Analysis

  max time kernel:  149s
  max time network: 152s
  platform:         windows10-2004_x64
  resource:         win10v2004-20221111-en
  resource tags:    arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  submitted:        22/12/2022, 18:31

  Static task:      static1
  Behavioral task:  behavioral1
  Sample:           SecuriteInfo.com.Variant.MSILHeracles.56954.26916.8636.exe
  Resource:         win7-20220812-en
General

  Target:  SecuriteInfo.com.Variant.MSILHeracles.56954.26916.8636.exe
  Size:    717KB
  MD5:     89fef8743b5316bdd7724624549ebacb
  SHA1:    08a4bd1529eab7818a43f70a65e9e2651c4da1b3
  SHA256:  d8da845a8c898905376711802d16926d683a4802f5328260a85deb21541280f3
  SHA512:  b92fe1dc5c674fa167f20dbb7ea4203b12ecb612d5c6668e48884180318165ff759e9b22df4100cce649e3431adb13a33a297be7ecbc96af99948bb37e00f508
  SSDEEP:  12288:51NKGD8fDPkdlL2qzhumqAPZASnCOuCtr/S0YrUmDf6/rUXJBX71YMtDRV:NKGoMzmAPZASnTuOa4if6/4XnJYMF
Malware Config
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.

  description        ioc                                                                                                       Process
  Key value queried  \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation  SecuriteInfo.com.Variant.MSILHeracles.56954.26916.8636.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Suspicious use of SetThreadContext (3 IoCs)

  description                          pid   Process                                                     procid_target
  PID 1044 set thread context of 4404  1044  SecuriteInfo.com.Variant.MSILHeracles.56954.26916.8636.exe  91
  PID 4404 set thread context of 2584  4404  MSBuild.exe                                                 43
  PID 3592 set thread context of 2584  3592  cmstp.exe                                                   43

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (1 IoC)

  pid   pid_target  Process       procid_target
  3496  3872        WerFault.exe  94

Modifies Internet Explorer settings

  description  ioc                                                                                                                    Process
  Key created  \Registry\User\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2  cmstp.exe

Suspicious behavior: EnumeratesProcesses (58 IoCs; identical rows collapsed, count in last column)

  pid   Process                                                     entries
  1204  powershell.exe                                              2
  1044  SecuriteInfo.com.Variant.MSILHeracles.56954.26916.8636.exe  2
  4404  MSBuild.exe                                                 8
  3592  cmstp.exe                                                   46

Suspicious behavior: GetForegroundWindowSpam (1 IoC)

  pid   Process
  2584  Explorer.EXE

Suspicious behavior: MapViewOfSection (7 IoCs; identical rows collapsed, count in last column)

  pid   Process      entries
  4404  MSBuild.exe  3
  3592  cmstp.exe    4

Suspicious use of AdjustPrivilegeToken (6 IoCs)

  description                       pid   Process
  Token: SeDebugPrivilege           1044  SecuriteInfo.com.Variant.MSILHeracles.56954.26916.8636.exe
  Token: SeDebugPrivilege           1204  powershell.exe
  Token: SeDebugPrivilege           4404  MSBuild.exe
  Token: SeDebugPrivilege           3592  cmstp.exe
  Token: SeShutdownPrivilege        2584  Explorer.EXE
  Token: SeCreatePagefilePrivilege  2584  Explorer.EXE

Suspicious use of WriteProcessMemory (18 IoCs; identical rows collapsed, count in last column)

  description                        pid   Process                                                     procid_target  entries
  PID 1044 wrote to memory of 1204   1044  SecuriteInfo.com.Variant.MSILHeracles.56954.26916.8636.exe  82             3
  PID 1044 wrote to memory of 2336   1044  SecuriteInfo.com.Variant.MSILHeracles.56954.26916.8636.exe  90             3
  PID 1044 wrote to memory of 4404   1044  SecuriteInfo.com.Variant.MSILHeracles.56954.26916.8636.exe  91             6
  PID 2584 wrote to memory of 3592   2584  Explorer.EXE                                                92             3
  PID 3592 wrote to memory of 3872   3592  cmstp.exe                                                   94             3
Processes (indentation shows the process tree depth reported by the sandbox)

C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 2584
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.MSILHeracles.56954.26916.8636.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.MSILHeracles.56954.26916.8636.exe"
      PID: 1044
      - Checks computer location settings
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
          (the -ENC argument is the base64 encoding of the UTF-16LE string "start-sleep -seconds 20")
          PID: 1204
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
          Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe purecrypter.exe
          PID: 2336

        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
          Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe purecrypter.exe
          PID: 4404
          - Suspicious use of SetThreadContext
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: MapViewOfSection
          - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\cmstp.exe
      Command line: "C:\Windows\SysWOW64\cmstp.exe"
      PID: 3592
      - Suspicious use of SetThreadContext
      - Modifies Internet Explorer settings
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

        C:\Program Files\Mozilla Firefox\Firefox.exe
          Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
          PID: 3872

            C:\Windows\system32\WerFault.exe
              Command line: C:\Windows\system32\WerFault.exe -u -p 3872 -s 128
              PID: 3496
              - Program crash

C:\Windows\system32\WerFault.exe
  Command line: C:\Windows\system32\WerFault.exe -pss -s 412 -p 3872 -ip 3872
  PID: 4960