\Admin\AppData\Roaming\app.exe"C:\Users\Admin\AppData\Roaming\app.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2928
-
-
C:\Users\Admin\AppData\Roaming\My.RawFile.exe"C:\Users\Admin\AppData\Roaming\My.RawFile.exe"3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- outlook_office_path
- outlook_win_path
PID:5072
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"3⤵
- System Location Discovery: System Language Discovery
PID:3548
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"3⤵
- System Location Discovery: System Language Discovery
PID:4128
-
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
5Credentials In Files
4Credentials in Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
20B
MD5b3ac9d09e3a47d5fd00c37e075a70ecb
SHA1ad14e6d0e07b00bd10d77a06d68841b20675680b
SHA2567a23c6e7ccd8811ecdf038d3a89d5c7d68ed37324bae2d4954125d9128fa9432
SHA51209b609ee1061205aa45b3c954efc6c1a03c8fd6b3011ff88cf2c060e19b1d7fd51ee0cb9d02a39310125f3a66aa0146261bdee3d804f472034df711bc942e316
-
Filesize
142KB
MD55a733ef0de5e31e2e4b4abb016c0f251
SHA128644040a6deac35c20fa931b5d003a97293363e
SHA256a80c77ca694eca3f6629c54572aba811e64b61975c5db2ff38c8d662d12b1ce7
SHA5129d09ac6b6a560643cac08345ab6ef8578011b11be7d4821d7aa1b3d76f2801d30cb4d206a4ff9335f0ece5cfa2ec8258754b2481102eac3da064e5005f7ffba9
-
Filesize
739KB
MD5189122ca1d7a1c018fabb373a7210b97
SHA1ddf5210eccfb9d0674a48dd82ddd777c314635f0
SHA256201b5d06c903de9243f274c67adb40174d01f6e8e5bf36148ced7092664585cd
SHA512ab670821ce4a0d742c88b8afe49b77891cf8db5dced43b8038ed53b17eb437ba3f8d11ba4584b07ae9d919da5214b3e53d38963a8edcb0dbaa9eb466a420ea62