Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
95s -
max time network
136s -
platform
windows10-2004_x64 -
resource
win10v2004-20250129-en -
resource tags
arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system -
submitted
30/01/2025, 19:48
Behavioral task
behavioral1
Sample
2025-01-30_0b9813ba7c9c24c60248df65acafed74_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
2025-01-30_0b9813ba7c9c24c60248df65acafed74_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
Resource
win10v2004-20250129-en
General
-
Target
2025-01-30_0b9813ba7c9c24c60248df65acafed74_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
-
Size
9.9MB
-
MD5
0b9813ba7c9c24c60248df65acafed74
-
SHA1
68ca5babf075ae2a481cfedad74e7900c90770ce
-
SHA256
eee6d0bb8d7461d05443ff132fda515fb7b3389ac450ba0ee38805dd2e52d897
-
SHA512
08a9c9e929a40f8f790e3149b654b4aa12e42f6e036a1210f6912ed7532d071cf76d2c57bc0e25696f37a3de5d3f6a5b21a1671c39b6318834cc508d9913425d
-
SSDEEP
98304:ecU36mIZIuKdcV7aqmhA0oL3uFE/LIgNBDLU+KH:ec4IZI85mhA0A+2zFhKH
Malware Config
Signatures
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe" 2025-01-30_0b9813ba7c9c24c60248df65acafed74_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3456 2025-01-30_0b9813ba7c9c24c60248df65acafed74_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe -
Suspicious use of WriteProcessMemory 2 IoCs
description pid Process procid_target PID 3456 wrote to memory of 4864 3456 2025-01-30_0b9813ba7c9c24c60248df65acafed74_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe 85 PID 3456 wrote to memory of 4864 3456 2025-01-30_0b9813ba7c9c24c60248df65acafed74_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe 85 -
Views/modifies file attributes 1 TTPs 1 IoCs
pid Process 4864 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2025-01-30_0b9813ba7c9c24c60248df65acafed74_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe"C:\Users\Admin\AppData\Local\Temp\2025-01-30_0b9813ba7c9c24c60248df65acafed74_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe"1⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3456 -
C:\Windows\system32\attrib.exeattrib +h +s C:\Users\Admin\AppData\Local\Temp\2025-01-30_0b9813ba7c9c24c60248df65acafed74_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe2⤵
- Views/modifies file attributes
PID:4864
-