Analysis
- max time kernel: 121s
- max time network: 136s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 30/01/2025, 06:32
Static task: static1
Behavioral task: behavioral1
- Sample: a15eb8020f01e743035823a05c7417a4ef31eaf02dee24af25cd03326561c17f.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: a15eb8020f01e743035823a05c7417a4ef31eaf02dee24af25cd03326561c17f.exe
- Resource: win10v2004-20250129-en
General
- Target: a15eb8020f01e743035823a05c7417a4ef31eaf02dee24af25cd03326561c17f.exe
- Size: 1.1MB
- MD5: 909a37e97faff915cd4906fe7684ec63
- SHA1: 5ae37a8ae70e36e9cf4f9e8895045f77eca11c51
- SHA256: a15eb8020f01e743035823a05c7417a4ef31eaf02dee24af25cd03326561c17f
- SHA512: 58bb45c2d55b4602852c0921f9aa39f3a09645689beea49b7408ce44da75eb9f9701effc765f3808e8d79eaefa9fc49531719e3d334d1d21e54ca35f78cac25d
- SSDEEP: 24576:bAHnh+eWsN3skA4RV1Hom2KXFmIaQtS2rEDjuKsV5U5j5:2h+ZkldoPK1XaQtvEDqTV5UL
Malware Config
Extracted
- Family: vipkeylogger
- Telegram Bot API URL: https://api.telegram.org/bot8043603189:AAFpR2ormgQgQpP5aDirNgZd72aHXUsGdlI/sendMessage?chat_id=2135869667
Signatures
- VIPKeylogger
  VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was found in 2020.
- Vipkeylogger family
- Drops startup file (1 IoC)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\savagenesses.vbs | savagenesses.exe
- Executes dropped EXE (2 IoCs)
  pid | Process
  2196 | savagenesses.exe
  2668 | savagenesses.exe
- Loads dropped DLL (1 IoC)
  pid | Process
  2036 | a15eb8020f01e743035823a05c7417a4ef31eaf02dee24af25cd03326561c17f.exe
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
  Key opened | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
  Key opened | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
- Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  4 | checkip.dyndns.org
  8 | reallyfreegeoip.org
  9 | reallyfreegeoip.org
- AutoIT Executable (1 IoC)
  AutoIT scripts compiled to PE executables.
  resource | yara_rule
  behavioral1/files/0x0007000000015e25-14.dat | autoit_exe
- Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  PID 2668 set thread context of 880 | 2668 | savagenesses.exe | 33
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a15eb8020f01e743035823a05c7417a4ef31eaf02dee24af25cd03326561c17f.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | savagenesses.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | savagenesses.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RegSvcs.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  880 | RegSvcs.exe
  880 | RegSvcs.exe
- Suspicious behavior: MapViewOfSection (2 IoCs)
  pid | Process
  2196 | savagenesses.exe
  2668 | savagenesses.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | Process
  Token: SeDebugPrivilege | 880 | RegSvcs.exe
- Suspicious use of FindShellTrayWindow (6 IoCs)
  pid | Process
  2036 | a15eb8020f01e743035823a05c7417a4ef31eaf02dee24af25cd03326561c17f.exe
  2036 | a15eb8020f01e743035823a05c7417a4ef31eaf02dee24af25cd03326561c17f.exe
  2196 | savagenesses.exe
  2196 | savagenesses.exe
  2668 | savagenesses.exe
  2668 | savagenesses.exe
- Suspicious use of SendNotifyMessage (6 IoCs)
  pid | Process
  2036 | a15eb8020f01e743035823a05c7417a4ef31eaf02dee24af25cd03326561c17f.exe
  2036 | a15eb8020f01e743035823a05c7417a4ef31eaf02dee24af25cd03326561c17f.exe
  2196 | savagenesses.exe
  2196 | savagenesses.exe
  2668 | savagenesses.exe
  2668 | savagenesses.exe
- Suspicious use of WriteProcessMemory (23 IoCs; identical rows collapsed, with the number of occurrences in the last column)
  description | pid | Process | procid_target | occurrences
  PID 2036 wrote to memory of 2196 | 2036 | a15eb8020f01e743035823a05c7417a4ef31eaf02dee24af25cd03326561c17f.exe | 30 | 4
  PID 2196 wrote to memory of 3048 | 2196 | savagenesses.exe | 31 | 7
  PID 2196 wrote to memory of 2668 | 2196 | savagenesses.exe | 32 | 4
  PID 2668 wrote to memory of 880 | 2668 | savagenesses.exe | 33 | 8
- outlook_office_path (1 IoC)
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
- outlook_win_path (1 IoC)
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
Processes
- [depth 1] C:\Users\Admin\AppData\Local\Temp\a15eb8020f01e743035823a05c7417a4ef31eaf02dee24af25cd03326561c17f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a15eb8020f01e743035823a05c7417a4ef31eaf02dee24af25cd03326561c17f.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 2036
  - [depth 2] C:\Users\Admin\AppData\Local\parachronism\savagenesses.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\a15eb8020f01e743035823a05c7417a4ef31eaf02dee24af25cd03326561c17f.exe"
    - Drops startup file
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID: 2196
    - [depth 3] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\a15eb8020f01e743035823a05c7417a4ef31eaf02dee24af25cd03326561c17f.exe"
      PID: 3048
    - [depth 3] C:\Users\Admin\AppData\Local\parachronism\savagenesses.exe
      Command line: "C:\Users\Admin\AppData\Local\parachronism\savagenesses.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory
      PID: 2668
      - [depth 4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        Command line: "C:\Users\Admin\AppData\Local\parachronism\savagenesses.exe"
        - Accesses Microsoft Outlook profiles
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - outlook_office_path
        - outlook_win_path
        PID: 880
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 11KB
  MD5: 02cb391fa991f4a7c4288b2636b3f432
  SHA1: 92c161c146b6d8b5f08976aefbb1b88ae2937ddb
  SHA256: 32960f8fc3a5cda77afd30fe66dedd132446acd360fc42b16c3f3cbd541d43a8
  SHA512: 818f4c28fe7d12531ea19c7df4b46ea1d1296ac6d7d922bcababc456bd295089a6e4977487dbe801ce205aab017d7c2e1b318392e9aa9bf5d912a6d0db767718
- Filesize: 242KB
  MD5: efa36559459d8a95d5d29596030bb9cb
  SHA1: dd4292faa0dc9430ab8a56ebaa29e3de2169e20d
  SHA256: cf2cd6d65a7e9be25f5fcdbbb17d69142fe1af0295a9b43328db77e91a94067c
  SHA512: cef22a7688400302f337d27f27697da7c7f4bbac78b7c7c0b302b69fe9113399b12a8f0fb94639209442c530a5e24fba5c939af4f5ac1e0c7c0a91a355c47ec0
- Filesize: 242KB
  MD5: ecccfccb8eed72dfef546a9a0369cb4d
  SHA1: 4e63476c67d038f5714742fa203a5d07edf00779
  SHA256: 83ad02f507b9b4e0e025017eaba581a869c7dadaa3370c441da280235deb8b56
  SHA512: 736dd0e323a9dd0f6b073bee5816775bc0e9b6713d3ac4c4d4adf2b0f2c767d6d5ae134aed050cd2d2afc143923559cc0b915155115a287496595392e9a949a2
- Filesize: 242KB
  MD5: b10252caed8752b40a23d52d5ef8dd81
  SHA1: f477f0eb1288d703f3118842819f8160ec156600
  SHA256: 579636708a1e25eabb7ef55fe0026a56cc71c6ad7ecb6af45d7d5a7497e3be1d
  SHA512: 5ebd9ff7fea2d9ea7b7a0e5aedfeb3c2818f242dd0dc5a28bf47791d9cce26fe84e1174223dfcf8ff989973f6064ed0dc4e05cddc0ddee0705778f4996170e15
- Filesize: 58KB
  MD5: 2533f891e58ed20a758e7d7694e14cce
  SHA1: 89058b25ad725522939f4d1a66cd53d706ae124b
  SHA256: bd1f6f108b7d53e1274736692946d1fa28e51cafa3320912edced0258ec90f6c
  SHA512: f35ced1276857655c358f6e7f5600cd2f9c89c20d9ac6ab3b0c4bed45c816c730ecee0f0012268c846faf7236e3e245327c7f2405cff69f8660a812a2b940747
- Filesize: 1.1MB
  MD5: 909a37e97faff915cd4906fe7684ec63
  SHA1: 5ae37a8ae70e36e9cf4f9e8895045f77eca11c51
  SHA256: a15eb8020f01e743035823a05c7417a4ef31eaf02dee24af25cd03326561c17f
  SHA512: 58bb45c2d55b4602852c0921f9aa39f3a09645689beea49b7408ce44da75eb9f9701effc765f3808e8d79eaefa9fc49531719e3d334d1d21e54ca35f78cac25d