Analysis
- max time kernel: 115s
- max time network: 119s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02/02/2023, 16:23
Static task
- static1
Behavioral task
- behavioral1: Sample OMORI.exe, Resource win7-20220812-en
- behavioral2: Sample OMORI.exe, Resource win10v2004-20220812-en
General
- Target: OMORI.exe
- Size: 311KB
- MD5: eea45deda253eb9640e9cb1d4ec88f61
- SHA1: 958645c598a26c97d0fa947dd882f74cbf22d95d
- SHA256: 7a1426b042f0589ec69143e715ea8271181c85a190015e41a53dfd94edc45602
- SHA512: bc9ae046f5ecab598c14222fbcfef4721c820e81813a6872ae733141634c827177b99170cc0aeb6ae78c95916ae030a5232dbaf7c43efbea24734ced1a8d07af
- SSDEEP: 3072:aLDQq3/t3ldkPtPoH5q5XSMq60Z5AixLlmy9ISeRjftI8n2u90SF:4v1korMk5hlL8f0SF
Malware Config
Signatures
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | taskmgr.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | taskmgr.exe
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | taskmgr.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | taskmgr.exe
- Suspicious behavior: EnumeratesProcesses (16 IoCs)
  pid | Process
  4576 | taskmgr.exe (16 identical entries)
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 4576 | taskmgr.exe
  Token: SeSystemProfilePrivilege | 4576 | taskmgr.exe
  Token: SeCreateGlobalPrivilege | 4576 | taskmgr.exe
  Token: 33 | 4576 | taskmgr.exe
  Token: SeIncBasePriorityPrivilege | 4576 | taskmgr.exe
- Suspicious use of FindShellTrayWindow (43 IoCs)
  pid | Process
  4576 | taskmgr.exe (43 identical entries)
- Suspicious use of SendNotifyMessage (42 IoCs)
  pid | Process
  4576 | taskmgr.exe (42 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\OMORI.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\OMORI.exe"
  PID: 3648
- C:\Windows\system32\cmd.exe
  Command line: "C:\Windows\system32\cmd.exe"
  PID: 1800
- C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  PID: 4576
  Signatures:
  - Checks SCSI registry key(s)
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage