Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    148s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7
  • submitted
    09/07/2020, 14:27

General

  • Target

    Mopigyo.exe

  • Size

    546KB

  • MD5

    790d5b40c6c93e4b5b404c61de360acc

  • SHA1

    a50f19294e5553b62f26792c43b5ee1d94efe04e

  • SHA256

    74d74e7da724014c17890327f3464b435314f480eb46553723ce0766941b38da

  • SHA512

    57bfba46ac49d674fd09332d055c9be45112dc53805e4e102f748a65b016cbc62459a7cebb257a993afb022eb9c35a33f68c5ebd4009c0979497626b4e7c6626

Malware Config

Signatures

  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Adds Run entry to policy start application 2 TTPs 2 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs
  • Suspicious behavior: EnumeratesProcesses 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Adds Run entry to start application 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Checks whether UAC is enabled
    • Suspicious use of WriteProcessMemory
    • Suspicious use of SendNotifyMessage
    PID:1248
    • C:\Users\Admin\AppData\Local\Temp\Mopigyo.exe
      "C:\Users\Admin\AppData\Local\Temp\Mopigyo.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1156
      • C:\Program Files (x86)\internet explorer\ieinstal.exe
        "C:\Program Files (x86)\internet explorer\ieinstal.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of SetThreadContext
        PID:1072
    • C:\Windows\SysWOW64\cmmon32.exe
      "C:\Windows\SysWOW64\cmmon32.exe"
      2⤵
      • Adds Run entry to policy start application
      • Suspicious use of WriteProcessMemory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Adds Run entry to start application
      • Modifies Internet Explorer settings
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of SetThreadContext
      PID:1556
      • C:\Program Files\Mozilla Firefox\Firefox.exe
        "C:\Program Files\Mozilla Firefox\Firefox.exe"
        3⤵
          PID:1144

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1144-7-0x000000013F400000-0x000000013F493000-memory.dmp

      Filesize

      588KB

    • memory/1156-0-0x0000000010410000-0x000000001043D000-memory.dmp

      Filesize

      180KB

    • memory/1556-3-0x0000000000EA0000-0x0000000000EAD000-memory.dmp

      Filesize

      52KB

    • memory/1556-4-0x0000000003080000-0x00000000031DC000-memory.dmp

      Filesize

      1.4MB

    • memory/1556-5-0x00000000039F0000-0x0000000003B28000-memory.dmp

      Filesize

      1.2MB