Tasks

Task  | Sample                                                                | Resource | Signatures
task1 | 82690874bd3b94f1aa345668c5333c8eb231721304ad6143179026b593c018f1.exe | win7     | 0 signatures
task2 | 82690874bd3b94f1aa345668c5333c8eb231721304ad6143179026b593c018f1.exe | win10    | 0 signatures
General

Target: 82690874bd3b94f1aa345668c5333c8eb231721304ad6143179026b593c018f1
Sample: 191001-jp6wg36eee
SHA256: 82690874bd3b94f1aa345668c5333c8eb231721304ad6143179026b593c018f1
Score:  N/A
Malware Config
Signatures

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory (2 IoCs)

at    | description                       | process                                                               | procid_target
672   | PID 3740 wrote to memory of 3816  | 82690874bd3b94f1aa345668c5333c8eb231721304ad6143179026b593c018f1.exe | 38
12281 | PID 2928 wrote to memory of 2840  | tabletmspterm.exe                                                     | 41

Mutex IoCs

description     | ioc              | process
Mutant created  | Global\I145925EC | 82690874bd3b94f1aa345668c5333c8eb231721304ad6143179026b593c018f1.exe
Mutant created  | Global\I145925EC | tabletmspterm.exe

description     | ioc              | process
Mutant created  | Global\M145925EC | 82690874bd3b94f1aa345668c5333c8eb231721304ad6143179026b593c018f1.exe
Mutant created  | Global\M145925EC | tabletmspterm.exe

Drops file in system dir (11 IoCs)

at    | description                  | ioc                                                                                                                  | process
9000  | File renamed                 | C:\Users\Admin\AppData\Local\Temp\82690874bd3b94f1aa345668c5333c8eb231721304ad6143179026b593c018f1.exe => C:\Windows\SysWOW64\tabletmspterm.exe | 82690874bd3b94f1aa345668c5333c8eb231721304ad6143179026b593c018f1.exe
33875 | File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat                     | tabletmspterm.exe
33984 | File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5                       | tabletmspterm.exe
33984 | File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE                                | tabletmspterm.exe
33984 | File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies                                 | tabletmspterm.exe
33984 | File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5                         | tabletmspterm.exe
35281 | File created (read-only)     | C:\Windows\TEMP\22F4.tmp                                                                                             | tabletmspterm.exe
35281 | File deleted                 | C:\Windows\Temp\22F4.tmp                                                                                             | tabletmspterm.exe
35359 | File created                 | C:\Windows\SysWOW64\tabletmsptermb.exe                                                                               | tabletmspterm.exe
35359 | File opened for modification | C:\Windows\SysWOW64\tabletmsptermb.exe                                                                               | tabletmspterm.exe
35359 | File deleted                 | C:\Windows\SysWOW64\tabletmsptermb.exe                                                                               | tabletmspterm.exe

Suspicious behavior: RenamesItself

Suspicious behavior: EnumeratesProcesses

emotet family
Processes

C:\Users\Admin\AppData\Local\Temp\82690874bd3b94f1aa345668c5333c8eb231721304ad6143179026b593c018f1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\82690874bd3b94f1aa345668c5333c8eb231721304ad6143179026b593c018f1.exe"
  PID: 3740
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\82690874bd3b94f1aa345668c5333c8eb231721304ad6143179026b593c018f1.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\82690874bd3b94f1aa345668c5333c8eb231721304ad6143179026b593c018f1.exe --794fc4a9
    PID: 3816
    - Emotet Mutex I
    - Emotet Mutex II
    - Drops file in system dir

C:\Windows\SysWOW64\tabletmspterm.exe
  Command line: "C:\Windows\SysWOW64\tabletmspterm.exe"
  PID: 2928
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\tabletmspterm.exe
    Command line: C:\Windows\SysWOW64\tabletmspterm.exe --356fff06
    PID: 2840
    - Emotet Mutex I
    - Emotet Mutex II
    - Drops file in system dir