Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
157s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
22/01/2025, 13:58
General
-
Target
2024-12-03_67b4f997c2950c3a7da49a06ad0d6da8_frostygoop_hijackloader_luca-stealer_poet-rat_snatch.exe
-
Size
956.1MB
-
MD5
67b4f997c2950c3a7da49a06ad0d6da8
-
SHA1
a72981393641868956f5329fd8d5009cf418c8d1
-
SHA256
8526de38fe915997bbc8cc4c697b719a63ae49636249f8749cad7c075188a70a
-
SHA512
9d234d0e3e9e78c76089d7538a190d5e4c1e1aa67b62b344c3523824ea942dee836421e7ff634ddfef66a601f72e5a71d1e46ac51dc8cd7df3827550cea1d22f
-
SSDEEP
49152:9y9HGov4ftacY9lbcByt5rJscl4F51CWJAs5EeG7GIV/7LyBThv3ILW01am:0vfe7P5ENGIVPoThv3Iam
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies Internet Explorer settings 1 TTPs 24 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 13 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-12-03_67b4f997c2950c3a7da49a06ad0d6da8_frostygoop_hijackloader_luca-stealer_poet-rat_snatch.exe"C:\Users\Admin\AppData\Local\Temp\2024-12-03_67b4f997c2950c3a7da49a06ad0d6da8_frostygoop_hijackloader_luca-stealer_poet-rat_snatch.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell "" "SCHTASKS.exe /Create /SC MINUTE /ED 12/12/2030 /TN system_updater /TR C:\Users\Admin\AppData\Roaming\Microsoft\config\system.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /Create /SC MINUTE /ED 12/12/2030 /TN system_updater /TR C:\Users\Admin\AppData\Roaming\Microsoft\config\system.exe3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --mojo-platform-channel-handle=3456 --field-trial-handle=1600,i,15554764459745766658,2657313602245406631,131072 /prefetch:11⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --mojo-platform-channel-handle=4216 --field-trial-handle=1600,i,15554764459745766658,2657313602245406631,131072 /prefetch:11⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --mojo-platform-channel-handle=3408 --field-trial-handle=1600,i,15554764459745766658,2657313602245406631,131072 /prefetch:11⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3808 --field-trial-handle=1600,i,15554764459745766658,2657313602245406631,131072 /prefetch:81⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --mojo-platform-channel-handle=1548 --field-trial-handle=1600,i,15554764459745766658,2657313602245406631,131072 /prefetch:11⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --mojo-platform-channel-handle=3888 --field-trial-handle=1600,i,15554764459745766658,2657313602245406631,131072 /prefetch:11⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --mojo-platform-channel-handle=4080 --field-trial-handle=1600,i,15554764459745766658,2657313602245406631,131072 /prefetch:11⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --mojo-platform-channel-handle=3704 --field-trial-handle=1600,i,15554764459745766658,2657313602245406631,131072 /prefetch:11⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1544 --field-trial-handle=1600,i,15554764459745766658,2657313602245406631,131072 /prefetch:81⤵
-
C:\Windows\system32\taskeng.exetaskeng.exe {3DBC1FCC-6C8B-42D1-AD96-18A24997125C} S-1-5-21-2872745919-2748461613-2989606286-1000:CCJBVTGQ\Admin:Interactive:[1]1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\config\system.exeC:\Users\Admin\AppData\Roaming\Microsoft\config\system.exe2⤵
- Executes dropped EXE
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2352 CREDAT:275457 /prefetch:22⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
342B
MD53b53db4f3d5d2d9d5db87ba9c807db69
SHA148c9516afeaa40ea70f721702582fd27886ac09b
SHA2560b54eee4bf0b06520266dd783e791367d6d9f154dba3cf5d1c35b9315a2512c1
SHA5127b4caccd3653e70fcc68f9f3799e04f33e57c1735f533f286d911bfb2cf06ba25a893b165b69d24e52b9a369bf04722abe41a4058c08043da0bb817a577fa3ad
-
Filesize
342B
MD5103710d3863544b824fa7a80d720d920
SHA125bcb299c6860030f6a398ee11000b2dc618611a
SHA256eb4559f51024efdc69c3c06d5372c93573b30b04552a59ef757f99a6ae68d7ab
SHA5124ec05b12425cc3b775c8718c45a99d4b997cc34f03d2609b1fce610c0ebb1a5bc53553380690c3e6eac60fa100287a792d861618ba1a5ad8680488da7e013169
-
Filesize
342B
MD513c24affb62ff4fe600a90d21e5c469e
SHA1590b90ab97352e92c7208bfaf70e5ab696526361
SHA256f05e838b54f3769e54929ce14e3097f18415144ea6f49ea2d70fdad44ca3d1cd
SHA512ea76df213f60c001af26d21ca24736e7ee26041cc911bdb67d9a4bd586ee6f36b47002f587f1f4daf838fb3505d913403156918921b15ac93e32a25b8e73c7c5
-
Filesize
342B
MD533fbd0af09f883397b2f3dc5e4a87192
SHA1dfe83815814d6430f5d0e88f90202c71eb7de2f9
SHA256975937a647ac542617af0237c6bf0b9092d15c9c5f5a44c5ae009da2cc9ba1b8
SHA5122f9f32113b5abbab4ad8542d286ee73d7b356691ac88b118ea9971b3f5bd3b4da117001c2daab010a18cefba0234b7b10c851193ac890fb57663d0e8c2fa06fa
-
Filesize
342B
MD501b7cc1ce2b0b15c7f06a911a306967d
SHA1f49644559e8d1789dd3db26b5fae297ce3d485ca
SHA256759cb22519b9b33b2e4208be0a56816268d2c429cc6335c3bcc16bc55f86d934
SHA51284577a7c6939c19a5fdc768d6482156c633943ece00c05af4500a1cd29f1f66f437d7bfd29779d01aa4d6cbcd7dc974c5912a499ed470054a1362e8860087396
-
Filesize
342B
MD510936b7fe61fdbfd66632362538c256f
SHA1f10f99c4a44d7da0f753b264de489ee57cbd7288
SHA256508bd69eaf267cb5065145882c33c1ca225cbe14404b874c6b58270a5c8f962b
SHA512ea46c87bec70fe8156581067aa1ade0977f69960426e64670b1766135ca2871790bb576931b958bb854204a64d4ad247f83952e30223ffd7a60eea1fdf33142d
-
Filesize
342B
MD56608f5d7379426e8cfeabdbd5faf6e40
SHA1a227ccf00e2f74ac76f7999d0935fc02814a715d
SHA256008777257e82604981964916c517dccce4eb76f2b13b2b4505d94de7b8c7481f
SHA5120753cb7d912bfec045d007de18924a5fda6960effc3b8dbc24bf4c2988d6af27b08f309ee829263aaaafcc488b1f3888a83c2176c464ccafe7282f1d910b6cb7
-
Filesize
342B
MD5bfd172ea4b79cbb9cbe39fd2892718dc
SHA14df9a472567563285ab2faa5f040189ea4fd2a45
SHA2563569dc880629d7ff4c78036b5d3369334ca100e25b71d6f1d562ca6c0ebe2f16
SHA512fcf446dc8212aed324e73507b55ee81201b73b0659f4d74d9b325ffe4ff90d68d3cc921cf1e8d5ff2e037c03f690cc3895e94945c867cba5173ab1a2f8955c94
-
Filesize
342B
MD5b852489f4fa6c9c9664a461cc3fc5e26
SHA18aff4a3e73b6f17fefe37cd122777b240dfb51b0
SHA25641c9f652a167cbe4c2a14008de519f4277c628158fa61d4087fc3e29d7729edb
SHA512c6704eb8184a5915ea7f30a54a9834c07ba968dacc152ada257496cc5d97cc5d48c3f25da13c16a1307fa436768781748acbeceeb523d134a1719ca12179b4d6
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
4KB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
32KB
-
Filesize
9.6MB
-
Filesize
2.9MB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
9.6MB