Analysis
max time kernel: 150s
max time network: 151s
platform: windows7_x64
resource: win7v20201028
submitted: 25/01/2021, 08:35
Static task
static1
Behavioral task
behavioral1: sample m)hhm.exe, resource win7v20201028
Behavioral task
behavioral2: sample m)hhm.exe, resource win10v20201028
General
Target: m)hhm.exe
Size: 3.5MB
MD5: 6bc5f53d4082f12dd83aca45bae81e64
SHA1: 1fb4cd155393db202b0ceed59ff49a10329b2592
SHA256: f868e88eb2524d15cfcd87afdf697074e0f9785792f342044501347dce549a1f
SHA512: 05b430fe0a57373098e648fa19e3ef47b5e64ecb6fca414e8b7b66c23d7c6da626f6ac3c15115edde4421344b0ead7a6ea015791f42d853fe14af631cbca831e
Malware Config
Extracted
zebrocy
http://89.37.226.148/technet-support/library/online-service-description.php?id_name=
Signatures
Adds Run key to start application 2 TTPs 2 IoCs
Key created: \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run (reg.exe)
Set value (str): \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\Driveupd = "C:\\Users\\Admin\\AppData\\Roaming\\\\Identities\\\\{83AF1378-986F-1673-091A-02681FA62C3B}\\\\w32srv.exe" (reg.exe)
Collects information from the system 1 TTPs 1 IoCs
Uses WMIC.exe to find detailed system information.
PID 1560 WMIC.exe
Enumerates processes with tasklist 1 TTPs 1 IoCs
PID 336 tasklist.exe
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.
PID 1264 systeminfo.exe
GoLang User-Agent 1 IoCs
Uses default user-agent string defined by GoLang HTTP packages.
HTTP User-Agent header (flow 4): Go-http-client/1.1
Modifies registry key 1 TTPs 1 IoCs
PID 1156 reg.exe
Suspicious use of AdjustPrivilegeToken 41 IoCs
Token: SeDebugPrivilege, PID 336 tasklist.exe
Tokens enabled by PID 1560 WMIC.exe (the following 20 entries are recorded twice, in the same order): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
Suspicious use of WriteProcessMemory 32 IoCs
Each of the following parent-to-child writes is recorded four times (pid, Process, target pid, procid_target):
PID 1652 m)hhm.exe wrote to memory of PID 2032 (procid_target 25)
PID 1652 m)hhm.exe wrote to memory of PID 1264 (procid_target 29)
PID 1652 m)hhm.exe wrote to memory of PID 336 (procid_target 35)
PID 1652 m)hhm.exe wrote to memory of PID 1164 (procid_target 37)
PID 1164 cmd.exe wrote to memory of PID 1560 (procid_target 39)
PID 1652 m)hhm.exe wrote to memory of PID 596 (procid_target 40)
PID 1652 m)hhm.exe wrote to memory of PID 1816 (procid_target 42)
PID 1816 cmd.exe wrote to memory of PID 1156 (procid_target 44)
Processes
C:\Users\Admin\AppData\Local\Temp\m)hhm.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\m)hhm.exe"
  PID 1652
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      command line: cmd /C VOL
      PID 2032
    C:\Windows\SysWOW64\systeminfo.exe
      command line: systeminfo
      PID 1264
      - Gathers system information
    C:\Windows\SysWOW64\tasklist.exe
      command line: tasklist
      PID 336
      - Enumerates processes with tasklist
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\cmd.exe
      command line: cmd /C "wmic logicaldisk get caption,description,drivetype,providername,size"
      PID 1164
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\Wbem\WMIC.exe
          command line: wmic logicaldisk get caption,description,drivetype,providername,size
          PID 1560
          - Collects information from the system
          - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\cmd.exe
      command line: cmd /C C:\Users\Admin\AppData\Roaming\\Identities\\{83AF1378-986F-1673-091A-02681FA62C3B}\\w32srv.exe
      PID 596
    C:\Windows\SysWOW64\cmd.exe
      command line: cmd /C "reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Driveupd /d C:\Users\Admin\AppData\Roaming\\Identities\\{83AF1378-986F-1673-091A-02681FA62C3B}\\w32srv.exe /f"
      PID 1816
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\reg.exe
          command line: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Driveupd /d C:\Users\Admin\AppData\Roaming\\Identities\\{83AF1378-986F-1673-091A-02681FA62C3B}\\w32srv.exe /f
          PID 1156
          - Adds Run key to start application
          - Modifies registry key
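The process tree above is the whole story of this run: the sample spawns a burst of host-recon utilities (systeminfo, tasklist, wmic logicaldisk) from one parent and then uses reg.exe to write a Run value named Driveupd that points at a dropped binary under %APPDATA%. The following is an added example of how to turn those two behaviours into detection logic; it is not tria.ge code and not part of this report. The ProcEvent records are constructed by hand from the PIDs and command lines listed in the tree (the ppid of the root is an assumed 0, since the report does not show the sample's own parent), so the script runs offline against them rather than against a real log export.

```python
"""Detection logic for the recon burst and Run-key persistence recorded in
this report, applied to process events constructed from the process tree.
Added example: not tria.ge code; the EVENTS list is hand-built from the
report, it is not a real sandbox or EDR export."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed from the report's process tree. ppid 0 for the root is assumed.
EVENTS = [
    ProcEvent(1652, 0, r"C:\Users\Admin\AppData\Local\Temp\m)hhm.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\m)hhm.exe"'),
    ProcEvent(2032, 1652, r"C:\Windows\SysWOW64\cmd.exe", "cmd /C VOL"),
    ProcEvent(1264, 1652, r"C:\Windows\SysWOW64\systeminfo.exe", "systeminfo"),
    ProcEvent(336, 1652, r"C:\Windows\SysWOW64\tasklist.exe", "tasklist"),
    ProcEvent(1164, 1652, r"C:\Windows\SysWOW64\cmd.exe",
              'cmd /C "wmic logicaldisk get caption,description,drivetype,providername,size"'),
    ProcEvent(1560, 1164, r"C:\Windows\SysWOW64\Wbem\WMIC.exe",
              "wmic logicaldisk get caption,description,drivetype,providername,size"),
    ProcEvent(596, 1652, r"C:\Windows\SysWOW64\cmd.exe",
              r"cmd /C C:\Users\Admin\AppData\Roaming\\Identities\\{83AF1378-986F-1673-091A-02681FA62C3B}\\w32srv.exe"),
    ProcEvent(1816, 1652, r"C:\Windows\SysWOW64\cmd.exe",
              r'cmd /C "reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Driveupd /d C:\Users\Admin\AppData\Roaming\\Identities\\{83AF1378-986F-1673-091A-02681FA62C3B}\\w32srv.exe /f"'),
    ProcEvent(1156, 1816, r"C:\Windows\SysWOW64\reg.exe",
              r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Driveupd /d C:\Users\Admin\AppData\Roaming\\Identities\\{83AF1378-986F-1673-091A-02681FA62C3B}\\w32srv.exe /f"),
]

# Host-recon binaries seen in this report; extend for your environment.
RECON_IMAGES = {"systeminfo.exe", "tasklist.exe", "wmic.exe"}
# reg add <hive>\...\Run /v <name> /d <path> ; tolerant of HKCU/HKLM and case.
RUN_KEY_RE = re.compile(
    r"reg\s+add\s+(HK\w+\\Software\\Microsoft\\Windows\\CurrentVersion\\Run)"
    r"\s+/v\s+(\S+)\s+/d\s+(\S+)", re.IGNORECASE)
# Locations a non-admin user can write to; a Run value pointing here is the
# pattern in this report (%APPDATA%\Identities\{GUID}\w32srv.exe).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def root_of(pid: int, by_pid: dict) -> int:
    """Follow ppid links up to the top-most process we have a record for.
    This collapses the cmd.exe wrappers so wmic and reg attribute to the sample."""
    seen = set()
    while pid in by_pid and by_pid[pid].ppid in by_pid and pid not in seen:
        seen.add(pid)
        pid = by_pid[pid].ppid
    return pid


def recon_burst(events, threshold: int = 3) -> dict:
    """Return {root_pid: set of distinct recon tools} for roots that spawned
    at least `threshold` different recon utilities anywhere beneath them."""
    by_pid = {e.pid: e for e in events}
    tools = {}
    for e in events:
        name = basename(e.image)
        if name in RECON_IMAGES:
            tools.setdefault(root_of(e.pid, by_pid), set()).add(name)
    return {pid: s for pid, s in tools.items() if len(s) >= threshold}


def run_key_persistence(events) -> list:
    """Return one finding per reg.exe command that writes a Run value, with the
    target path and whether it lives in a user-writable location."""
    hits = []
    for e in events:
        if basename(e.image) != "reg.exe":
            continue
        m = RUN_KEY_RE.search(e.cmdline)
        if not m:
            continue
        key, value_name, target = m.groups()
        hits.append({"pid": e.pid, "key": key, "value": value_name, "target": target,
                     "user_writable": any(t in target.lower() for t in USER_WRITABLE)})
    return hits


def findings(events) -> list:
    """Human-readable summary of both checks."""
    out = [f"recon burst under PID {pid}: {', '.join(sorted(tools))}"
           for pid, tools in recon_burst(events).items()]
    out += [f"Run value {h['value']} -> {h['target']} (user-writable: {h['user_writable']})"
            for h in run_key_persistence(events)]
    return out


if __name__ == "__main__":
    for line in findings(EVENTS):
        print(line)
```

The AdjustPrivilegeToken entries are deliberately not used as a signal: the set of privileges WMIC.exe enables is what WMIC.exe does on every invocation, so it says nothing about the sample beyond "wmic ran". The two checks above key on what the sample itself chose: the combination of recon tools under one ancestor, and a Run value whose target is a path the user can write to.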