Analysis
- max time kernel: 143s
- max time network: 33s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 19/05/2023, 05:44
Static task: static1
Behavioral task: behavioral1
- Sample: 4th Hire Soa Remittance.exe
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: 4th Hire Soa Remittance.exe
- Resource: win10v2004-20230220-en
General
- Target: 4th Hire Soa Remittance.exe
- Size: 617KB
- MD5: 854e22aa8f838bc5638f401e1d6faaf0
- SHA1: 95792a0d5c497777fe283f5b9eb74f14e2e407ce
- SHA256: 2bfe16100af653d012b5b833cf2ed6431ae1ca9660fab081679f92da34fb5f57
- SHA512: 8b2238ab1c74794fcbf23241475c35fbecd5482aa48d49f0e1cbd706656d0997b3aa4b4eb3ebf47eca56663cf57527d7d59c85740adf748917366315376bdcfa
- SSDEEP: 12288:eopnFv5yczago+/3FIqbipq/HQzIbPKgObpb5LYU/gD+jU/ecZBAYq4:ZVV1o+/e4jHQzQlObpFLYV+jJWBf
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Control Panel\International\Geo\Nation
  Process: 4th Hire Soa Remittance.exe
- Suspicious use of SetThreadContext (1 IoC)
  description: PID 1348 set thread context of 320
  pid: 1348
  Process: 4th Hire Soa Remittance.exe
  procid_target: 27
- Suspicious behavior: EnumeratesProcesses (21 IoCs)
  pid: 320
  Process: 4th Hire Soa Remittance.exe
  (21 identical entries)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description: Token: SeDebugPrivilege
  pid: 320
  Process: 4th Hire Soa Remittance.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  description: PID 1348 wrote to memory of 320
  pid: 1348
  Process: 4th Hire Soa Remittance.exe
  procid_target: 27
  (7 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\4th Hire Soa Remittance.exe (PID 1348)
  Command line: "C:\Users\Admin\AppData\Local\Temp\4th Hire Soa Remittance.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - Child: C:\Users\Admin\AppData\Local\Temp\4th Hire Soa Remittance.exe (PID 320)
    Command line: "C:\Users\Admin\AppData\Local\Temp\4th Hire Soa Remittance.exe"
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken