Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
120s -
max time network
145s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
-
submitted
31/01/2025, 08:18
General
-
Target
FACTURA NAVLU 246735688 30.01.25 DSV 4500728783.exe
-
Size
26KB
-
MD5
c4b6e9359dac142bc8669819f9bf6092
-
SHA1
32e7b0d35ddc72c5781825d303941d5ea17ae828
-
SHA256
96a7766f5d19b90a2818078ea5d88c40dfa121fd812216cf5cba3b48e0708b79
-
SHA512
ffc1648f771e4af44dd0327084b301036503c7c5d4f0929b543ed6588a7ff0597e5f6d49f03edea8458ba301f9d6b4f155b7a8de75fb1cf5e410369c51394f97
-
SSDEEP
384:LjLHvSSTjrknoQlgaYG3lzH0vkLV0MteGv6H6GkncKxX+:LHvSPo8gBoV09GW6GAcKxX+
Malware Config
Extracted
snakekeylogger
Protocol: smtp- Host:
smtps.aruba.it - Port:
465 - Username:
[email protected] - Password:
tecninf2017 - Email To:
[email protected]
Signatures
-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload 5 IoCs
-
Snakekeylogger family
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 25 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 24 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\FACTURA NAVLU 246735688 30.01.25 DSV 4500728783.exe"C:\Users\Admin\AppData\Local\Temp\FACTURA NAVLU 246735688 30.01.25 DSV 4500728783.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "FACTURA NAVLU 246735688 30.01.25 DSV 4500728783" /t REG_SZ /F /D "C:\Users\Admin\Documents\FACTURA NAVLU 246735688 30.01.25 DSV 4500728783.pif"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "FACTURA NAVLU 246735688 30.01.25 DSV 4500728783" /t REG_SZ /F /D "C:\Users\Admin\Documents\FACTURA NAVLU 246735688 30.01.25 DSV 4500728783.pif"3⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c Copy "C:\Users\Admin\AppData\Local\Temp\FACTURA NAVLU 246735688 30.01.25 DSV 4500728783.exe" "C:\Users\Admin\Documents\FACTURA NAVLU 246735688 30.01.25 DSV 4500728783.pif"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
6.9MB
-
Filesize
48KB
-
Filesize
6.9MB
-
Filesize
912KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
152KB
-
Filesize
4KB
-
Filesize
152KB
-
Filesize
152KB
-
Filesize
152KB
-
Filesize
152KB
-
Filesize
152KB
-
Filesize
152KB