Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
114s -
max time network
206s -
platform
windows10-2004_x64 -
resource
win10v2004-20250129-en -
resource tags
arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system -
submitted
31/01/2025, 08:18
Static task
static1
Behavioral task
behavioral1
Sample
FACTURA NAVLU 246735688 30.01.25 DSV 4500728783.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
FACTURA NAVLU 246735688 30.01.25 DSV 4500728783.exe
Resource
win10v2004-20250129-en
General
-
Target
FACTURA NAVLU 246735688 30.01.25 DSV 4500728783.exe
-
Size
26KB
-
MD5
c4b6e9359dac142bc8669819f9bf6092
-
SHA1
32e7b0d35ddc72c5781825d303941d5ea17ae828
-
SHA256
96a7766f5d19b90a2818078ea5d88c40dfa121fd812216cf5cba3b48e0708b79
-
SHA512
ffc1648f771e4af44dd0327084b301036503c7c5d4f0929b543ed6588a7ff0597e5f6d49f03edea8458ba301f9d6b4f155b7a8de75fb1cf5e410369c51394f97
-
SSDEEP
384:LjLHvSSTjrknoQlgaYG3lzH0vkLV0MteGv6H6GkncKxX+:LHvSPo8gBoV09GW6GAcKxX+
Malware Config
Extracted
snakekeylogger
Protocol: smtp- Host:
smtps.aruba.it - Port:
465 - Username:
[email protected] - Password:
tecninf2017 - Email To:
[email protected]
Signatures
-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload 1 IoCs
resource yara_rule behavioral2/memory/1060-15-0x0000000000400000-0x0000000000426000-memory.dmp family_snakekeylogger -
Snakekeylogger family
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegAsm.exe Key opened \REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegAsm.exe Key opened \REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegAsm.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FACTURA NAVLU 246735688 30.01.25 DSV 4500728783 = "C:\\Users\\Admin\\Documents\\FACTURA NAVLU 246735688 30.01.25 DSV 4500728783.pif" reg.exe -
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 18 checkip.dyndns.org 20 reallyfreegeoip.org 21 reallyfreegeoip.org -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2536 set thread context of 1060 2536 FACTURA NAVLU 246735688 30.01.25 DSV 4500728783.exe 92 -
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegAsm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language FACTURA NAVLU 246735688 30.01.25 DSV 4500728783.exe -
Suspicious behavior: EnumeratesProcesses 25 IoCs
pid Process 2536 FACTURA NAVLU 246735688 30.01.25 DSV 4500728783.exe 2536 FACTURA NAVLU 246735688 30.01.25 DSV 4500728783.exe 2536 FACTURA NAVLU 246735688 30.01.25 DSV 4500728783.exe 2536 FACTURA NAVLU 246735688 30.01.25 DSV 4500728783.exe 2536 FACTURA NAVLU 246735688 30.01.25 DSV 4500728783.exe 2536 FACTURA NAVLU 246735688 30.01.25 DSV 4500728783.exe 2536 FACTURA NAVLU 246735688 30.01.25 DSV 4500728783.exe 2536 FACTURA NAVLU 246735688 30.01.25 DSV 4500728783.exe 2536 FACTURA NAVLU 246735688 30.01.25 DSV 4500728783.exe 2536 FACTURA NAVLU 246735688 30.01.25 DSV 4500728783.exe 2536 FACTURA NAVLU 246735688 30.01.25 DSV 4500728783.exe 2536 FACTURA NAVLU 246735688 30.01.25 DSV 4500728783.exe 2536 FACTURA NAVLU 246735688 30.01.25 DSV 4500728783.exe 2536 FACTURA NAVLU 246735688 30.01.25 DSV 4500728783.exe 2536 FACTURA NAVLU 246735688 30.01.25 DSV 4500728783.exe 2536 FACTURA NAVLU 246735688 30.01.25 DSV 4500728783.exe 2536 FACTURA NAVLU 246735688 30.01.25 DSV 4500728783.exe 2536 FACTURA NAVLU 246735688 30.01.25 DSV 4500728783.exe 2536 FACTURA NAVLU 246735688 30.01.25 DSV 4500728783.exe 2536 FACTURA NAVLU 246735688 30.01.25 DSV 4500728783.exe 2536 FACTURA NAVLU 246735688 30.01.25 DSV 4500728783.exe 2536 FACTURA NAVLU 246735688 30.01.25 DSV 4500728783.exe 2536 FACTURA NAVLU 246735688 30.01.25 DSV 4500728783.exe 1060 RegAsm.exe 1060 RegAsm.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2536 FACTURA NAVLU 246735688 30.01.25 DSV 4500728783.exe Token: SeDebugPrivilege 1060 RegAsm.exe -
Suspicious use of WriteProcessMemory 17 IoCs
description pid Process procid_target PID 2536 wrote to memory of 3476 2536 FACTURA NAVLU 246735688 30.01.25 DSV 4500728783.exe 87 PID 2536 wrote to memory of 3476 2536 FACTURA NAVLU 246735688 30.01.25 DSV 4500728783.exe 87 PID 2536 wrote to memory of 3476 2536 FACTURA NAVLU 246735688 30.01.25 DSV 4500728783.exe 87 PID 3476 wrote to memory of 232 3476 cmd.exe 89 PID 3476 wrote to memory of 232 3476 cmd.exe 89 PID 3476 wrote to memory of 232 3476 cmd.exe 89 PID 2536 wrote to memory of 3948 2536 FACTURA NAVLU 246735688 30.01.25 DSV 4500728783.exe 90 PID 2536 wrote to memory of 3948 2536 FACTURA NAVLU 246735688 30.01.25 DSV 4500728783.exe 90 PID 2536 wrote to memory of 3948 2536 FACTURA NAVLU 246735688 30.01.25 DSV 4500728783.exe 90 PID 2536 wrote to memory of 1060 2536 FACTURA NAVLU 246735688 30.01.25 DSV 4500728783.exe 92 PID 2536 wrote to memory of 1060 2536 FACTURA NAVLU 246735688 30.01.25 DSV 4500728783.exe 92 PID 2536 wrote to memory of 1060 2536 FACTURA NAVLU 246735688 30.01.25 DSV 4500728783.exe 92 PID 2536 wrote to memory of 1060 2536 FACTURA NAVLU 246735688 30.01.25 DSV 4500728783.exe 92 PID 2536 wrote to memory of 1060 2536 FACTURA NAVLU 246735688 30.01.25 DSV 4500728783.exe 92 PID 2536 wrote to memory of 1060 2536 FACTURA NAVLU 246735688 30.01.25 DSV 4500728783.exe 92 PID 2536 wrote to memory of 1060 2536 FACTURA NAVLU 246735688 30.01.25 DSV 4500728783.exe 92 PID 2536 wrote to memory of 1060 2536 FACTURA NAVLU 246735688 30.01.25 DSV 4500728783.exe 92 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegAsm.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegAsm.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\FACTURA NAVLU 246735688 30.01.25 DSV 4500728783.exe"C:\Users\Admin\AppData\Local\Temp\FACTURA NAVLU 246735688 30.01.25 DSV 4500728783.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2536 -
C:\Windows\SysWOW64\cmd.execmd /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "FACTURA NAVLU 246735688 30.01.25 DSV 4500728783" /t REG_SZ /F /D "C:\Users\Admin\Documents\FACTURA NAVLU 246735688 30.01.25 DSV 4500728783.pif"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3476 -
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "FACTURA NAVLU 246735688 30.01.25 DSV 4500728783" /t REG_SZ /F /D "C:\Users\Admin\Documents\FACTURA NAVLU 246735688 30.01.25 DSV 4500728783.pif"3⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:232
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c Copy "C:\Users\Admin\AppData\Local\Temp\FACTURA NAVLU 246735688 30.01.25 DSV 4500728783.exe" "C:\Users\Admin\Documents\FACTURA NAVLU 246735688 30.01.25 DSV 4500728783.pif"2⤵
- System Location Discovery: System Language Discovery
PID:3948
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:1060
-