Analysis
- max time kernel: 124s
- max time network: 142s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22/01/2025, 04:45
Static task: static1
Behavioral task: behavioral1
- Sample: Purchase Order 194960.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: Purchase Order 194960.exe
- Resource: win10v2004-20241007-en
General
- Target: Purchase Order 194960.exe
- Size: 625KB
- MD5: 92514a6ef5868dd0dbba559a12ccb68c
- SHA1: 9dbacede171405c46debfe2cc40128ddc731103b
- SHA256: 862a46281deaadf07f5ce4d2e40efef9949326a8e5622cf2d412ec962a833195
- SHA512: e8a6a09488a4c59bb317c6d166d4a8aa69e4e5dc012dd88de8b5e4688b97f5039ad0189e4e0a2c28de4e0bac1ed0b1e0c90e9f1a49bdb588cfa84a6427ab733a
- SSDEEP: 12288:7nLHWa+ka4ZQhiSaHOMMv0VCwpGpF4aOMbjfAJ7/R8nZrfvxrs7oQBXe:4kmhAHgsgaGpEMbjC7/R8nZrfwoQk
Malware Config
- Extracted family: snakekeylogger
- Exfiltration URL (Telegram Bot API): https://api.telegram.org/bot7810622048:AAGlXVtU9EeAX6sumC63y05EJISEAmugavs/sendMessage?chat_id=986310232
Signatures
- Snake Keylogger
  Keylogger and infostealer first seen in November 2020.
- Snake Keylogger payload (1 IoC)
  resource: behavioral2/memory/2580-46-0x0000000000400000-0x0000000000426000-memory.dmp
  yara_rule: family_snakekeylogger
- Snakekeylogger family
- Command and Scripting Interpreter: PowerShell (1 TTP, 2 IoCs)
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, or processes.
  pid 3368 powershell.exe
  pid 1968 powershell.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely for geofencing.
  Key value queried: \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation (Purchase Order 194960.exe)
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers often target it.
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Key opened: \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (Purchase Order 194960.exe)
  Key opened: \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (Purchase Order 194960.exe)
  Key opened: \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (Purchase Order 194960.exe)
- Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 18: checkip.dyndns.org
  flow 22: reallyfreegeoip.org
  flow 23: reallyfreegeoip.org
- Suspicious use of SetThreadContext (1 IoC)
  PID 4036 (Purchase Order 194960.exe) set thread context of PID 2580 (procid_target 98)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
  Attempts to gather information about the system language of the victim in order to infer the geographical location of the host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (powershell.exe, twice; schtasks.exe; Purchase Order 194960.exe, twice)
- Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid 3052 schtasks.exe
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid 1968 powershell.exe (twice); pid 3368 powershell.exe (twice); pid 2580 Purchase Order 194960.exe (twice)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token SeDebugPrivilege: pid 3368 powershell.exe; pid 1968 powershell.exe; pid 2580 Purchase Order 194960.exe
- Suspicious use of WriteProcessMemory (17 IoCs)
  PID 4036 (Purchase Order 194960.exe) wrote to memory of:
  PID 3368 (procid_target 92), 3 times
  PID 1968 (procid_target 94), 3 times
  PID 3052 (procid_target 96), 3 times
  PID 2580 (procid_target 98), 8 times
- outlook_office_path (1 IoC)
  Key opened: \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (Purchase Order 194960.exe)
- outlook_win_path (1 IoC)
  Key opened: \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (Purchase Order 194960.exe)
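Added example (not part of the tria.ge report): the Telegram Bot API URL from the Malware Config section and the IP-lookup hosts from the "Looks up external IP address" signature, turned into shareable indicators and run against log lines. The URL and hostnames are the report's; the log lines in LOGS are constructed here and stand in for resolver and TLS-inspecting-proxy telemetry.

```python
"""Parse the sample's Telegram exfiltration URL, produce a token-free
indicator, and match the report's network IoCs against constructed log lines."""
import re
from urllib.parse import urlsplit, parse_qs

# From the report's Malware Config.
C2_URL = ("https://api.telegram.org/bot7810622048:AAGlXVtU9EeAX6sumC63y05EJISEAmugavs"
          "/sendMessage?chat_id=986310232")
# From the report's "Looks up external IP address via web service" signature.
IP_LOOKUP_HOSTS = ("checkip.dyndns.org", "reallyfreegeoip.org")

# Bot API path layout: /bot<numeric bot id>:<secret>/<method>
BOT_PATH_RE = re.compile(r"/bot(\d+):([A-Za-z0-9_-]+)/(\w+)")


def parse_telegram_c2(url):
    """Split a Telegram Bot API URL into bot id, secret, method and chat_id."""
    parts = urlsplit(url)
    if parts.hostname != "api.telegram.org":
        raise ValueError("not a Telegram Bot API URL: %r" % url)
    m = BOT_PATH_RE.fullmatch(parts.path)
    if m is None:
        raise ValueError("unexpected Bot API path: %r" % parts.path)
    bot_id, secret, method = m.groups()
    chat_id = parse_qs(parts.query).get("chat_id", [None])[0]
    return {"bot_id": bot_id, "secret": secret, "method": method, "chat_id": chat_id}


def redacted_indicator(cfg):
    """Indicator safe to share: the numeric bot id is enough to pivot on,
    while the secret half of the token grants control of the bot."""
    return "api.telegram.org/bot%s:<redacted>/%s?chat_id=%s" % (
        cfg["bot_id"], cfg["method"], cfg["chat_id"])


def classify_line(line):
    """Tag one log line as IP-lookup beaconing, Bot API exfil, or None."""
    for host in IP_LOOKUP_HOSTS:
        if host in line:
            return "external-ip-lookup"
    m = BOT_PATH_RE.search(line)
    if m and "api.telegram.org" in line:
        return "telegram-bot-exfil bot_id=%s method=%s" % (m.group(1), m.group(3))
    return None


# Constructed log lines (not from the report), DNS resolver plus a proxy that
# decrypts TLS so the request path is visible.
LOGS = [
    "2025-01-22T04:46:01Z dns  query checkip.dyndns.org A",
    "2025-01-22T04:46:02Z http GET http://checkip.dyndns.org/",
    "2025-01-22T04:46:05Z dns  query reallyfreegeoip.org A",
    "2025-01-22T04:46:09Z dns  query api.telegram.org A",
    "2025-01-22T04:46:10Z http POST " + C2_URL,
    "2025-01-22T04:46:12Z dns  query www.microsoft.com A",
]


def triage(lines):
    """Return (index, tag) for every line that matched a rule."""
    hits = []
    for i, line in enumerate(lines):
        tag = classify_line(line)
        if tag:
            hits.append((i, tag))
    return hits


if __name__ == "__main__":
    cfg = parse_telegram_c2(C2_URL)
    print("IOC:", redacted_indicator(cfg))
    for i, tag in triage(LOGS):
        print("%2d %-50s %s" % (i, tag, LOGS[i]))
```

The DNS line for api.telegram.org deliberately does not match: the bot path that identifies this sample only appears once TLS is decrypted or in endpoint telemetry, and a bare resolution of api.telegram.org is not a confident indicator in an environment that runs its own Telegram bots. The IP-lookup hosts match on DNS alone, which is why they are the cheaper first pivot.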
Processes
- C:\Users\Admin\AppData\Local\Temp\Purchase Order 194960.exe (PID 4036)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Purchase Order 194960.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 3368)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Purchase Order 194960.exe"
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1968)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\EPZZIYHrvHTw.exe"
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\schtasks.exe (PID 3052)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EPZZIYHrvHTw" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD987.tmp"
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
  - C:\Users\Admin\AppData\Local\Temp\Purchase Order 194960.exe (PID 2580)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Purchase Order 194960.exe"
    - Accesses Microsoft Outlook profiles
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path

The child image paths sit under SysWOW64 while their command lines name System32: the 32-bit parent launched them through WoW64 file-system redirection, so rules keyed on the command line and rules keyed on the image path must both account for that spelling.
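Added example (not part of the tria.ge report): endpoint detection rules for the three behaviours the process tree above shows. The PIDs, image paths and command lines are taken from the tree; the Sysmon-style event dictionaries and the heuristic for "user-writable" paths are constructed and assumed here.

```python
"""Rules over process-creation events: Defender exclusions pointing at
user-writable paths, scheduled tasks created from XML in a user-writable path,
and a process re-launching its own image (the self-spawn that precedes the
SetThreadContext/WriteProcessMemory activity in the report)."""
import re
from pathlib import PureWindowsPath

# Constructed events; field values copied from the process tree above.
EVENTS = [
    {"pid": 4036, "ppid": 0,
     "image": r"C:\Users\Admin\AppData\Local\Temp\Purchase Order 194960.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\Purchase Order 194960.exe"'},
    {"pid": 3368, "ppid": 4036,
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
                r'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Purchase Order 194960.exe"'},
    {"pid": 1968, "ppid": 4036,
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
                r'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\EPZZIYHrvHTw.exe"'},
    {"pid": 3052, "ppid": 4036,
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EPZZIYHrvHTw" '
                r'/XML "C:\Users\Admin\AppData\Local\Temp\tmpD987.tmp"'},
    {"pid": 2580, "ppid": 4036,
     "image": r"C:\Users\Admin\AppData\Local\Temp\Purchase Order 194960.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\Purchase Order 194960.exe"'},
]


def is_user_writable(path):
    """Assumed heuristic: locations a standard user can write to."""
    p = path.lower()
    return ("\\appdata\\" in p or "\\temp\\" in p
            or p.startswith("c:\\users\\public\\") or p.startswith("c:\\programdata\\"))


def basename(image):
    return PureWindowsPath(image).name.lower()


def is_wow64(image):
    """True for a 32-bit image under WoW64; a 32-bit parent asking for
    System32\\x.exe gets SysWOW64\\x.exe, as the tree above shows."""
    return image.lower().startswith("c:\\windows\\syswow64\\")


def quoted_arg(cmdline, flag):
    """Value of `<flag> "value"` in a Windows command line, or None."""
    m = re.search(re.escape(flag) + r'\s+"([^"]+)"', cmdline, re.IGNORECASE)
    return m.group(1) if m else None


def run_rules(events):
    """Return (rule, pid, detail) tuples for every event that fires a rule."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        name, cmd = basename(e["image"]), e["cmdline"]
        # Rule 1: Defender exclusion whose target lives where the user can write.
        if name in ("powershell.exe", "pwsh.exe") and re.search(r"add-mppreference", cmd, re.I):
            for flag in ("-ExclusionPath", "-ExclusionProcess"):
                target = quoted_arg(cmd, flag)
                if target and is_user_writable(target):
                    findings.append(("defender-exclusion-user-writable", e["pid"], target))
        # Rule 2: scheduled task registered from an XML file in a user-writable path.
        if name == "schtasks.exe" and re.search(r"/create", cmd, re.I):
            xml = quoted_arg(cmd, "/XML")
            if xml and is_user_writable(xml):
                findings.append(("schtasks-xml-user-writable", e["pid"], xml))
        # Rule 3: a user-writable image spawning a copy of itself (injection target).
        parent = by_pid.get(e["ppid"])
        if parent and parent["image"].lower() == e["image"].lower() and is_user_writable(e["image"]):
            findings.append(("self-spawn-user-writable", e["pid"], e["image"]))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in run_rules(EVENTS):
        print("%-34s pid=%-5d %s" % (rule, pid, detail))
```

Rule 1 also covers -ExclusionProcess, which the signature text mentions but this run does not use; rule 3 is the cheap precursor check for the SetThreadContext/WriteProcessMemory pair, which needs API telemetry rather than process-creation events to confirm.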
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1): PowerShell (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Credential Access
- Credentials from Password Stores (1): Credentials from Web Browsers (1)
- Unsecured Credentials (2): Credentials In Files (2)
Downloads
- Filesize: 2KB
  MD5: 3d086a433708053f9bf9523e1d87a4e8
  SHA1: b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
  SHA256: 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
  SHA512: 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd
- Filesize: 18KB
  MD5: c741172c0564c502a0454418e33677bf
  SHA1: 180851ce358ff1c5b037cef8c80eff44517c58f5
  SHA256: 433fb8a51fd752f3e650764897d617bdaafbdb576a0d96401ba0fd4e4bbb7aba
  SHA512: 60c87fefccca14a4859b10a953c7d874e40bb04e6272b1a9314c30b73328996a386a5d0ee2652dc3567d7428ed88d342d6f86a2e7a57db958b669392fec6cfc7
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- Filesize: 1KB
  MD5: 2dd07dc376e5ccfa18f2ef1dc1357cf9
  SHA1: 6fdc87306468247ab3cd45b3feef203c0666f764
  SHA256: 0ce99b0a066fd0825b98febe239f83a79cd07c8ca01f74ee3105ec6cd4eb5883
  SHA512: d98b1bd3ec0f2ed03a76f38e419b7d3a948b0c3766bf2a62adc681bb42746485d66dcd20b97c25e70ccb77f730c59f41b3f99623023a609dffdb811b6fc085eb