Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
121s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
26/02/2025, 18:04
General
-
Target
WinWord.exe
-
Size
6.9MB
-
MD5
389390bf696737deedaaf10a90d407d1
-
SHA1
87758da2fe832f302032e904eb13994c70023825
-
SHA256
d3f31c512033046c4209c5af1352f3ce36d1af39f84946c22ca3e25da6539734
-
SHA512
4b1ff3b939a22250222afc6ded49e636b76cc602ea67a587a70dac2deafabf5446f1eb27feb688b3d7759b9b4bcd46f016c8f98b42cba29920045031da6551b0
-
SSDEEP
196608:I/9sLB5t3JJQGR2nroh1L9cDIw4v6N+ED6JwtPnoDAMzvaqx/D:u6tdJ2rIcIw4vjbJCfoF+KD
Malware Config
Extracted
stealerium
https://discord.com/api/webhooks/1038709348303650857/DLQdA51dlH2mWOgr-jjNC0jvu25-oWapgKwxpsqsFwOSYLm4gQOEdFE6XXg7_sReK0AB
Signatures
-
DarkTrack
DarkTrack is a remote administration tool written in delphi.
-
DarkTrack payload 10 IoCs
-
Darktrack family
-
Stealerium
An open source info stealer written in C# first seen in May 2022.
-
Stealerium family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
-
Checks BIOS information in registry 2 TTPs 6 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 8 IoCs
-
Identifies Wine through registry keys 2 TTPs 3 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 8 IoCs
-
Modifies file permissions 1 TTPs 3 IoCs
-
Checks whether UAC is enabled 1 TTPs 3 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
UPX packed file 3 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 17 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Delays execution with timeout.exe 1 IoCs
-
Kills process with taskkill 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\WinWord.exe"C:\Users\Admin\AppData\Local\Temp\WinWord.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Hgmuvfd.exe"C:\Users\Admin\AppData\Local\Temp\Hgmuvfd.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Hgmuvfd.exe"C:\Users\Admin\AppData\Local\Temp\Hgmuvfd.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\AppData\Local\Temp\Djejga.exe"C:\Users\Admin\AppData\Local\Temp\Djejga.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Djejga.exe"C:\Users\Admin\AppData\Local\Temp\Djejga.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\ctfmon.exe"C:\Users\Admin\AppData\Roaming\ctfmon.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\ctfmon.exe"C:\Users\Admin\AppData\Roaming\ctfmon.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Kgnzgrpvr.exe"C:\Users\Admin\AppData\Local\Temp\Kgnzgrpvr.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Users\Admin\AppData\Roaming\Certificates" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)" & icacls "C:\Users\Admin\AppData\Roaming\Certificates" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)" & icacls "C:\Users\Admin\AppData\Roaming\Certificates" /inheritance:e /deny "Admin:(R,REA,RA,RD)"3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Roaming\Certificates" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)"4⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Roaming\Certificates" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)"4⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Roaming\Certificates" /inheritance:e /deny "Admin:(R,REA,RA,RD)"4⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Lmfekeldirxz.exe"C:\Users\Admin\AppData\Local\Temp\Lmfekeldirxz.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpBAE6.tmp.bat3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\chcp.comchcp 650014⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\taskkill.exeTaskKill /F /IM 5364⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\timeout.exeTimeout /T 2 /Nobreak4⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
-
-
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {5A8D14C0-6CE5-4E6B-BEC4-A62F93D9085C} S-1-5-21-312935884-697965778-3955649944-1000:MXQFNXLT\Admin:Interactive:[1]1⤵
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
File and Directory Permissions Modification
1Pre-OS Boot
1Bootkit
1Virtualization/Sandbox Evasion
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
16B
MD5636613c40c1b5affc836b6d8608c78f4
SHA193b49a30a30fe5d44bc2682fa1cd611459fd99db
SHA256d00a935f81c1a3ff358c7cef5783bbbe380287b5ed8a7e87097418bf48eb3be2
SHA5121705d9d593e4c6f173a5f617246fe94bbf44de02e6a940492b60adbb7abec1c32086744440827d6a508bd7baec87f653d59561b4d79a22c1554e686302ba7c68
-
Filesize
224KB
MD514bc123a8209f7c21aacea4cd179fbec
SHA1e602df06e8f03dfa99d5234544e93c63f45ab97b
SHA256eeb5a75e3231ee95a2340be3767ca41c3aec92c2d46b90f1d67fdfec0d254f7e
SHA51263b71f24b5876432d80de7eff3a78d40d308baf208566945f6a331f4254aff886a18763d6becc503dda02bfd251588221c9a10a59fd96d495ed4e205d06ad6dd
-
Filesize
56B
MD5b57d7c9cc4f2add16780a8503ef17d13
SHA15b5b436b17e50f485b29d73538637a918625b557
SHA256b5c48fe1a2566eedc56d691330702a338ece96a43a996c3fc566924ab10856aa
SHA512088de4cacba806e00d875c914a652cdd164f8c9a62525a9eab1a374f57aefc599ee841164e1380000971ed5745c14608ad2470868ba491039b7dca04b0df7617
-
Filesize
2.1MB
MD578d3152616dedb9801ce61015324ae8a
SHA1e8a31f392db771e8ca7759c11de53519a48e0fc0
SHA25698d8fec346fc1865dc8b620f74826f484fe9c0c705dc9d58c5f44df934a01208
SHA51220ab9c27d1b1774859adf5304f10118e63c43db978d6d884aa1deb5c53b1884d5529350a3f0d8fd66b0d99dc19653c431d5f508b0ebc718783bd16083f52daf3
-
Filesize
652KB
MD5f9a67d8b903d4c3b27b55d1bfdd5c70c
SHA1d78b8da5b3ffdd55bd30912a36c69d5a5752fa95
SHA256e8b943f45cc37ddc9e594eb3ccc7057820f54939bd9b38b1b3703a14da52e01f
SHA51263d762e4f0fb7302c1731e8e907f2efb207be5ea7f57aa29aad2a34e7c09d0d1976ef429e1668bd0869d2f9c341ac5c1da953725c3cd83cf655875a8cdab90e3
-
Filesize
3.0MB
MD50372cb4f806947727400d1937f3e8063
SHA189aee134a5226e103f702f434a059c601eebf336
SHA2565f2b46e3cfb853b3be645309ea8378f6535bf7128e0794ff9ab2ef0972554e8a
SHA512b92f743d4fd4101bee6e6a8becba6be698f36ac83a18b0913bf0bc22d8a0ca57ea1bf659936a9398f729ed6b0f323bb437e6a67b4e0d5a79efba0baadf093fe1
-
Filesize
5.1MB
-
Filesize
5.1MB
-
Filesize
5.1MB
-
Filesize
5.1MB
-
Filesize
5.1MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
32KB
-
Filesize
248KB
-
Filesize
4.1MB
-
Filesize
4.1MB
-
Filesize
4.1MB
-
Filesize
4.1MB
-
Filesize
4KB
-
Filesize
4.1MB
-
Filesize
8.9MB
-
Filesize
1.3MB
-
Filesize
8KB
-
Filesize
8.9MB
-
Filesize
5.1MB
-
Filesize
5.5MB
-
Filesize
8.9MB
-
Filesize
8.9MB
-
Filesize
248KB
-
Filesize
4KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
4.1MB
-
Filesize
672KB
-
Filesize
4.1MB
-
Filesize
672KB
-
Filesize
672KB
-
Filesize
672KB
-
Filesize
672KB
-
Filesize
672KB
-
Filesize
672KB
-
Filesize
672KB
-
Filesize
4KB
-
Filesize
672KB
-
Filesize
672KB
-
Filesize
672KB
-
Filesize
672KB