Analysis
max time kernel: 151s
max time network: 143s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 07/06/2022, 22:04
Static task: static1
Behavioral task: behavioral1
  Sample: 1abd24dd38de4b9b3f650f39f55de89a429e4b3126c816b3d24406f4260e7f4d.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 1abd24dd38de4b9b3f650f39f55de89a429e4b3126c816b3d24406f4260e7f4d.exe
  Resource: win10v2004-20220414-en
General
Target: 1abd24dd38de4b9b3f650f39f55de89a429e4b3126c816b3d24406f4260e7f4d.exe
Size: 16KB
MD5: a060d22a3a59bff0dc8c8be445150afd
SHA1: 8a83b90ec07d18cf48a2fcffa1e2dac0a1e128c0
SHA256: 1abd24dd38de4b9b3f650f39f55de89a429e4b3126c816b3d24406f4260e7f4d
SHA512: 6a1b061339ce86ea1c8088905704e224d80c51923d33608d042879834306ef8460d311ea77f9a324483b48853eaf5c96099ccb705a74c67abccda5ccceec6b5e
Malware Config
Signatures
- LoaderBot executable (1 IoC)
  resource: behavioral2/memory/3748-130-0x0000000000070000-0x000000000007A000-memory.dmp
  yara_rule: loaderbot
- Drops startup file (1 IoC)
  description: File created
  ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Webhost.url
  Process: 1abd24dd38de4b9b3f650f39f55de89a429e4b3126c816b3d24406f4260e7f4d.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Webhost = "C:\\Users\\Admin\\AppData\\Roaming\\Windows\\1abd24dd38de4b9b3f650f39f55de89a429e4b3126c816b3d24406f4260e7f4d.exe"
  Process: 1abd24dd38de4b9b3f650f39f55de89a429e4b3126c816b3d24406f4260e7f4d.exe
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid: 4768
  Process: schtasks.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid: 3748
  Process: 1abd24dd38de4b9b3f650f39f55de89a429e4b3126c816b3d24406f4260e7f4d.exe
- Suspicious behavior: RenamesItself (1 IoC)
  pid: 3748
  Process: 1abd24dd38de4b9b3f650f39f55de89a429e4b3126c816b3d24406f4260e7f4d.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description: Token: SeDebugPrivilege
  pid: 3748
  Process: 1abd24dd38de4b9b3f650f39f55de89a429e4b3126c816b3d24406f4260e7f4d.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 3748 wrote to memory of 3988 | 3748 | 1abd24dd38de4b9b3f650f39f55de89a429e4b3126c816b3d24406f4260e7f4d.exe | 81
  PID 3748 wrote to memory of 3988 | 3748 | 1abd24dd38de4b9b3f650f39f55de89a429e4b3126c816b3d24406f4260e7f4d.exe | 81
  PID 3748 wrote to memory of 3988 | 3748 | 1abd24dd38de4b9b3f650f39f55de89a429e4b3126c816b3d24406f4260e7f4d.exe | 81
  PID 3988 wrote to memory of 4768 | 3988 | cmd.exe | 83
  PID 3988 wrote to memory of 4768 | 3988 | cmd.exe | 83
  PID 3988 wrote to memory of 4768 | 3988 | cmd.exe | 83
Processes
1. C:\Users\Admin\AppData\Local\Temp\1abd24dd38de4b9b3f650f39f55de89a429e4b3126c816b3d24406f4260e7f4d.exe
   "C:\Users\Admin\AppData\Local\Temp\1abd24dd38de4b9b3f650f39f55de89a429e4b3126c816b3d24406f4260e7f4d.exe"
   - Drops startup file
   - Adds Run key to start application
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious behavior: RenamesItself
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   PID: 3748
   2. C:\Windows\SysWOW64\cmd.exe
      "cmd" /C schtasks /create /tn \System\SecurityServiceUpdate /tr %userprofile%\AppData\Roaming\Windows\1abd24dd38de4b9b3f650f39f55de89a429e4b3126c816b3d24406f4260e7f4d.exe /st 00:00 /du 9999:59 /sc daily /ri 5 /f
      - Suspicious use of WriteProcessMemory
      PID: 3988
      3. C:\Windows\SysWOW64\schtasks.exe
         schtasks /create /tn \System\SecurityServiceUpdate /tr C:\Users\Admin\AppData\Roaming\Windows\1abd24dd38de4b9b3f650f39f55de89a429e4b3126c816b3d24406f4260e7f4d.exe /st 00:00 /du 9999:59 /sc daily /ri 5 /f
         - Creates scheduled task(s)
         PID: 4768