Resubmissions
  230731-ptx8safd79   31/07/2023, 12:37   score 10
  230731-ptndksfd76   31/07/2023, 12:37   score 7
  230731-nvq1eseh69   31/07/2023, 11:43   score 10

Analysis
  max time kernel: 7s
  max time network: 14s
  platform: windows10-2004_x64
  resource: win10v2004-20230703-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 31/07/2023, 12:37
Static task
  static1: signatures: 1

Behavioral task
  behavioral1: sample yOMHr.exe, resource win10v2004-20230703-en, signatures: 6, runtime: 1800 seconds
General
  Target: yOMHr.exe
  Size: 170KB
  MD5: 31bd0f224e7e74eee2847f43aae23974
  SHA1: 92e331e1e8ad30538f38dd7ba31386afafa14a58
  SHA256: 8b0a5fb13309623c3518473551cb1f55d38d8450129d4a3c16b476f7b2867d7d
  SHA512: a13f05a12b084ef425f542ff4be824bbccb5dbdfe085af8b7e19d81a6bcba4b8c1debcc38f6b57bc9265a4db21eed70852ece8cc62b3ef14c47fca3035a55249
  SSDEEP: 3072:2qeriftL/WSo1vDb53j/8WGUzaqVh4LI8zQpn:2trA/WSo1rl3ALrlHQpn
  Score: 7/10
Malware Config
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  description         ioc                                                                                              process
  Key value queried   \REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Control Panel\International\Geo\Nation   yOMHr.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  description       ioc                                                                                                                       process
  Key created       \REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run                    reg.exe
  Set value (str)   \REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yOMHr.exe"   reg.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid    process
  4172   yOMHr.exe
  4172   yOMHr.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description                pid    process
  Token: SeDebugPrivilege    4172   yOMHr.exe

Suspicious use of WriteProcessMemory (8 IoCs)
  description                         pid    process     procid_target
  PID 4172 wrote to memory of 2612    4172   yOMHr.exe   85
  PID 4172 wrote to memory of 2612    4172   yOMHr.exe   85
  PID 4172 wrote to memory of 2704    4172   yOMHr.exe   44
  PID 2612 wrote to memory of 1504    2612   cmd.exe     87
  PID 2612 wrote to memory of 1504    2612   cmd.exe     87
  PID 4172 wrote to memory of 2764    4172   yOMHr.exe   43
  PID 4172 wrote to memory of 2864    4172   yOMHr.exe   42
  PID 4172 wrote to memory of 3260    4172   yOMHr.exe   38
Processes

C:\Windows\system32\svchost.exe (PID 3260)
  C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\taskhostw.exe (PID 2864)
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\system32\svchost.exe (PID 2764)
  C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\sihost.exe (PID 2704)
  sihost.exe

C:\Users\Admin\AppData\Local\Temp\yOMHr.exe (PID 4172)
  "C:\Users\Admin\AppData\Local\Temp\yOMHr.exe"
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\System32\cmd.exe (PID 2612)
      "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\yOMHr.exe" /f
      - Suspicious use of WriteProcessMemory

        C:\Windows\system32\reg.exe (PID 1504)
          REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\yOMHr.exe" /f
          - Adds Run key to start application
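Added example, not part of the Triage report or of the sample: a small Python triage script that re-derives the two findings an analyst would act on first, the Run-key persistence ("Adds Run key to start application") and the Geo\Nation lookup ("Checks computer location settings"), from the report's own artefacts. It parses the REG ADD command lines recorded for PIDs 2612 and 1504 and the registry IoC lines, and flags a value written under a Run/RunOnce key, a target that lives in a user-writable directory, a value name within two edits of a real Windows process name (here "svchos" against svchost), and the country-code query. The sample inputs are constructed from the report; the lookalike name list, the writable-directory list, the regexes and the function names are this example's own assumptions, not Triage's. The WriteProcessMemory rows against PIDs 2704, 2764, 2864 and 3260 (sihost.exe, svchost.exe and taskhostw.exe, which the tree lists as separate roots rather than children of 4172) are outside what this example covers.

```python
import re
from dataclasses import dataclass

# Constructed from the report's process tree: the cmd.exe (PID 2612) and reg.exe (PID 1504) command lines.
SAMPLE_COMMAND_LINES = [
    r'"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\yOMHr.exe" /f',
    r'REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\yOMHr.exe" /f',
]
# Constructed from the report's registry IoCs, in the form Triage prints them.
SAMPLE_REGISTRY_EVENTS = [
    r'Key value queried \REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Control Panel\International\Geo\Nation yOMHr.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yOMHr.exe" reg.exe',
]

# Assumed heuristics (this example's own, not Triage's): process names malware imitates,
# directories a standard user can write to, and the autorun / geofence key suffixes.
SYSTEM_NAMES = ("svchost", "explorer", "csrss", "lsass", "winlogon", "wininit",
                "services", "taskhostw", "sihost", "dwm", "conhost", "runtimebroker")
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\appdata\\local\\",
                 "\\users\\public\\", "\\programdata\\", "\\windows\\temp\\")
AUTORUN_KEYS = ("\\currentversion\\run", "\\currentversion\\runonce")
GEO_KEY = "\\control panel\\international\\geo\\nation"

TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')
SET_VALUE_RE = re.compile(r'^Set value \((\w+)\) (.+)\\([^\\]+) = "(.*)" \S+$')

@dataclass
class RegWrite:
    key: str
    name: str
    vtype: str
    data: str

def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping double-quoted runs as one token."""
    return [m.group(1) if m.group(1) is not None else m.group(2) for m in TOKEN_RE.finditer(cmdline)]

def parse_reg_add(cmdline):
    """Pull key, /v, /t and /d out of a 'reg add' found anywhere in cmdline (e.g. behind cmd /C)."""
    toks = tokenize(cmdline)
    low = [t.lower() for t in toks]
    start = next((i + 2 for i in range(len(low) - 1)
                  if low[i].rsplit("\\", 1)[-1] in ("reg", "reg.exe") and low[i + 1] == "add"), None)
    if start is None:
        return None
    key, name, vtype, data, args, i = None, "", "REG_SZ", "", toks[start:], 0
    while i < len(args):
        flag, val = args[i].lower(), (args[i + 1] if i + 1 < len(args) else "")
        if flag == "/v":
            name, i = val, i + 2
        elif flag == "/t":
            vtype, i = val.upper(), i + 2
        elif flag == "/d":
            data, i = val, i + 2
        elif key is None and not flag.startswith("/"):
            key, i = args[i], i + 1
        else:
            i += 1  # /f, /ve, /reg:64 and anything else this example does not model
    return RegWrite(key, name, vtype, data) if key else None

def parse_set_value_event(line):
    """Turn a Triage 'Set value (type) <key>\\<name> = "<data>" <process>' IoC line into a RegWrite."""
    m = SET_VALUE_RE.match(line)
    if not m:
        return None
    vtype, key, name, data = m.groups()
    return RegWrite(key, name, vtype.upper(), data.replace("\\\\", "\\"))  # undo Triage's doubled backslashes

def edit_distance(a, b):
    """Plain Levenshtein distance; inputs are short names, so the full DP table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike(name):
    """Windows process name the value name imitates (within two edits); None if exact or unrelated."""
    n = name.lower().removesuffix(".exe")
    if n in SYSTEM_NAMES:
        return None
    return next((s for s in SYSTEM_NAMES if edit_distance(n, s) <= 2), None)

def assess(w):
    """Findings for one registry write, as short strings."""
    findings = []
    if w.key.lower().endswith(AUTORUN_KEYS):
        findings.append("autorun: value written under a Run/RunOnce key")
    if any(d in w.data.lower() for d in USER_WRITABLE):
        findings.append("user-writable autorun target: " + w.data)
    mimic = lookalike(w.name)
    if mimic:
        findings.append(f"value name {w.name!r} imitates Windows process {mimic!r}")
    return findings

def analyze(command_lines, registry_events):
    """Return (evidence, finding) pairs for every indicator recognised in the two inputs."""
    out = []
    for c in command_lines:
        w = parse_reg_add(c)
        out += [(c, f) for f in assess(w)] if w else []
    for e in registry_events:
        if GEO_KEY in e.lower() and "queried" in e.lower():
            out.append((e, "geofence: reads the configured country (Geo\\Nation) before acting"))
        w = parse_set_value_event(e)
        out += [(e, f) for f in assess(w)] if w else []
    return out

if __name__ == "__main__":
    for evidence, finding in analyze(SAMPLE_COMMAND_LINES, SAMPLE_REGISTRY_EVENTS):
        print(f"{finding}\n    from: {evidence[:90]}")
```

The same write is seen three times (the cmd.exe command line, the reg.exe command line, and the registry Set value IoC), so the script reports each finding three times; that is deliberate, since on a real host you may only have one of those three sources and each parser has to stand on its own. The lookalike check deliberately returns None for an exact system name, so a value literally called "svchost" is only caught by the user-writable-directory rule, not by the edit-distance rule.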