Analysis
max time kernel: 89s
max time network: 159s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 11/06/2023, 10:54
Static task: static1
Behavioral task: behavioral1
Sample: tmp.exe
Resource: win7-20230220-en
General
Target: tmp.exe
Size: 1006KB
MD5: f2b39cd2a53dc9ee05fb9ae60f2f39d4
SHA1: 47aa15669e2b4bf1b494d10d5b0d80b5303c5fd3
SHA256: 1238f48f4e4b01c29ce390b9156ab6e9c4d3a57a7142510a4750539e92bc7886
SHA512: c6d35da2307d83a248b1303f33912e498d4173e223bd4f5d232348d30a375f249d64e74fd945eb712e11f7102e2183184ffc9fcf201d68b353c9f68cbaa35d92
SSDEEP: 12288:krRqO6vKuaqrG6O8tjCowhf+Nn95kCMarnDpkDO/VYdU2nVESkTLwrJ:rdraqrG6qVitTDGDvOBSdN
Malware Config
Extracted
Family: nanocore
Version: 1.2.2.0
C2: muna001.duckdns.org:3637
C2: melionx.duckdns.org:3637
Mutex: 589f5987-ea24-4bf9-bdfc-6819b0945699
Attributes:
activate_away_mode: true
backup_connection_host: melionx.duckdns.org
backup_dns_server: 8.8.4.4
buffer_size: 65535
build_time: 2022-11-25T16:37:57.631844936Z
bypass_user_account_control: true
bypass_user_account_control_data:
clear_access_control: true
clear_zone_identifier: false
connect_delay: 4000
connection_port: 3637
default_group: 13FEB
enable_debug_mode: true
gc_threshold: 1.048576e+07
keep_alive_timeout: 30000
keyboard_logging: false
lan_timeout: 2500
max_packet_size: 1.048576e+07
mutex: 589f5987-ea24-4bf9-bdfc-6819b0945699
mutex_timeout: 5000
prevent_system_sleep: false
primary_connection_host: muna001.duckdns.org
primary_dns_server: 8.8.8.8
request_elevation: true
restart_delay: 5000
run_delay: 0
run_on_startup: true
set_critical_process: true
timeout_interval: 5000
use_custom_dns_server: false
version: 1.2.2.0
wan_timeout: 8000
Signatures

Suspicious use of SetThreadContext (1 IoCs)
  description | pid | Process | procid_target
  PID 1160 set thread context of 604 | 1160 | tmp.exe | 32

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  680 | schtasks.exe

Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid | Process
  1904 | powershell.exe
  604 | RegSvcs.exe
  604 | RegSvcs.exe
  604 | RegSvcs.exe
  604 | RegSvcs.exe
  604 | RegSvcs.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid | Process
  604 | RegSvcs.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 1904 | powershell.exe
  Token: SeDebugPrivilege | 604 | RegSvcs.exe

Suspicious use of WriteProcessMemory (20 IoCs)
  description | pid | Process | procid_target
  PID 1160 wrote to memory of 1904 | 1160 | tmp.exe | 28
  PID 1160 wrote to memory of 1904 | 1160 | tmp.exe | 28
  PID 1160 wrote to memory of 1904 | 1160 | tmp.exe | 28
  PID 1160 wrote to memory of 1904 | 1160 | tmp.exe | 28
  PID 1160 wrote to memory of 680 | 1160 | tmp.exe | 30
  PID 1160 wrote to memory of 680 | 1160 | tmp.exe | 30
  PID 1160 wrote to memory of 680 | 1160 | tmp.exe | 30
  PID 1160 wrote to memory of 680 | 1160 | tmp.exe | 30
  PID 1160 wrote to memory of 604 | 1160 | tmp.exe | 32
  PID 1160 wrote to memory of 604 | 1160 | tmp.exe | 32
  PID 1160 wrote to memory of 604 | 1160 | tmp.exe | 32
  PID 1160 wrote to memory of 604 | 1160 | tmp.exe | 32
  PID 1160 wrote to memory of 604 | 1160 | tmp.exe | 32
  PID 1160 wrote to memory of 604 | 1160 | tmp.exe | 32
  PID 1160 wrote to memory of 604 | 1160 | tmp.exe | 32
  PID 1160 wrote to memory of 604 | 1160 | tmp.exe | 32
  PID 1160 wrote to memory of 604 | 1160 | tmp.exe | 32
  PID 1160 wrote to memory of 604 | 1160 | tmp.exe | 32
  PID 1160 wrote to memory of 604 | 1160 | tmp.exe | 32
  PID 1160 wrote to memory of 604 | 1160 | tmp.exe | 32
Processes

[1] C:\Users\Admin\AppData\Local\Temp\tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
    PID: 1160
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\LHADBnfp.exe"
        PID: 1904
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\SysWOW64\schtasks.exe
        Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LHADBnfp" /XML "C:\Users\Admin\AppData\Local\Temp\tmpEC72.tmp"
        PID: 680
        - Creates scheduled task(s)

    [2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        PID: 604
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 1KB
MD5: 9a6645afc6dc8669857b562494568cc8
SHA1: b8cbfb3243402a6bab8812d6185c7039c792d9b2
SHA256: e32e93470062d303938699b26fbc6d2da8a3e4a31c6436a4c81ea48a66fa06c3
SHA512: d65f09b84d83e2437e2ccd2696936c55effe8458e0b345b82be2980353588674361e34b7b76f2fcfd18c86a052f51201d155dce2f61cd8c7392925053fcc359f