Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 49s
max time network: 44s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 03/11/2022, 14:13 (3 November 2022: the win7-20220812 image the run used postdates March 2022, so the date is day/month)
Static task: static1
Behavioral task: behavioral1
Sample: SecuriteInfo.com.Trojan.Mardom.MN.10.23111.3388.exe
Resource: win7-20220812-en

General
Target: SecuriteInfo.com.Trojan.Mardom.MN.10.23111.3388.exe
Size: 1.1MB
MD5: 3c21079c403687f4339a136919931ef5
SHA1: 05bb1260bbdc0d05460f41e2423691f7c044bbe9
SHA256: 2088000ab7a60b6d9eb519d1da9d42934e908a9724ab6977bc853d30b7f96642
SHA512: 1285f2e9b1fb1cf2785f88514542a8bf7beeed52558fa9fb49280e2c91b1e17ccfc514435969491cbd0cd0d4f9d29e7803eec248ca43e04ebf37d5f14d05bc38
SSDEEP: 24576:LNlitFN9lSz5iPqjiX+Iv3GytN1YeZo82E+u6Sz73JEL:LvizNCzc2I/GYNj6zup5E
Malware Config
Extracted
formbook
u6hu
OvIuZKrtOMxghbaZbvb/8h9g+Q==
mjHLVEVO8gwVeZ+7
Lh1lcZzH8pTXgpdDzV0vzyVooAsviHQ=
OzJXhMQYaQKNT1aBY/gM8h9g+Q==
WSJFbX28mK+jXVvRJofdtSc=
mEv6JdT2o7Nq++XYt8MFpx5QrhRdhA==
Wxf/NnjMRlBj6JK3jg==
nB21Q0tg7gEVeZ+7
IZinOswGUPAn51eHvCAoMetC
INxV9PYg7AQP0xyDAyg=
kkZP+Iq1AgMVeZ+7
meuru6sSaxxuoLS7gA==
y0jMTFyffedqCSRXVfm/
sJbTfRVKuQScxw==
+ecHP3ayIjYFnb7j2Pt6z5dK
uZnHRwRE9QwVeZ+7
ZBg6Sy054P4oHp0DknCx
nFXn8j4yTuJ9aOfNlw==
35ygHt8uASpReRyDAyg=
8nT3T+8eWeh6aOfNlw==
HhIzb7v+M7I5Sqnk5Gt6z5dK
Nd5UBShihWZZDA8=
CcrOdQtKpUrKSJqzig==
T/WOykxDMIU8/Q0=
XBwiL8gHqMd9JUiiX3+9
kpC3/164HctgequkvgoZQw==
enHp66c8IjQ=
aQYGrJLj3msLO5VP2WJqjW7+rhRdhA==
vDXNC+Q7VTNCCxI=
xWh0G6/2cIFB5ufaqTkHqGRN7zt5
jFLwNR5qOoU8/Q0=
IRa5/8L8vs2xLYKx
L5oor6OvWINoLTpfXvf98h9g+Q==
01FVerpZiCu82g==
IshjpT6he6Y9
UNuJ2awhgexLBRA=
kQD/IkhTZoRsfRyDAyg=
wIQ4Yy91Q3xYCDiWvgoZQw==
xJbODWKuFKgLsaGvvgoZQw==
CooPm7PhhIylxy3RGrmDFds77ARo
xHau8nb55cDT1cKz
rWTumLcgL1BSeRyDAyg=
ejPpClNWuQScxw==
oEH5T+cGGqjrNmkVmrI/bi8=
EJKwS83Y4nfe9CuKRmSu
DM2GjMuIuQScxw==
iAWaJTWEiB9Z4RyDAyg=
CtYQsdIzKoU8/Q0=
zpzF/GbBgje3aOfNlw==
F8xug9XSzeDT5pD3RF6q
FqukyevwFLkOyxyDAyg=
QjLUF95BcpCpiK24gA==
vnUTT+0UgexLBRA=
31brkKCS+H4VeZ+7
RQez61BOWa1I+Ac=
OS7mmaK7bIe4j5cqaxQJ8h9g+Q==
rlbMZ37Mq7WXSYSv/iI=
hzTCZITPnqu68El/e4XNnoPr0RJx
hVAJKOpaZsFdDxQ=
O0b/K5Upgg==
jhMiu0550a6bqAu+NYfdtSc=
e8pri9rk9lNKKYkHZe4N8h9g+Q==
7LVrhEajdHxxfRyDAyg=
52hl5Fpec9eCkvqdAiA=
cp12326.com
Signatures

Adds Run key to start application (2 TTPs, 1 IoC)
Set value (str): \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\Meqzxoacawt = "\"C:\\Users\\Admin\\AppData\\Roaming\\Twtrqilcly\\Meqzxoacawt.exe\""
Process: SecuriteInfo.com.Trojan.Mardom.MN.10.23111.3388.exe (PID 2028)
Both the value name and the directory of the dropped copy are random-looking strings, and both live under the user's hive and roaming AppData: user-writable locations that need no elevation. The HKCU Run value relaunches the copy at every logon of that user.

Suspicious use of SetThreadContext (1 IoC)
PID 2028 (SecuriteInfo.com.Trojan.Mardom.MN.10.23111.3388.exe) set thread context of PID 588 (procid_target 30)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). The signature's stock description calls this likely ransomware behaviour; the extracted config above identifies the sample as Formbook, an information stealer, so this generic heuristic should not be read as a ransomware verdict for this run.

Suspicious behavior: EnumeratesProcesses (3 IoCs)
PID 472 powershell.exe
PID 2028 SecuriteInfo.com.Trojan.Mardom.MN.10.23111.3388.exe
PID 588 SecuriteInfo.com.Trojan.Mardom.MN.10.23111.3388.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Token: SeDebugPrivilege, PID 2028 SecuriteInfo.com.Trojan.Mardom.MN.10.23111.3388.exe
Token: SeDebugPrivilege, PID 472 powershell.exe

Suspicious use of WriteProcessMemory (15 IoCs)
PID 2028 wrote to memory of PID 472 (powershell.exe, procid_target 27): 4 IoCs
PID 2028 wrote to memory of PID 1064 (SecuriteInfo.com.Trojan.Mardom.MN.10.23111.3388.exe, procid_target 29): 4 IoCs
PID 2028 wrote to memory of PID 588 (SecuriteInfo.com.Trojan.Mardom.MN.10.23111.3388.exe, procid_target 30): 7 IoCs
Of the three targets, only PID 588, a child running the sample's own image, also received SetThreadContext from PID 2028. Memory writes followed by a thread-context change into a child of the same image is the process-hollowing pattern, and PID 588 is the only child that goes on to show behaviour of its own (EnumeratesProcesses) in the process tree below. The writes into the other two children, with no SetThreadContext, are weak evidence by themselves: process creation already writes into a new child's address space.
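The three write targets and the single SetThreadContext target above are enough to reconstruct the injection chain mechanically. The script below is an added example, not part of the tria.ge report and not Triage's own tooling: it parses the signature rows in the row format shown above (transcribed into the script as constructed input, with the same repetition counts), joins them against the process list, and labels each parent/child pair. The label names, the row regular expression and the helper names are this example's own assumptions.

```python
"""Reconstruct the injection chain from the WriteProcessMemory and
SetThreadContext signature rows of a sandbox report.

Added example, not part of the tria.ge report. Row strings and the
process list are transcribed from the report above (constructed input).
"""
import re
from collections import defaultdict

SAMPLE = "SecuriteInfo.com.Trojan.Mardom.MN.10.23111.3388.exe"

# Constructed input: one string per IoC row, in the report's own row format,
# repeated as many times as the report lists it (4 + 4 + 7 = 15 rows).
WPM_ROWS = (
    [f"PID 2028 wrote to memory of 472 2028 {SAMPLE} 27"] * 4
    + [f"PID 2028 wrote to memory of 1064 2028 {SAMPLE} 29"] * 4
    + [f"PID 2028 wrote to memory of 588 2028 {SAMPLE} 30"] * 7
)
STC_ROWS = [f"PID 2028 set thread context of 588 2028 {SAMPLE} 30"]

# pid -> image name, from the Processes section of the report.
PROCS = {2028: SAMPLE, 472: "powershell.exe", 1064: SAMPLE, 588: SAMPLE}

# Row format: "PID <src> wrote to memory of <dst> <src> <image> <procid_target>"
# (assumed from the rows above; anything that does not match is skipped).
ROW_RE = re.compile(r"^PID (\d+) (wrote to memory of|set thread context of) (\d+)\b")


def parse_rows(rows):
    """Yield (source_pid, action, target_pid); rows that don't match are skipped."""
    for row in rows:
        m = ROW_RE.match(row)
        if m:
            yield int(m.group(1)), m.group(2), int(m.group(3))


def injection_summary(wpm_rows, stc_rows):
    """Return ({(src, dst): write_count}, {(src, dst) that got SetThreadContext})."""
    writes = defaultdict(int)
    for src, _, dst in parse_rows(wpm_rows):
        writes[(src, dst)] += 1
    ctx = {(src, dst) for src, _, dst in parse_rows(stc_rows)}
    return dict(writes), ctx


def classify(writes, ctx, procs):
    """Label each (src, dst) pair (labels are this example's own terms):

    hollowing   - child runs the same image as the parent, was written to, and
                  had its thread context set: the process-hollowing pattern
    write-only  - same image, memory written, but no thread hijack observed
    cross-image - target runs a different image (here: powershell.exe)
    """
    verdicts = {}
    for (src, dst), count in writes.items():
        same_image = procs.get(src) == procs.get(dst)
        if same_image and (src, dst) in ctx:
            label = "hollowing"
        elif same_image:
            label = "write-only"
        else:
            label = "cross-image"
        verdicts[(src, dst)] = (label, count)
    return verdicts


if __name__ == "__main__":
    writes, ctx = injection_summary(WPM_ROWS, STC_ROWS)
    for (src, dst), (label, count) in sorted(classify(writes, ctx, PROCS).items()):
        print(f"{src} -> {dst} ({PROCS[dst]}): {label}, {count} write(s)")
```

Run as a script it prints one line per pair; for this report only 2028 -> 588 is labelled hollowing. Joining on image name is what separates the real injection target from the two children that were merely spawned, which is the same distinction a detection rule should make before alerting on WriteProcessMemory alone.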
Processes

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Mardom.MN.10.23111.3388.exe (PID 2028)
Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Mardom.MN.10.23111.3388.exe"
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 472, child of PID 2028)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwAzAA==
    The -enc argument is base64 over UTF-16LE and decodes to: Start-Sleep -Seconds 33. The sample uses PowerShell only to sleep for 33 seconds, a delay loaders commonly insert to stall sandbox analysis. The command line names System32, but the image that actually ran is under SysWOW64, which shows the sample is a 32-bit process: WoW64 file system redirection maps a 32-bit process's System32 references to the 32-bit copies.
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Mardom.MN.10.23111.3388.exe (PID 1064, child of PID 2028)
    Command line: C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Mardom.MN.10.23111.3388.exe
    No signatures of its own; it received memory writes from PID 2028 but no SetThreadContext.

    C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Mardom.MN.10.23111.3388.exe (PID 588, child of PID 2028)
    Command line: C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Mardom.MN.10.23111.3388.exe
    Received memory writes and a thread-context change from PID 2028 (see the WriteProcessMemory and SetThreadContext signatures above), consistent with this being the hollowed copy that continues execution.
    - Suspicious behavior: EnumeratesProcesses
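Decoding the -enc argument of the PowerShell child is the first thing to do with any such command line, and it is easy to get wrong by treating the payload as plain base64 text. The script below is an added example, not from the report or from Triage: it pulls the encoded payload out of a Windows command line, decodes it the way powershell.exe does (base64 over UTF-16LE), and flags scripts that consist of nothing but Start-Sleep. The flag matching approximates PowerShell's prefix rules for -EncodedCommand (-e, -ec, -enc and longer prefixes); the tokenizer, the helper names and the delay-only heuristic are this example's own assumptions, and the command line is transcribed from the process tree above as constructed input.

```python
"""Decode a PowerShell -EncodedCommand argument the way powershell.exe does.

Added example, not part of the tria.ge report. The command line below is
transcribed from the report's process tree (constructed input); the flag
matching, tokenizer and delay heuristic are this example's own assumptions.
"""
import base64
import re

# Constructed input: the powershell.exe command line from the process tree above.
SAMPLE_CMDLINE = (
    '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    "-enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwAzAA=="
)


def is_encoded_flag(token):
    """True for -e, -ec, -enc, ..., -EncodedCommand (any case; - or / prefix).

    Approximates powershell.exe's rule: any prefix of 'encodedcommand' plus
    the documented short form '-ec'. Prefixes such as -ex/-ep never match,
    so -ExecutionPolicy is not confused with it.
    """
    if len(token) < 2 or token[0] not in "-/":
        return False
    key = token[1:].lower()
    return key == "ec" or "encodedcommand".startswith(key)


def extract_encoded_command(cmdline):
    """Return the script text behind the encoded flag, or None if absent/invalid."""
    # Windows-style split: keep double-quoted runs together, otherwise split on whitespace.
    tokens = re.findall(r'"[^"]*"|\S+', cmdline)
    for flag, value in zip(tokens, tokens[1:]):
        if not is_encoded_flag(flag):
            continue
        payload = value.strip('"')
        payload += "=" * (-len(payload) % 4)  # tolerate stripped '=' padding
        try:
            # PowerShell encodes the script as UTF-16LE before base64.
            return base64.b64decode(payload, validate=True).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            return None
    return None


def is_delay_only(script):
    """Heuristic: the script does nothing but Start-Sleep (a stalling pattern)."""
    if not script:
        return False
    return re.fullmatch(r"\s*Start-Sleep\s+(-\w+\s+)?\d+\s*", script, re.IGNORECASE) is not None


if __name__ == "__main__":
    decoded = extract_encoded_command(SAMPLE_CMDLINE)
    print(repr(decoded), "delay-only:", is_delay_only(decoded))
```

For the command line in this report the decoder returns Start-Sleep -Seconds 33 and the delay-only check is true. Decoding with validate=True and strict UTF-16LE is deliberate: a payload that is not valid base64, or whose byte length is odd, returns None rather than a half-decoded string that would be mis-triaged.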