Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20230915-en -
resource tags
-
submitted
03/10/2023, 09:33
General
-
Target
Thetempest.exe
-
Size
836KB
-
MD5
1564e0d55798a05392c21c4e32af6c8b
-
SHA1
538205c2ac6d66f796a25571548c31086c2e231a
-
SHA256
030ca745bb45c5cba7e0dc933c2f36aa7c27a3716929027e1b9aa64c6ed60f81
-
SHA512
32dc533f141d22452f97fb3ce58667058b8cf3b1e23659624b2449694a010e41e6909874a808d89306f7fc85c6d2bc2bc2c64a54b9117fe6cd4614c46cfbdd9b
-
SSDEEP
24576:INPx3Tpgh9NZEak0F5SAz6uc1L9J8xVCT5ATqY2BXY6+g7:mBTMTq2MAz6VL9J8xVCT5AT2Y6N
Malware Config
Signatures
-
Checks QEMU agent file 2 TTPs 2 IoCs
Checks presence of QEMU agent, possibly to detect virtualization.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Suspicious use of SetThreadContext 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies Internet Explorer settings 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 26 IoCs
-
Suspicious behavior: MapViewOfSection 7 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 10 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Thetempest.exe"C:\Users\Admin\AppData\Local\Temp\Thetempest.exe"2⤵
- Checks QEMU agent file
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Thetempest.exe"C:\Users\Admin\AppData\Local\Temp\Thetempest.exe"3⤵
- Checks QEMU agent file
- Checks computer location settings
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\autochk.exe"C:\Windows\SysWOW64\autochk.exe"2⤵
-
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\SysWOW64\msiexec.exe"2⤵
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\Firefox.exe"C:\Program Files\Mozilla Firefox\Firefox.exe"3⤵
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
12KB
MD5dd87a973e01c5d9f8e0fcc81a0af7c7a
SHA1c9206ced48d1e5bc648b1d0f54cccc18bf643a14
SHA2567fb0f8d452fefaac789986b933df050f3d3e4feb8a8d9944ada995f572dcdca1
SHA5124910b39b1a99622ac8b3c42f173bbe7035ac2f8d40c946468e7db7e2868a2da81ea94da453857f06f39957dd690c7f1ba498936a7aaa0039975e472376f92e8f
-
Filesize
216KB
-
Filesize
624KB
-
Filesize
216KB
-
Filesize
624KB
-
Filesize
3.3MB
-
Filesize
216KB
-
Filesize
216KB
-
Filesize
756KB
-
Filesize
756KB
-
Filesize
14.6MB
-
Filesize
756KB
-
Filesize
14.6MB
-
Filesize
18.3MB
-
Filesize
18.3MB
-
Filesize
18.3MB
-
Filesize
18.3MB
-
Filesize
18.3MB
-
Filesize
18.3MB
-
Filesize
18.3MB
-
Filesize
116KB
-
Filesize
1.1MB
-
Filesize
18.3MB
-
Filesize
18.3MB
-
Filesize
3.3MB
-
Filesize
69.1MB
-
Filesize
18.3MB
-
Filesize
69.1MB
-
Filesize
4KB
-
Filesize
18.3MB
-
Filesize
4KB
-
Filesize
1.1MB
-
Filesize
18.3MB
-
Filesize
28KB
-
Filesize
1.1MB