Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
148s -
max time network
151s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
09/09/2022, 11:47
Static task
static1
Behavioral task
behavioral1
Sample
tmp.exe
Resource
win7-20220812-en
General
-
Target
tmp.exe
-
Size
1.1MB
-
MD5
911b41caf07e1358460415fe7ddc9ba5
-
SHA1
2a2e2120055b91824166b4cbecb86b25cab7a6f1
-
SHA256
4562af450cbc44c9ddf59509c802f83abcc2dc66a2eccc0b734ea7ceded60522
-
SHA512
92f5410901ce62f81bd2d1e0e86cd3492b05fcf415a271e9784994239296b3001e1a53b5ff176d1c3cc09fa42ae1e0c379cada397c74d7e232590e048938b80d
-
SSDEEP
12288:imIFTT41hw4e/ehLrz9+maNmNR734hodpBXk8jB6rSDdrCsv6ySk1hw4e/:lIF/L4LJwNmNYqpBXXQCOsvu4
Malware Config
Extracted
formbook
nytc
xxa3lYw6m81Pd//kzzAdG4U=
YXZAfGEJkwXABM5TR/E=
hUbaOQOt0DYguI9XS8pwJrEZWmU=
A/ygqm4Kfa0kUcnqnsJDp+zEWGM=
RORz56hFPHnrLO2iW0+9
iqg4UizXgbNRcvmiW0+9
VRTafWQvdNtipVkn5VtZyrF/+rnbCQ==
gQueRkb7G4Z/Jvu3qBQZNo8=
ePKbHxG8f76FOQesODERPA==
fHESMDnjE3MqK+7b
0k/peV8LzCGeqzU7ODERPA==
cTQPl24ePactS+KiW0+9
pjTaSRTKnctzqirmZx/oa3X0tg==
aAWYMRriqLzAA85TR/E=
tDgT5cRmmQqRpFrkpR+4
drFaFOGXywjGUxzL9wm++AOs
Okbd//qcDXIbai4QB7WKaH+p6bEPPfgV
ae/IhkTwKWcXT9mY6A+++AOs
eEbmHeuHEHk4xoclVxQZNo8=
C2I8W0/9c+jsDk/CmEn8Ng==
ry/EZmEbH0rH63dXvN2++AOs
AADLF9yGZJH3K+eiW0+9
rCbdbVkNyB2TzqtgF71RW7rWIZgK+eo=
BJ8sDcp9mwB+u4CHKEk/pL7aIZgK+eo=
3OuEq7ZYt+hjeQsOA2RUSJY=
boZiuIIoE4lEce2oODERPA==
G6ByPxnTBGfsLe2iW0+9
jINQlGov7EjBus93QQ==
0O6VupxB6SXLGOOiW0+9
2iu0zDhIO54j
0QChYyLgaM90pTs6ODERPA==
8/ybkmkGQZxqQ9PR
z8XkyB8NDWgh
aKdbJgKhzwiv12gkYdmELIk=
u/yOdFgEb8SDwY4uMeg=
z8w23YcnbsRFbe6vGUoFa3X0tg==
NmoXAfmd0TAcu41LNem42ztIz5gK+eo=
hBratpddC3NjC9TuJ9RXa3X0tg==
Juh/8OSwF4gJRg==
VfGUJu/Mc6Mp
A4ITqY4wKYNLus93QQ==
JCG7x6dfHjPwc/bZ
EdaBzZQ3JY5Ous93QQ==
235QGeKP1y6n0DQ/ODERPA==
UZxtZSTHPaVVgwjF/ua7SiSk
9AFtGdVzvCujtD8wqVw2bJg=
QhqpDe+blfbCQMe4v2QrUezEWGM=
HmYtW0L1p8qMohc=
LbA/rnQqLIOMus93QQ==
gPXEgzXhV+1qn20UHpt/Zf2q
fQzYwYksqRjVC85TR/E=
GW0wUTLklL101umkXA==
UJZFLw/vPUGKus93QQ==
yk3zbS3Bpt3EbS0fodu++AOs
7DK+kHMcbNdRdTS9NRwPOg==
kqJomFojH1HK4WRRvt2++AOs
AHobjWALA3ZqQ9PR
Ly3D+YMxn8RCewTJfJITKw==
ylTsgHo3IVbN62EPjEDnJQ==
fBSjD86IwTHq4rHG
26JHbEDhTbzCHM/M
KgrHRAarpAu3Cs6nODERPA==
6Oyeq4NkbL80
RsafbzzxMYkBPjrpYla/
primerleague.com
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Control Panel\International\Geo\Nation tmp.exe -
Suspicious use of SetThreadContext 3 IoCs
description pid Process procid_target PID 1676 set thread context of 2004 1676 tmp.exe 28 PID 2004 set thread context of 1212 2004 tmp.exe 14 PID 1984 set thread context of 1212 1984 NETSTAT.EXE 14 -
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
pid Process 1984 NETSTAT.EXE -
description ioc Process Key created \Registry\User\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 NETSTAT.EXE -
Suspicious behavior: EnumeratesProcesses 17 IoCs
pid Process 2004 tmp.exe 2004 tmp.exe 2004 tmp.exe 2004 tmp.exe 1984 NETSTAT.EXE 1984 NETSTAT.EXE 1984 NETSTAT.EXE 1984 NETSTAT.EXE 1984 NETSTAT.EXE 1984 NETSTAT.EXE 1984 NETSTAT.EXE 1984 NETSTAT.EXE 1984 NETSTAT.EXE 1984 NETSTAT.EXE 1984 NETSTAT.EXE 1984 NETSTAT.EXE 1984 NETSTAT.EXE -
Suspicious behavior: MapViewOfSection 7 IoCs
pid Process 2004 tmp.exe 2004 tmp.exe 2004 tmp.exe 1984 NETSTAT.EXE 1984 NETSTAT.EXE 1984 NETSTAT.EXE 1984 NETSTAT.EXE -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2004 tmp.exe Token: SeDebugPrivilege 1984 NETSTAT.EXE -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 1212 Explorer.EXE 1212 Explorer.EXE -
Suspicious use of SendNotifyMessage 2 IoCs
pid Process 1212 Explorer.EXE 1212 Explorer.EXE -
Suspicious use of WriteProcessMemory 16 IoCs
description pid Process procid_target PID 1676 wrote to memory of 2004 1676 tmp.exe 28 PID 1676 wrote to memory of 2004 1676 tmp.exe 28 PID 1676 wrote to memory of 2004 1676 tmp.exe 28 PID 1676 wrote to memory of 2004 1676 tmp.exe 28 PID 1676 wrote to memory of 2004 1676 tmp.exe 28 PID 1676 wrote to memory of 2004 1676 tmp.exe 28 PID 1676 wrote to memory of 2004 1676 tmp.exe 28 PID 1212 wrote to memory of 1984 1212 Explorer.EXE 29 PID 1212 wrote to memory of 1984 1212 Explorer.EXE 29 PID 1212 wrote to memory of 1984 1212 Explorer.EXE 29 PID 1212 wrote to memory of 1984 1212 Explorer.EXE 29 PID 1984 wrote to memory of 1152 1984 NETSTAT.EXE 31 PID 1984 wrote to memory of 1152 1984 NETSTAT.EXE 31 PID 1984 wrote to memory of 1152 1984 NETSTAT.EXE 31 PID 1984 wrote to memory of 1152 1984 NETSTAT.EXE 31 PID 1984 wrote to memory of 1152 1984 NETSTAT.EXE 31
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1212 -
C:\Users\Admin\AppData\Local\Temp\tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1676 -
C:\Users\Admin\AppData\Local\Temp\tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp.exe"3⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2004
-
-
-
C:\Windows\SysWOW64\NETSTAT.EXE"C:\Windows\SysWOW64\NETSTAT.EXE"2⤵
- Suspicious use of SetThreadContext
- Gathers network information
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1984 -
C:\Program Files\Mozilla Firefox\Firefox.exe"C:\Program Files\Mozilla Firefox\Firefox.exe"3⤵PID:1152
-
-