Analysis
  max time kernel: 151s
  max time network: 154s
  platform: windows10-2004_x64
  resource: win10v2004-20220414-en
  submitted: 04/06/2022, 10:42
Static task: static1
Behavioral task: behavioral1
  Sample: 10f57e196f4ee52c9627e76a48dc52a781077304d4cd59845ad3e82202a0d22b.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 10f57e196f4ee52c9627e76a48dc52a781077304d4cd59845ad3e82202a0d22b.exe
  Resource: win10v2004-20220414-en
General
  Target: 10f57e196f4ee52c9627e76a48dc52a781077304d4cd59845ad3e82202a0d22b.exe
  Size: 16KB
  MD5: 4297ff46922f32d58146b4721b3579b4
  SHA1: de26508f3a79833e638b7a4255bfa081b60188e6
  SHA256: 10f57e196f4ee52c9627e76a48dc52a781077304d4cd59845ad3e82202a0d22b
  SHA512: e27b9ab54054d0834b3926e894506cd1d37a461d3fe51d5142dc434874902f72ce9f5a084520e334535715be0ba1e61ac7966cbcf306e286fd02ad66558fc6df
Malware Config
Signatures

LoaderBot executable (1 IoCs)
  resource: behavioral2/memory/4820-130-0x00000000009C0000-0x00000000009CA000-memory.dmp
  yara_rule: loaderbot

Drops startup file (1 IoCs)
  description: File created
  ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Webhost.url
  Process: 10f57e196f4ee52c9627e76a48dc52a781077304d4cd59845ad3e82202a0d22b.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Webhost = "C:\\Users\\Admin\\AppData\\Roaming\\Windows\\10f57e196f4ee52c9627e76a48dc52a781077304d4cd59845ad3e82202a0d22b.exe"
  Process: 10f57e196f4ee52c9627e76a48dc52a781077304d4cd59845ad3e82202a0d22b.exe

Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid: 4932
  Process: schtasks.exe

Suspicious behavior: EnumeratesProcesses (1 IoCs)
  pid: 4820
  Process: 10f57e196f4ee52c9627e76a48dc52a781077304d4cd59845ad3e82202a0d22b.exe

Suspicious behavior: RenamesItself (1 IoCs)
  pid: 4820
  Process: 10f57e196f4ee52c9627e76a48dc52a781077304d4cd59845ad3e82202a0d22b.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description: Token: SeDebugPrivilege
  pid: 4820
  Process: 10f57e196f4ee52c9627e76a48dc52a781077304d4cd59845ad3e82202a0d22b.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 4820 wrote to memory of 804 | 4820 | 10f57e196f4ee52c9627e76a48dc52a781077304d4cd59845ad3e82202a0d22b.exe | 80
  PID 4820 wrote to memory of 804 | 4820 | 10f57e196f4ee52c9627e76a48dc52a781077304d4cd59845ad3e82202a0d22b.exe | 80
  PID 4820 wrote to memory of 804 | 4820 | 10f57e196f4ee52c9627e76a48dc52a781077304d4cd59845ad3e82202a0d22b.exe | 80
  PID 804 wrote to memory of 4932 | 804 | cmd.exe | 82
  PID 804 wrote to memory of 4932 | 804 | cmd.exe | 82
  PID 804 wrote to memory of 4932 | 804 | cmd.exe | 82
Processes

C:\Users\Admin\AppData\Local\Temp\10f57e196f4ee52c9627e76a48dc52a781077304d4cd59845ad3e82202a0d22b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\10f57e196f4ee52c9627e76a48dc52a781077304d4cd59845ad3e82202a0d22b.exe"
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4820

  C:\Windows\SysWOW64\cmd.exe
    Command line: "cmd" /C schtasks /create /tn \System\SecurityServiceUpdate /tr %userprofile%\AppData\Roaming\Windows\10f57e196f4ee52c9627e76a48dc52a781077304d4cd59845ad3e82202a0d22b.exe /st 00:00 /du 9999:59 /sc daily /ri 5 /f
    - Suspicious use of WriteProcessMemory
    PID: 804

    C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /create /tn \System\SecurityServiceUpdate /tr C:\Users\Admin\AppData\Roaming\Windows\10f57e196f4ee52c9627e76a48dc52a781077304d4cd59845ad3e82202a0d22b.exe /st 00:00 /du 9999:59 /sc daily /ri 5 /f
      - Creates scheduled task(s)
      PID: 4932