Analysis
- max time kernel: 159s
- max time network: 147s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 26/06/2022, 22:51
Static task: static1

Behavioral task: behavioral1
- Sample: b038f02fce2c8584b6d610ef74cd884821c14570c388f441270ba0efef9ff7e1.exe
- Resource: win7-20220414-en

Behavioral task: behavioral2
- Sample: b038f02fce2c8584b6d610ef74cd884821c14570c388f441270ba0efef9ff7e1.exe
- Resource: win10v2004-20220414-en
General
- Target: b038f02fce2c8584b6d610ef74cd884821c14570c388f441270ba0efef9ff7e1.exe
- Size: 16KB
- MD5: 69883cd448e52fa2ffcd181f5b767665
- SHA1: 6f20034d07e405929e58187f8373bfca80778d88
- SHA256: b038f02fce2c8584b6d610ef74cd884821c14570c388f441270ba0efef9ff7e1
- SHA512: 6dc0cf81015cf441549757a4c9c0d83d9079599e598248c90c9d00d6f07721f848fcc89db216f10bae5f3086acf923b1712c4f4adaa80da7d7129ce277959df6
Malware Config
Signatures

- LoaderBot executable (1 IoC)
  resource | yara_rule
  behavioral2/memory/4572-130-0x0000000000C50000-0x0000000000C5A000-memory.dmp | loaderbot

- Drops startup file (1 IoC)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Webhost.url | b038f02fce2c8584b6d610ef74cd884821c14570c388f441270ba0efef9ff7e1.exe

- Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Webhost = "C:\\Users\\Admin\\AppData\\Roaming\\Windows\\b038f02fce2c8584b6d610ef74cd884821c14570c388f441270ba0efef9ff7e1.exe" | b038f02fce2c8584b6d610ef74cd884821c14570c388f441270ba0efef9ff7e1.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Webhost = "C:\\Users\\Admin\\AppData\\Roaming\\Windows\\b038f02fce2c8584b6d610ef74cd884821c14570c388f441270ba0efef9ff7e1.exe" | b038f02fce2c8584b6d610ef74cd884821c14570c388f441270ba0efef9ff7e1.exe

- Creates scheduled task(s) (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  4656 | schtasks.exe
  4980 | schtasks.exe

- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  4572 | b038f02fce2c8584b6d610ef74cd884821c14570c388f441270ba0efef9ff7e1.exe
  3976 | b038f02fce2c8584b6d610ef74cd884821c14570c388f441270ba0efef9ff7e1.exe

- Suspicious behavior: RenamesItself (1 IoC)
  pid | Process
  4572 | b038f02fce2c8584b6d610ef74cd884821c14570c388f441270ba0efef9ff7e1.exe

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 4572 | b038f02fce2c8584b6d610ef74cd884821c14570c388f441270ba0efef9ff7e1.exe
  Token: SeDebugPrivilege | 3976 | b038f02fce2c8584b6d610ef74cd884821c14570c388f441270ba0efef9ff7e1.exe

- Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | Process | procid_target
  PID 4572 wrote to memory of 4220 | 4572 | b038f02fce2c8584b6d610ef74cd884821c14570c388f441270ba0efef9ff7e1.exe | 83
  PID 4572 wrote to memory of 4220 | 4572 | b038f02fce2c8584b6d610ef74cd884821c14570c388f441270ba0efef9ff7e1.exe | 83
  PID 4572 wrote to memory of 4220 | 4572 | b038f02fce2c8584b6d610ef74cd884821c14570c388f441270ba0efef9ff7e1.exe | 83
  PID 4220 wrote to memory of 4656 | 4220 | cmd.exe | 85
  PID 4220 wrote to memory of 4656 | 4220 | cmd.exe | 85
  PID 4220 wrote to memory of 4656 | 4220 | cmd.exe | 85
  PID 3976 wrote to memory of 3084 | 3976 | b038f02fce2c8584b6d610ef74cd884821c14570c388f441270ba0efef9ff7e1.exe | 93
  PID 3976 wrote to memory of 3084 | 3976 | b038f02fce2c8584b6d610ef74cd884821c14570c388f441270ba0efef9ff7e1.exe | 93
  PID 3976 wrote to memory of 3084 | 3976 | b038f02fce2c8584b6d610ef74cd884821c14570c388f441270ba0efef9ff7e1.exe | 93
  PID 3084 wrote to memory of 4980 | 3084 | cmd.exe | 95
  PID 3084 wrote to memory of 4980 | 3084 | cmd.exe | 95
  PID 3084 wrote to memory of 4980 | 3084 | cmd.exe | 95
Processes

- C:\Users\Admin\AppData\Local\Temp\b038f02fce2c8584b6d610ef74cd884821c14570c388f441270ba0efef9ff7e1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b038f02fce2c8584b6d610ef74cd884821c14570c388f441270ba0efef9ff7e1.exe"
  PID: 4572
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "cmd" /C schtasks /create /tn \System\SecurityServiceUpdate /tr %userprofile%\AppData\Roaming\Windows\b038f02fce2c8584b6d610ef74cd884821c14570c388f441270ba0efef9ff7e1.exe /st 00:00 /du 9999:59 /sc daily /ri 5 /f
    PID: 4220
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /create /tn \System\SecurityServiceUpdate /tr C:\Users\Admin\AppData\Roaming\Windows\b038f02fce2c8584b6d610ef74cd884821c14570c388f441270ba0efef9ff7e1.exe /st 00:00 /du 9999:59 /sc daily /ri 5 /f
      PID: 4656
      - Creates scheduled task(s)

- C:\Users\Admin\AppData\Roaming\Windows\b038f02fce2c8584b6d610ef74cd884821c14570c388f441270ba0efef9ff7e1.exe
  Command line: C:\Users\Admin\AppData\Roaming\Windows\b038f02fce2c8584b6d610ef74cd884821c14570c388f441270ba0efef9ff7e1.exe
  PID: 3976
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "cmd" /C schtasks /create /tn \System\SecurityServiceUpdate /tr %userprofile%\AppData\Roaming\Windows\b038f02fce2c8584b6d610ef74cd884821c14570c388f441270ba0efef9ff7e1.exe /st 00:00 /du 9999:59 /sc daily /ri 5 /f
    PID: 3084
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /create /tn \System\SecurityServiceUpdate /tr C:\Users\Admin\AppData\Roaming\Windows\b038f02fce2c8584b6d610ef74cd884821c14570c388f441270ba0efef9ff7e1.exe /st 00:00 /du 9999:59 /sc daily /ri 5 /f
      PID: 4980
      - Creates scheduled task(s)