Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Resubmissions
13/02/2025, 01:26
250213-btppra1pcz 1017/01/2025, 20:14
250117-yz7h3s1qfw 1017/01/2025, 20:12
250117-yy9l2sslcr 1017/01/2025, 17:25
250117-vy9p9sxpez 1017/01/2025, 17:21
250117-vw8eesyjfp 1017/01/2025, 14:16
250117-rk9ass1rhk 1017/01/2025, 14:12
250117-rhv1ds1lds 1016/01/2025, 12:52
250116-p4et7a1mez 10Analysis
-
max time kernel
130s -
max time network
151s -
platform
windows10-ltsc 2021_x64 -
resource
win10ltsc2021-20250113-en -
resource tags
-
submitted
17/01/2025, 20:14
General
-
Target
Malware-1-master/youwin.exe
-
Size
379KB
-
MD5
c3f3773a596db65c6491b578db621c45
-
SHA1
ba5529fe2d6648ebfa93c17145f5570f448e1111
-
SHA256
dfe2c886d9a6e9b26cdddba621fda00832a59def9813177863723e33c8011b0c
-
SHA512
8d7fab47b741c2e64533c30400cc6b8c20750948f9a9ad4382463ea920021d875eb9dd4d424d182cf25ffdfa96ae2088e89ae8220dd10e161fd9cbb37e213061
-
SSDEEP
6144:dVH5X7dPd2cUnZF+ZXsFv+g11ZebOzWl4QFUTUPYeOEH9yyIKC0ywAHTWZ:dVH5X7dPd2zcO+8ebRJlQeOEH9ytfvw4
Malware Config
Extracted
trickbot
1000312
sun10
82.202.212.172:443
24.247.181.155:449
24.247.182.39:449
109.234.38.220:443
24.247.182.29:449
24.247.182.7:449
71.14.129.8:449
198.46.131.164:443
74.132.135.120:449
198.46.160.217:443
71.94.101.25:443
206.130.141.255:449
192.3.52.107:443
74.140.160.33:449
65.31.241.133:449
140.190.54.187:449
24.247.181.226:449
108.160.196.130:449
23.94.187.116:443
103.110.91.118:449
-
autorunControl:GetSystemInfoName:systeminfoName:injectDllName:pwgrab
Signatures
-
Modifies Windows Defender notification settings 3 TTPs 2 IoCs
-
Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
-
Trickbot family
-
Trickbot x86 loader 2 IoCs
Detected Trickbot's x86 loader that unpacks the x86 payload.
-
Stops running service(s) 4 TTPs
-
Executes dropped EXE 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Using powershell.exe command.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
System Location Discovery: System Language Discovery 1 TTPs 14 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 16 IoCs
-
Suspicious use of AdjustPrivilegeToken 44 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Malware-1-master\youwin.exe"C:\Users\Admin\AppData\Local\Temp\Malware-1-master\youwin.exe"1⤵
- Modifies Windows Defender notification settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c sc stop WinDefend2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\sc.exesc stop WinDefend3⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exe/c sc delete WinDefend2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\sc.exesc delete WinDefend3⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exe/c powershell Set-MpPreference -DisableRealtimeMonitoring $true2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell Set-MpPreference -DisableRealtimeMonitoring $true3⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Roaming\NetSf\youwin.exeC:\Users\Admin\AppData\Roaming\NetSf\youwin.exe2⤵
- Modifies Windows Defender notification settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c sc stop WinDefend3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\sc.exesc stop WinDefend4⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exe/c sc delete WinDefend3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\sc.exesc delete WinDefend4⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exe/c powershell Set-MpPreference -DisableRealtimeMonitoring $true3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell Set-MpPreference -DisableRealtimeMonitoring $true4⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe3⤵
- Adds Run key to start application
-
C:\Windows\SYSTEM32\regini.exeregini C:\Users\Admin\AppData\Local\Temp\tmp0514⤵
-
-
C:\Windows\SYSTEM32\regini.exeregini C:\Users\Admin\AppData\Local\Temp\tmp0514⤵
-
-
-
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1System Services
1Service Execution
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5f9349064c7c8f8467cc12d78a462e5f9
SHA15e1d27fc64751cd8c0e9448ee47741da588b3484
SHA256883481fe331cb89fb6061e76b43acd4dd638c16f499b10088b261036c6d0547b
SHA5123229668491b5e4068e743b31f2896b30b1842faf96aff09fad01b08771c2f11eb8d8f02a3b76e31f0d6ad650c2894c5ac1822204e132c03d9c2b8df6ca4cd7cf
-
Filesize
21KB
MD58e7a3fdff61a5abda83147c9a60fa0a6
SHA18808acca915a2bcff6f9b62e465c4209f7a25cb2
SHA256dd81cbdff8fea56f553df228ee6578dcaf0256117ff2c0babe75ddb0a68c44f1
SHA5128e95f057c35178635c9f2f4c8150b6ed3b16c0514b9ba3e8ac4bb8e2ad0fc5962c3a43e4d548ed8f9a1f9b3a279dae786cd7c1845b5a41b6234132b01fbb8925
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
67B
MD5e4bcd320585af9f77671cc6e91fe9de6
SHA115f12439eb3e133affb37b29e41e57d89fc90e06
SHA256a1e0f5a9cfc9615222f04e65455c7c4c1ba86710275afffd472428a293c31ec8
SHA51200497885531c0b84fe869828e5f2c0631f2f175f961c62175736487ae703252ba7393f882ffe99d8c4bcdb951172e35daa9ca41f45e64ce97fbae7721b25c112
-
Filesize
67B
MD558b2f90cc0182925ae0bab51700b14ab
SHA1d2975adeb8dc68f2f5e10edee524de78e79828db
SHA2568114822fe9a58e5ba08abb480dd595109c66a49d9afc404f85843915694c2964
SHA512de6154d3d44c7e332f5cf1f3b1e4f20612ecd37f08fa60382ecc5008af2d9a55216357d6927e706fd2ef60b772e7941631fdfe9b1d615e5264e99cffe59ad782
-
Filesize
1KB
MD570de24be45fd0abe97bd4ed318f1847d
SHA1ec0808c4eefc0742b36bb85dd73cb7e40c60e32b
SHA25644c58e96684ff93ef7df340f134ca96ca691d5c2e5e22e26ebb30c0c58a180e3
SHA512f2d27af37515eb95849a3b8246b217d6733aabfbabdea3d95bbebf76c36cde1f2e966e709fb39d5d27c4b71a5099f29428a23b006efbd2f127204faea33f21ea
-
Filesize
379KB
MD5c3f3773a596db65c6491b578db621c45
SHA1ba5529fe2d6648ebfa93c17145f5570f448e1111
SHA256dfe2c886d9a6e9b26cdddba621fda00832a59def9813177863723e33c8011b0c
SHA5128d7fab47b741c2e64533c30400cc6b8c20750948f9a9ad4382463ea920021d875eb9dd4d424d182cf25ffdfa96ae2088e89ae8220dd10e161fd9cbb37e213061
-
Filesize
304KB
-
Filesize
3.3MB
-
Filesize
304KB
-
Filesize
652KB
-
Filesize
304KB
-
Filesize
7.7MB
-
Filesize
3.3MB
-
Filesize
120KB
-
Filesize
304KB
-
Filesize
7.7MB
-
Filesize
200KB
-
Filesize
408KB
-
Filesize
120KB
-
Filesize
7.7MB
-
Filesize
652KB
-
Filesize
6.8MB
-
Filesize
104KB
-
Filesize
6.5MB
-
Filesize
40KB
-
Filesize
600KB
-
Filesize
7.7MB
-
Filesize
4KB
-
Filesize
136KB
-
Filesize
216KB
-
Filesize
7.7MB
-
Filesize
408KB
-
Filesize
756KB
-
Filesize
3.0MB
-
Filesize
28KB
-
Filesize
28KB
-
Filesize
400KB
-
Filesize
400KB
-
Filesize
228KB
-
Filesize
228KB
-
Filesize
228KB
-
Filesize
400KB
-
Filesize
256KB
-
Filesize
400KB
-
Filesize
256KB