Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
120s -
max time network
145s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
31/01/2025, 08:18
Static task
static1
Behavioral task
behavioral1
Sample
FACTURA NAVLU 246735688 30.01.25 DSV 4500728783.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
FACTURA NAVLU 246735688 30.01.25 DSV 4500728783.exe
Resource
win10v2004-20250129-en
General
-
Target
FACTURA NAVLU 246735688 30.01.25 DSV 4500728783.exe
-
Size
26KB
-
MD5
c4b6e9359dac142bc8669819f9bf6092
-
SHA1
32e7b0d35ddc72c5781825d303941d5ea17ae828
-
SHA256
96a7766f5d19b90a2818078ea5d88c40dfa121fd812216cf5cba3b48e0708b79
-
SHA512
ffc1648f771e4af44dd0327084b301036503c7c5d4f0929b543ed6588a7ff0597e5f6d49f03edea8458ba301f9d6b4f155b7a8de75fb1cf5e410369c51394f97
-
SSDEEP
384:LjLHvSSTjrknoQlgaYG3lzH0vkLV0MteGv6H6GkncKxX+:LHvSPo8gBoV09GW6GAcKxX+
Malware Config
Extracted
snakekeylogger
Protocol: smtp- Host:
smtps.aruba.it - Port:
465 - Username:
[email protected] - Password:
tecninf2017 - Email To:
[email protected]
Signatures
-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload 5 IoCs
resource yara_rule behavioral1/memory/2252-20-0x0000000000400000-0x0000000000426000-memory.dmp family_snakekeylogger behavioral1/memory/2252-22-0x0000000000400000-0x0000000000426000-memory.dmp family_snakekeylogger behavioral1/memory/2252-14-0x0000000000400000-0x0000000000426000-memory.dmp family_snakekeylogger behavioral1/memory/2252-12-0x0000000000400000-0x0000000000426000-memory.dmp family_snakekeylogger behavioral1/memory/2252-18-0x0000000000400000-0x0000000000426000-memory.dmp family_snakekeylogger -
Snakekeylogger family
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegAsm.exe Key opened \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegAsm.exe Key opened \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegAsm.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\FACTURA NAVLU 246735688 30.01.25 DSV 4500728783 = "C:\\Users\\Admin\\Documents\\FACTURA NAVLU 246735688 30.01.25 DSV 4500728783.pif" reg.exe -
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 6 checkip.dyndns.org 10 reallyfreegeoip.org 11 reallyfreegeoip.org -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2004 set thread context of 2252 2004 FACTURA NAVLU 246735688 30.01.25 DSV 4500728783.exe 35 -
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language FACTURA NAVLU 246735688 30.01.25 DSV 4500728783.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegAsm.exe -
Suspicious behavior: EnumeratesProcesses 25 IoCs
pid Process 2004 FACTURA NAVLU 246735688 30.01.25 DSV 4500728783.exe 2004 FACTURA NAVLU 246735688 30.01.25 DSV 4500728783.exe 2004 FACTURA NAVLU 246735688 30.01.25 DSV 4500728783.exe 2004 FACTURA NAVLU 246735688 30.01.25 DSV 4500728783.exe 2004 FACTURA NAVLU 246735688 30.01.25 DSV 4500728783.exe 2004 FACTURA NAVLU 246735688 30.01.25 DSV 4500728783.exe 2004 FACTURA NAVLU 246735688 30.01.25 DSV 4500728783.exe 2004 FACTURA NAVLU 246735688 30.01.25 DSV 4500728783.exe 2004 FACTURA NAVLU 246735688 30.01.25 DSV 4500728783.exe 2004 FACTURA NAVLU 246735688 30.01.25 DSV 4500728783.exe 2004 FACTURA NAVLU 246735688 30.01.25 DSV 4500728783.exe 2004 FACTURA NAVLU 246735688 30.01.25 DSV 4500728783.exe 2004 FACTURA NAVLU 246735688 30.01.25 DSV 4500728783.exe 2004 FACTURA NAVLU 246735688 30.01.25 DSV 4500728783.exe 2004 FACTURA NAVLU 246735688 30.01.25 DSV 4500728783.exe 2004 FACTURA NAVLU 246735688 30.01.25 DSV 4500728783.exe 2004 FACTURA NAVLU 246735688 30.01.25 DSV 4500728783.exe 2004 FACTURA NAVLU 246735688 30.01.25 DSV 4500728783.exe 2004 FACTURA NAVLU 246735688 30.01.25 DSV 4500728783.exe 2004 FACTURA NAVLU 246735688 30.01.25 DSV 4500728783.exe 2004 FACTURA NAVLU 246735688 30.01.25 DSV 4500728783.exe 2004 FACTURA NAVLU 246735688 30.01.25 DSV 4500728783.exe 2004 FACTURA NAVLU 246735688 30.01.25 DSV 4500728783.exe 2252 RegAsm.exe 2252 RegAsm.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2004 FACTURA NAVLU 246735688 30.01.25 DSV 4500728783.exe Token: SeDebugPrivilege 2252 RegAsm.exe -
Suspicious use of WriteProcessMemory 24 IoCs
description pid Process procid_target PID 2004 wrote to memory of 2920 2004 FACTURA NAVLU 246735688 30.01.25 DSV 4500728783.exe 30 PID 2004 wrote to memory of 2920 2004 FACTURA NAVLU 246735688 30.01.25 DSV 4500728783.exe 30 PID 2004 wrote to memory of 2920 2004 FACTURA NAVLU 246735688 30.01.25 DSV 4500728783.exe 30 PID 2004 wrote to memory of 2920 2004 FACTURA NAVLU 246735688 30.01.25 DSV 4500728783.exe 30 PID 2920 wrote to memory of 2096 2920 cmd.exe 32 PID 2920 wrote to memory of 2096 2920 cmd.exe 32 PID 2920 wrote to memory of 2096 2920 cmd.exe 32 PID 2920 wrote to memory of 2096 2920 cmd.exe 32 PID 2004 wrote to memory of 2880 2004 FACTURA NAVLU 246735688 30.01.25 DSV 4500728783.exe 33 PID 2004 wrote to memory of 2880 2004 FACTURA NAVLU 246735688 30.01.25 DSV 4500728783.exe 33 PID 2004 wrote to memory of 2880 2004 FACTURA NAVLU 246735688 30.01.25 DSV 4500728783.exe 33 PID 2004 wrote to memory of 2880 2004 FACTURA NAVLU 246735688 30.01.25 DSV 4500728783.exe 33 PID 2004 wrote to memory of 2252 2004 FACTURA NAVLU 246735688 30.01.25 DSV 4500728783.exe 35 PID 2004 wrote to memory of 2252 2004 FACTURA NAVLU 246735688 30.01.25 DSV 4500728783.exe 35 PID 2004 wrote to memory of 2252 2004 FACTURA NAVLU 246735688 30.01.25 DSV 4500728783.exe 35 PID 2004 wrote to memory of 2252 2004 FACTURA NAVLU 246735688 30.01.25 DSV 4500728783.exe 35 PID 2004 wrote to memory of 2252 2004 FACTURA NAVLU 246735688 30.01.25 DSV 4500728783.exe 35 PID 2004 wrote to memory of 2252 2004 FACTURA NAVLU 246735688 30.01.25 DSV 4500728783.exe 35 PID 2004 wrote to memory of 2252 2004 FACTURA NAVLU 246735688 30.01.25 DSV 4500728783.exe 35 PID 2004 wrote to memory of 2252 2004 FACTURA NAVLU 246735688 30.01.25 DSV 4500728783.exe 35 PID 2004 wrote to memory of 2252 2004 FACTURA NAVLU 246735688 30.01.25 DSV 4500728783.exe 35 PID 2004 wrote to memory of 2252 2004 FACTURA NAVLU 246735688 30.01.25 DSV 4500728783.exe 35 PID 2004 wrote to memory of 2252 2004 FACTURA NAVLU 246735688 30.01.25 DSV 4500728783.exe 35 PID 2004 wrote to memory of 2252 2004 FACTURA NAVLU 246735688 30.01.25 DSV 4500728783.exe 35 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegAsm.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegAsm.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\FACTURA NAVLU 246735688 30.01.25 DSV 4500728783.exe"C:\Users\Admin\AppData\Local\Temp\FACTURA NAVLU 246735688 30.01.25 DSV 4500728783.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2004 -
C:\Windows\SysWOW64\cmd.execmd /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "FACTURA NAVLU 246735688 30.01.25 DSV 4500728783" /t REG_SZ /F /D "C:\Users\Admin\Documents\FACTURA NAVLU 246735688 30.01.25 DSV 4500728783.pif"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2920 -
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "FACTURA NAVLU 246735688 30.01.25 DSV 4500728783" /t REG_SZ /F /D "C:\Users\Admin\Documents\FACTURA NAVLU 246735688 30.01.25 DSV 4500728783.pif"3⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:2096
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c Copy "C:\Users\Admin\AppData\Local\Temp\FACTURA NAVLU 246735688 30.01.25 DSV 4500728783.exe" "C:\Users\Admin\Documents\FACTURA NAVLU 246735688 30.01.25 DSV 4500728783.pif"2⤵
- System Location Discovery: System Language Discovery
PID:2880
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:2252
-