Analysis
- max time kernel: 76s
- max time network: 137s
- platform: windows10-2004_x64
- resource: win10v2004-20230703-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22/07/2023, 18:05
Static task: static1
- 1 signatures

Behavioral task: behavioral1
- Sample: tmp.exe
- Resource: win7-20230712-en
- 6 signatures
- 150 seconds

Behavioral task: behavioral2
- Sample: tmp.exe
- Resource: win10v2004-20230703-en
- 6 signatures
- 150 seconds
General
- Target: tmp.exe
- Size: 306KB
- MD5: f9f7e4b734d555814439256a4550a9dd
- SHA1: 110f36964c9ad34d35e7afeb48215764500d37cd
- SHA256: 97261fee3b80f8396ae8c4c2522d7613b69b41644e5c8e03948aedf6778c3e42
- SHA512: 5d80924fe621eeb456e213812efabd545b156adcd13d83068ce76572bb199d9f10f606efd8d9c2fb0fff4b3318cde384b390b8e94cd8dc82955718cf62ea691e
- SSDEEP: 6144:ZaA+l9nqPU0wLpfAWGWrF4pXkgJFF1kCsOPF/TbL8LahOlosA:ZJ+l9sUxpUiF4lksFmCr/TbLAaAlo
- Score: 10/10
Malware Config
Signatures

- Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\ViperFolder\\FiperA.exe\","
  Process: tmp.exe

- Suspicious use of SetThreadContext (1 IoCs)
  description: PID 1452 set thread context of 2200
  pid: 1452
  Process: tmp.exe
  procid_target: 87

- Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  pid: 2200
  Process: RegAsm.exe

- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid: 1452, Process: tmp.exe
  pid: 1452, Process: tmp.exe

- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description: Token: SeDebugPrivilege
  pid: 1452
  Process: tmp.exe

- Suspicious use of WriteProcessMemory (8 IoCs)
  description: PID 1452 wrote to memory of 2200
  pid: 1452
  Process: tmp.exe
  procid_target: 87
  (the same entry is reported 8 times)
Processes

1. C:\Users\Admin\AppData\Local\Temp\tmp.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
   PID: 1452
   - Modifies WinLogon for persistence
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (child of PID 1452)
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      PID: 2200
      - Suspicious behavior: AddClipboardFormatListener