Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
  max time kernel:   148s
  max time network:  148s
  platform:          windows7_x64
  resource:          win7
  submitted:         09/07/2020, 14:27
Static task
  static1

Behavioral task
  behavioral1
  Sample:    Mopigyo.exe
  Resource:  win7
  0 signatures, 0 seconds

Behavioral task
  behavioral2
  Sample:    Mopigyo.exe
  Resource:  win10v200430
  0 signatures, 0 seconds
General
  Target:  Mopigyo.exe
  Size:    546KB
  MD5:     790d5b40c6c93e4b5b404c61de360acc
  SHA1:    a50f19294e5553b62f26792c43b5ee1d94efe04e
  SHA256:  74d74e7da724014c17890327f3464b435314f480eb46553723ce0766941b38da
  SHA512:  57bfba46ac49d674fd09332d055c9be45112dc53805e4e102f748a65b016cbc62459a7cebb257a993afb022eb9c35a33f68c5ebd4009c0979497626b4e7c6626
  Score:   8/10
Malware Config
Signatures
Suspicious use of FindShellTrayWindow (5 IoCs)
  count  pid   Process
  5      1248  Explorer.EXE

Reads user/profile data of web browsers (2 TTPs)
  Infostealers commonly harvest stored browser data, which can include saved credentials, cookies and form-autocomplete entries. No individual IoC rows are listed for this signature.

Checks whether UAC is enabled
  description        ioc                                                                                   Process
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  Explorer.EXE
Adds Run entry to policy start application (2 TTPs, 2 IoCs)
  description      ioc                                                                                                                                                                                  Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\IPBXN4NH5JT = "C:\\Program Files (x86)\\internet explorer\\ieinstal.exe"  cmmon32.exe
  Key created      \Registry\User\S-1-5-21-1131729243-447456001-3632642222-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run                                                            cmmon32.exe

Suspicious use of WriteProcessMemory (19 IoCs)
  count  description                        pid   Process       procid_target
  10     PID 1156 wrote to memory of 1072   1156  Mopigyo.exe   26
  4      PID 1248 wrote to memory of 1556   1248  Explorer.EXE  27
  5      PID 1556 wrote to memory of 1144   1556  cmmon32.exe   28

Suspicious behavior: EnumeratesProcesses (26 IoCs)
  count  pid   Process
  2      1072  ieinstal.exe
  24     1556  cmmon32.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  1072  ieinstal.exe
  Token: SeDebugPrivilege  1556  cmmon32.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
  No IoC rows are listed for this signature.

Adds Run entry to start application (2 TTPs, 1 IoCs)
  description  ioc                                                                                                          Process
  Key created  \Registry\User\S-1-5-21-1131729243-447456001-3632642222-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run  cmmon32.exe

Modifies Internet Explorer settings
  description  ioc                                                                                                                  Process
  Key created  \Registry\User\S-1-5-21-1131729243-447456001-3632642222-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2  cmmon32.exe
  IntelliForms\Storage2 is Internet Explorer's AutoComplete store for saved form data and credentials, so this row is the concrete trace behind the "Reads user/profile data of web browsers" TTP above.
Suspicious behavior: MapViewOfSection (7 IoCs)
  count  pid   Process
  3      1072  ieinstal.exe
  4      1556  cmmon32.exe

Suspicious use of SetThreadContext (2 IoCs)
  description                          pid   Process       procid_target
  PID 1072 set thread context of 1248  1072  ieinstal.exe  20
  PID 1556 set thread context of 1248  1556  cmmon32.exe   20
  Both calls target PID 1248, which is Explorer.EXE, the root of the process tree below. Read together with the WriteProcessMemory rows, the chain is: Mopigyo.exe (1156) writes into ieinstal.exe (1072), which then hijacks a thread in Explorer.EXE; Explorer.EXE (1248) in turn writes into cmmon32.exe (1556), which hijacks a thread in Explorer.EXE again. The Explorer.EXE -> cmmon32.exe spawn and write are therefore consistent with code injected into the shell, not with Explorer's own behaviour.

Suspicious use of SendNotifyMessage (4 IoCs)
  count  pid   Process
  4      1248  Explorer.EXE
Processes
  C:\Windows\Explorer.EXE  (PID 1248)
    command line: C:\Windows\Explorer.EXE
    - Suspicious use of FindShellTrayWindow
    - Checks whether UAC is enabled
    - Suspicious use of WriteProcessMemory
    - Suspicious use of SendNotifyMessage
    C:\Users\Admin\AppData\Local\Temp\Mopigyo.exe  (PID 1156)
      command line: "C:\Users\Admin\AppData\Local\Temp\Mopigyo.exe"
      - Suspicious use of WriteProcessMemory
      C:\Program Files (x86)\internet explorer\ieinstal.exe  (PID 1072)
        command line: "C:\Program Files (x86)\internet explorer\ieinstal.exe"
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of SetThreadContext
    C:\Windows\SysWOW64\cmmon32.exe  (PID 1556)
      command line: "C:\Windows\SysWOW64\cmmon32.exe"
      - Adds Run entry to policy start application
      - Suspicious use of WriteProcessMemory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Adds Run entry to start application
      - Modifies Internet Explorer settings
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of SetThreadContext
      C:\Program Files\Mozilla Firefox\Firefox.exe  (PID 1144)
        command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
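The signature tables in this report are flat IoC rows, and the two questions an analyst actually wants answered from them are "who injects into whom" and "which registry writes land in autostart or browser-credential locations". The Python script below is an added example, not code from tria.ge or from the sample's analysis: it parses rows in the format shown above (the regular expressions are this example's guess at that format, not a tria.ge API), builds the injection graph, flags any process that tampers with one of its own ancestors (as ieinstal.exe and cmmon32.exe do with Explorer.EXE here), attributes cross-process writes made by a process whose thread context was hijacked, and classifies the registry IoCs against a small assumed list of autostart and browser-data keys. The IoC lines and the parent/child map are copied from this report with duplicate rows collapsed.

```python
import re
from typing import Dict, List, Optional, Tuple

# Parent map taken from the "Processes" section of the report (pid -> parent pid).
PROCESS_TREE: Dict[int, Optional[int]] = {
    1248: None,   # Explorer.EXE (root)
    1156: 1248,   # Mopigyo.exe
    1072: 1156,   # ieinstal.exe
    1556: 1248,   # cmmon32.exe
    1144: 1556,   # Firefox.exe
}

# IoC rows copied from the signature tables above, one per line, with the
# identical repeated WriteProcessMemory rows collapsed to a single row each.
SAMPLE_IOCS = r"""
PID 1156 wrote to memory of 1072 1156 Mopigyo.exe 26
PID 1248 wrote to memory of 1556 1248 Explorer.EXE 27
PID 1556 wrote to memory of 1144 1556 cmmon32.exe 28
PID 1072 set thread context of 1248 1072 ieinstal.exe 20
PID 1556 set thread context of 1248 1556 cmmon32.exe 20
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Explorer.EXE
Set value (str) \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\IPBXN4NH5JT = "C:\\Program Files (x86)\\internet explorer\\ieinstal.exe" cmmon32.exe
Key created \Registry\User\S-1-5-21-1131729243-447456001-3632642222-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run cmmon32.exe
Key created \Registry\User\S-1-5-21-1131729243-447456001-3632642222-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 cmmon32.exe
"""

# Assumed row format: "PID <src> <api> <dst> <pid> <process> <procid_target>".
INJECT_RE = re.compile(
    r"^PID (\d+) (wrote to memory of|set thread context of) (\d+) \d+ (\S+) \d+$")
# Assumed row format: "<operation> <key>[ = "<value>"] <process>". The process is
# the last token, so the key itself may contain spaces ("Internet Explorer").
REG_RE = re.compile(
    r"^(Set value \(\w+\)|Key created|Key value queried) (.+) (\S+)$")

# Assumed classification table; extend with other autostart locations as needed.
KEY_CATEGORIES = [
    (re.compile(r"\\CurrentVersion\\Policies\\Explorer\\Run", re.I),
     "persistence: Policies\\Explorer\\Run"),
    (re.compile(r"\\CurrentVersion\\Run(\\|$)", re.I),
     "persistence: CurrentVersion\\Run"),
    (re.compile(r"\\Internet Explorer\\IntelliForms\\Storage2", re.I),
     "browser-data: IE IntelliForms AutoComplete store"),
    (re.compile(r"\\Policies\\System\\EnableLUA$", re.I),
     "recon: UAC (EnableLUA) check"),
]

def ancestors(pid: int, tree: Dict[int, Optional[int]]) -> List[int]:
    """Walk parent links up to the root; returns [] for the root itself."""
    chain = []
    parent = tree.get(pid)
    while parent is not None:
        chain.append(parent)
        parent = tree.get(parent)
    return chain

def parse_injections(text: str) -> List[dict]:
    """Turn WriteProcessMemory / SetThreadContext rows into src -> dst edges."""
    edges = []
    for line in text.strip().splitlines():
        m = INJECT_RE.match(line.strip())
        if m:
            edges.append({"src": int(m.group(1)), "api": m.group(2),
                          "dst": int(m.group(3)), "src_name": m.group(4)})
    return edges

def classify_registry(text: str) -> List[dict]:
    """Split registry rows into operation / key / value / process and label the key."""
    events = []
    for line in text.strip().splitlines():
        m = REG_RE.match(line.strip())
        if not m:
            continue
        op, target, proc = m.groups()
        key, _, value = target.partition(" = ")
        category = next((label for rx, label in KEY_CATEGORIES if rx.search(key)), "other")
        events.append({"op": op, "key": key, "value": value.strip('"'),
                       "process": proc, "category": category})
    return events

def ancestor_injections(edges: List[dict], tree) -> List[Tuple[int, int]]:
    """(src, dst) pairs where a process writes into or hijacks one of its own
    ancestors; benign software does not modify the shell that launched it."""
    return [(e["src"], e["dst"]) for e in edges if e["dst"] in ancestors(e["src"], tree)]

def hijacked_writers(edges: List[dict]) -> List[Tuple[int, int]]:
    """Cross-process writes issued by a process that itself had its thread
    context set by another process, i.e. writes attributable to injected code."""
    hijacked = {e["dst"] for e in edges if e["api"] == "set thread context of"}
    return [(e["src"], e["dst"]) for e in edges
            if e["api"] == "wrote to memory of" and e["src"] in hijacked]

def triage(text: str, tree: Dict[int, Optional[int]]) -> dict:
    edges = parse_injections(text)
    return {"injections": edges,
            "ancestor_injections": ancestor_injections(edges, tree),
            "hijacked_writers": hijacked_writers(edges),
            "registry": classify_registry(text)}

if __name__ == "__main__":
    result = triage(SAMPLE_IOCS, PROCESS_TREE)
    for e in result["injections"]:
        print(f"{e['src']} ({e['src_name']}) {e['api']} {e['dst']}")
    print("injects into own ancestor:", result["ancestor_injections"])
    print("writes by hijacked process:", result["hijacked_writers"])
    for r in result["registry"]:
        print(f"[{r['category']}] {r['op']} {r['key']} by {r['process']}")
```

Run as a script it prints the edge list, the two ancestor injections (1072 -> 1248 and 1556 -> 1248) and the one write made by the hijacked Explorer.EXE (1248 -> 1556), followed by the four labelled registry events; `triage()` returns the same data for use in a pipeline, and only the regexes need adjusting if the row layout differs from this report.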