Analysis
max time kernel: 119s
max time network: 137s
platform: windows10_x64
resource: win10
submitted: 08/07/2020, 10:13
Static task: static1
Behavioral task: behavioral2 (sample SOA.exe, resource win10)
General
Target: SOA.exe
Size: 400KB
MD5: 90003ac64105d46135fa50dd89d2de04
SHA1: 49a7177b4dca23eb1e42b1a009d3bc762a0c90db
SHA256: b9fbd47b1c2b112277e35d94b125107262e9fba1dfe33bcd3842795432bc78d5
SHA512: 4e55b099b6376fbe3dd51f3a55b5c2587076b97f7ee802965923aab6164b0d3758b6d88155bf4ca80af91748daa89e377e1a267a73711db19fc475d06102e08d
Malware Config
Extracted
Protocol: smtp
Host: smtp.yandex.ru
Port: 587
Username: [email protected]
Password: @jaffinmarknma@344
Signatures

Looks for VirtualBox Guest Additions in registry (2 TTPs, 1 IoC)
  Key opened: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions (SOA.exe)

Maps connected drives based on registry (3 TTPs, 2 IoCs)
Disk information is often read in order to detect sandboxing environments.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum (SOA.exe)
  Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 (SOA.exe)

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID 2904: schtasks.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.

Suspicious use of WriteProcessMemory (11 IoCs)
  PID   Process   Target PID   procid_target   Events
  2460  SOA.exe   2904         70              3
  2460  SOA.exe   3264         72              8

Suspicious use of SetThreadContext (1 IoC)
  PID 2460 (SOA.exe) set thread context of PID 3264 (procid_target 72)
Taken together with the process tree, the sequence of writes into a second copy of SOA.exe followed by SetThreadContext on it is the classic process-hollowing pattern: the parent launches its own image, overwrites the child's memory, and redirects a thread to the injected code. The writes into schtasks.exe (PID 2904) on their own are the ordinary side effect of CreateProcess and are not evidence of injection.

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, PID 3264 (SOA.exe)

Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 3264 (SOA.exe), 2 events

Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk, where infostealers will often target it.

Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (SOA.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (SOA.exe)

Looks for VMWare Tools registry key (2 TTPs, 1 IoC)
  Key opened: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools (SOA.exe)
Processes

C:\Users\Admin\AppData\Local\Temp\SOA.exe (PID 2460)
  Command line: "C:\Users\Admin\AppData\Local\Temp\SOA.exe"
  Signatures: Looks for VirtualBox Guest Additions in registry; Maps connected drives based on registry; Suspicious use of WriteProcessMemory; Suspicious use of SetThreadContext; Checks BIOS information in registry; Looks for VMWare Tools registry key

  C:\Windows\SysWOW64\schtasks.exe (PID 2904, child of 2460)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HEJtLPiuhcJ" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE2F8.tmp"
    Signatures: Creates scheduled task(s)
    Note: the command line names System32 but the image that ran is in SysWOW64, because the 32-bit parent is subject to WOW64 file-system redirection. The task definition lives in the tmpE2F8.tmp XML file, which is the artifact to retrieve from the run to see the trigger and the action.

  C:\Users\Admin\AppData\Local\Temp\SOA.exe (PID 3264, child of 2460)
    Command line: "C:\Users\Admin\AppData\Local\Temp\SOA.exe"
    Signatures: Suspicious use of AdjustPrivilegeToken; Suspicious behavior: EnumeratesProcesses
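The three behaviours the Signatures and Processes sections describe (anti-VM registry probing, the WriteProcessMemory/SetThreadContext hollowing sequence into a second SOA.exe, and schtasks persistence) can be correlated mechanically from the process tree and event list. The script below is an added example, not Triage's code or the report's own tooling: the process, registry and memory records are constructed from the report's IoCs, and their tuple layout is an assumption of this example rather than any sandbox's export format. One registry event for PID 3264 is a constructed negative case, not taken from the report, so the filter has something to reject.

```python
"""Correlate sandbox-style events into the three behaviours the SOA.exe report
describes: anti-VM registry probing, process hollowing (WriteProcessMemory plus
SetThreadContext into a child that runs the parent's own image) and schtasks
persistence.  Added example; the records below are constructed from the
report's IoCs and their field layout is an assumption of this example, not the
export format of any sandbox."""
import re

# Constructed process list: (pid, ppid, image path, command line).
PROCESSES = [
    (2460, 0, r"C:\Users\Admin\AppData\Local\Temp\SOA.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\SOA.exe"'),
    (2904, 2460, r"C:\Windows\SysWOW64\schtasks.exe",
     r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HEJtLPiuhcJ" '
     r'/XML "C:\Users\Admin\AppData\Local\Temp\tmpE2F8.tmp"'),
    (3264, 2460, r"C:\Users\Admin\AppData\Local\Temp\SOA.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\SOA.exe"'),
]

# Constructed registry events: (pid, operation, key path), as listed in the report.
REG_EVENTS = [
    (2460, "KeyOpened", r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions"),
    (2460, "KeyOpened", r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools"),
    (2460, "ValueQueried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"),
    (2460, "ValueQueried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion"),
    (2460, "KeyOpened", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum"),
    (2460, "ValueQueried", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0"),
    # Constructed negative case (not from the report) so the filter has something to reject.
    (3264, "KeyOpened", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"),
]

# Constructed cross-process memory events: (source pid, API, target pid).
# The report lists 3 writes into 2904 and 8 into 3264; one row per event.
MEM_EVENTS = (
    [(2460, "WriteProcessMemory", 2904)] * 3
    + [(2460, "WriteProcessMemory", 3264)] * 8
    + [(2460, "SetThreadContext", 3264)]
)

# Registry locations that only make sense to read when fingerprinting a VM/sandbox.
VM_ARTIFACT_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"\\Oracle\\VirtualBox Guest Additions$",
    r"\\VMware, Inc\.\\VMware Tools$",
    r"\\HARDWARE\\DESCRIPTION\\System\\(System|Video)BiosVersion$",
    r"\\Services\\Disk\\Enum(\\\d+)?$",
)]


def anti_vm_probes(reg_events):
    """Return (pid, key) for each registry access that hits a known
    VM/sandbox fingerprinting location."""
    return [(pid, key) for pid, _op, key in reg_events
            if any(p.search(key) for p in VM_ARTIFACT_PATTERNS)]


def hollowing_candidates(processes, mem_events):
    """Pair parent -> child where the parent both wrote into the child's memory
    and replaced a thread context.  A write alone is noise (CreateProcess itself
    writes into a new child, which is why PID 2904 shows writes too); the
    SetThreadContext is what distinguishes hollowing.  Returns
    (parent, child, same_image); same_image is True when the child was started
    from the parent's own executable, the self-injection seen in the report."""
    image = {pid: img.lower() for pid, _ppid, img, _cmd in processes}
    parent = {pid: ppid for pid, ppid, _img, _cmd in processes}
    written = {(s, t) for s, api, t in mem_events if api == "WriteProcessMemory"}
    ctx_set = {(s, t) for s, api, t in mem_events if api == "SetThreadContext"}
    return [(src, dst, image.get(src) == image.get(dst))
            for src, dst in sorted(written & ctx_set)
            if parent.get(dst) == src]


SCHTASKS_RE = re.compile(r'/TN\s+"([^"]+)".*?/XML\s+"([^"]+)"', re.IGNORECASE)


def schtasks_persistence(processes):
    """Find schtasks.exe /Create invocations and extract the task name and the
    XML definition so the analyst knows which temp file to pull from the run."""
    found = []
    for pid, ppid, img, cmd in processes:
        if not img.lower().endswith("\\schtasks.exe") or "/create" not in cmd.lower():
            continue
        m = SCHTASKS_RE.search(cmd)
        found.append({"pid": pid, "parent": ppid,
                      "task": m.group(1) if m else None,
                      "xml": m.group(2) if m else None})
    return found


def triage(processes, reg_events, mem_events):
    """One-shot summary of the three behaviours for a run."""
    return {
        "anti_vm_probes": anti_vm_probes(reg_events),
        "hollowing": hollowing_candidates(processes, mem_events),
        "scheduled_tasks": schtasks_persistence(processes),
    }


if __name__ == "__main__":
    for name, hits in triage(PROCESSES, REG_EVENTS, MEM_EVENTS).items():
        print(f"{name}: {len(hits)} hit(s)")
        for hit in hits:
            print("   ", hit)
```

Run against the constructed records it reports six anti-VM probes (all from PID 2460), exactly one hollowing pair (2460 into 3264, same image) and one scheduled task, Updates\HEJtLPiuhcJ defined by tmpE2F8.tmp. The hollowing check deliberately requires the parent/child relationship plus SetThreadContext, so the writes into schtasks.exe do not produce a false positive.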