Analysis
- max time kernel: 165s
- max time network: 173s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25/12/2023, 16:13
Static task: static1
Behavioral task: behavioral1 (Sample: SamFwToolSetup.exe, Resource: win7-20231215-en)
Behavioral task: behavioral2 (Sample: SamFwToolSetup.exe, Resource: win10v2004-20231215-en)
General
- Target: SamFwToolSetup.exe
- Size: 54.9MB
- MD5: 25db526a01d71287418f0014685f28ed
- SHA1: e0d788bcc5540f48e8aa4357c2a0eabc6c3ebf68
- SHA256: 4c806ae6ba9909989128c6b2fac18ccb9dab2090dc3941cb24711f1db4be2fb0
- SHA512: 12f31fe7eeced9125555e691c8d84070ef818f28db571ae3abed73a53546aaf1f121f9c2ac23175e3c4e257640105bb0c7a2f85013d9a089ccf6050bd476990e
- SSDEEP: 1572864:d63HFhdZRARLmKz+pruxp2m7UeC2HPh4umu:o3HVZeRvzb2m7UVq7t
Malware Config
Signatures

Executes dropped EXE (3 IoCs)
  pid   Process
  4324  SamFwToolSetup.tmp
  1200  7za.exe
  5040  SamFwTool.exe

Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  161   ip-api.com

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (5 IoCs)
  pid   Process
  4324  SamFwToolSetup.tmp
  4324  SamFwToolSetup.tmp
  5040  SamFwTool.exe
  5040  SamFwTool.exe
  5040  SamFwTool.exe

Suspicious use of AdjustPrivilegeToken (5 IoCs)
  description                 pid   Process
  Token: SeRestorePrivilege   1200  7za.exe
  Token: 35                   1200  7za.exe
  Token: SeSecurityPrivilege  1200  7za.exe
  Token: SeSecurityPrivilege  1200  7za.exe
  Token: SeDebugPrivilege     5040  SamFwTool.exe
  (Token: 35 is the privilege reported by LUID rather than name; LUID 35 is SE_CREATE_SYMBOLIC_LINK_PRIVILEGE, i.e. SeCreateSymbolicLinkPrivilege. SeRestore/SeSecurity/SeCreateSymbolicLink are the privileges 7-Zip enables when extracting with full attributes; SeDebugPrivilege on SamFwTool.exe is the one worth a second look.)

Suspicious use of FindShellTrayWindow (2 IoCs)
  pid   Process
  4324  SamFwToolSetup.tmp
  5040  SamFwTool.exe

Suspicious use of SendNotifyMessage (1 IoC)
  pid   Process
  5040  SamFwTool.exe

Suspicious use of WriteProcessMemory (13 IoCs)
  description                        pid   Process             procid_target
  PID 1428 wrote to memory of 4324   1428  SamFwToolSetup.exe  91
  PID 1428 wrote to memory of 4324   1428  SamFwToolSetup.exe  91
  PID 1428 wrote to memory of 4324   1428  SamFwToolSetup.exe  91
  PID 4324 wrote to memory of 1200   4324  SamFwToolSetup.tmp  105
  PID 4324 wrote to memory of 1200   4324  SamFwToolSetup.tmp  105
  PID 4324 wrote to memory of 1200   4324  SamFwToolSetup.tmp  105
  PID 4324 wrote to memory of 5040   4324  SamFwToolSetup.tmp  110
  PID 4324 wrote to memory of 5040   4324  SamFwToolSetup.tmp  110
  PID 4324 wrote to memory of 5040   4324  SamFwToolSetup.tmp  110
  PID 5040 wrote to memory of 1616   5040  SamFwTool.exe       111
  PID 5040 wrote to memory of 1616   5040  SamFwTool.exe       111
  PID 1616 wrote to memory of 1052   1616  cmd.exe             113
  PID 1616 wrote to memory of 1052   1616  cmd.exe             113
  (Every (writer, target) pair here is a parent writing to a child it has just created; the five distinct pairs are exactly the five parent/child edges of the process tree below, so this signature records process creation, not injection into an unrelated process.)
Processes

C:\Users\Admin\AppData\Local\Temp\SamFwToolSetup.exe (PID 1428)
  Command line: "C:\Users\Admin\AppData\Local\Temp\SamFwToolSetup.exe"
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\is-CVPOP.tmp\SamFwToolSetup.tmp (PID 4324)
    Command line: "C:\Users\Admin\AppData\Local\Temp\is-CVPOP.tmp\SamFwToolSetup.tmp" /SL5="$600E8,56697704,832512,C:\Users\Admin\AppData\Local\Temp\SamFwToolSetup.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory

    C:\SamFwTool\data\7za.exe (PID 1200)
      Command line: "C:\SamFwTool\data\7za.exe" x "C:\SamFwTool\data.7z" -o"C:\SamFwTool\" * -r -aoa
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken

    C:\SamFwTool\SamFwTool.exe (PID 5040)
      Command line: "C:\SamFwTool\SamFwTool.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory

      C:\Windows\system32\cmd.exe (PID 1616)
        Command line: "C:\Windows\Sysnative\cmd.exe" /c driverquery /FO list
        - Suspicious use of WriteProcessMemory

        C:\Windows\system32\driverquery.exe (PID 1052)
          Command line: driverquery /FO list

Reading the tree:
- The is-XXXXX.tmp\<name>.tmp second stage started with /SL5="$...,<offset>,<offset>,<original exe>" is the Inno Setup setup loader unpacking and running its embedded installer; this is standard Inno Setup behaviour, not something specific to this sample.
- The 7za.exe command extracts data.7z into C:\SamFwTool\ with full paths (x), recursing (-r) and overwriting any existing files without prompting (-aoa). The privileges it enables (see AdjustPrivilegeToken above) are the ones 7-Zip requests to restore file attributes and symbolic links.
- cmd.exe is launched through C:\Windows\Sysnative, the alias a 32-bit process uses to reach the native 64-bit System32 despite WOW64 file system redirection; that the path resolved (the image is C:\Windows\system32\cmd.exe) means SamFwTool.exe runs as a 32-bit process, consistent with the arch:x86 tag on this analysis.
- driverquery /FO list enumerates installed drivers; together with the Uninstall-key and physical-drive enumeration signatures, this is host inventory rather than code execution or persistence.
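The WriteProcessMemory signature and the process tree above carry the same information twice, in different shapes. The following script is an added example (not part of the Triage report or the SamFwTool project) that parses the 13 IoC rows copied verbatim from the signature, deduplicates them into distinct (writer, target) pairs, rebuilds the process tree from those pairs, and separates out any write whose writer is not the target's creating parent, which is the case that would actually indicate cross-process injection. The pid-to-name map is filled in from the Processes section; nothing else is assumed.

```python
import re
from collections import defaultdict

# Rows copied from the report's "Suspicious use of WriteProcessMemory" signature.
# Columns: description, pid (writer), Process (writer image), procid_target
# (Triage's own per-process identifier, not a Windows PID).
WPM_IOCS = """
PID 1428 wrote to memory of 4324 1428 SamFwToolSetup.exe 91
PID 1428 wrote to memory of 4324 1428 SamFwToolSetup.exe 91
PID 1428 wrote to memory of 4324 1428 SamFwToolSetup.exe 91
PID 4324 wrote to memory of 1200 4324 SamFwToolSetup.tmp 105
PID 4324 wrote to memory of 1200 4324 SamFwToolSetup.tmp 105
PID 4324 wrote to memory of 1200 4324 SamFwToolSetup.tmp 105
PID 4324 wrote to memory of 5040 4324 SamFwToolSetup.tmp 110
PID 4324 wrote to memory of 5040 4324 SamFwToolSetup.tmp 110
PID 4324 wrote to memory of 5040 4324 SamFwToolSetup.tmp 110
PID 5040 wrote to memory of 1616 5040 SamFwTool.exe 111
PID 5040 wrote to memory of 1616 5040 SamFwTool.exe 111
PID 1616 wrote to memory of 1052 1616 cmd.exe 113
PID 1616 wrote to memory of 1052 1616 cmd.exe 113
"""

# Image names per pid, taken from the report's Processes section.
NAMES = {
    1428: "SamFwToolSetup.exe",
    4324: "SamFwToolSetup.tmp",
    1200: "7za.exe",
    5040: "SamFwTool.exe",
    1616: "cmd.exe",
    1052: "driverquery.exe",
}

ROW = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)")


def parse_edges(text):
    """Return distinct (writer_pid, target_pid, writer_name) triples.

    The sandbox emits one row per write during process creation, so the same
    pair repeats two or three times; collapse repeats, keeping first-seen order.
    """
    seen = {}
    for m in ROW.finditer(text):
        writer, target, _pid, name, _target_id = m.groups()
        seen.setdefault((int(writer), int(target)), name)
    return [(w, t, n) for (w, t), n in seen.items()]


def build_tree(edges):
    """Derive parent/child links from the writes.

    The first writer to a pid is treated as its creating parent. Any later,
    different writer to the same pid is returned separately in `extra`: that
    is a write into a process the writer did not create, i.e. the injection
    case this signature is really meant to catch.
    """
    parent, children, extra = {}, defaultdict(list), []
    for writer, target, _ in edges:
        if target in parent:
            if parent[target] != writer:
                extra.append((writer, target))
            continue
        parent[target] = writer
        children[writer].append(target)
    return parent, children, extra


def roots(parent, children):
    """Pids that write to others but were never written to themselves."""
    return [p for p in children if p not in parent]


def render(parent, children, names):
    """Indented tree, two spaces per level, in creation order."""
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{pid} {names.get(pid, '?')}")
        for child in children.get(pid, []):
            walk(child, depth + 1)

    for r in roots(parent, children):
        walk(r, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    edges = parse_edges(WPM_IOCS)
    parent, children, extra = build_tree(edges)
    print(f"{len(edges)} distinct writer/target pairs from the IoC rows")
    print(render(parent, children, NAMES))
    print("cross-process writes:", extra or "none")
```

Run against the rows above it yields five pairs and the same six-process tree as the Processes section, with no cross-process writes; on a report where a process writes into a pid it did not spawn, that pair shows up in `extra` instead of silently becoming a tree edge.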
Network
MITRE ATT&CK Enterprise v15
Downloads

Download 1
- Filesize: 13.5MB
- MD5: e49fa2ed42f42772cf5883af457d163e
- SHA1: 53a1a59385ed27ff41f88f7b698bf17c0e49398c
- SHA256: 109d2ea3b9e7efa08c76b57bbaa6ef2e0d7788764ba56c641c69abd396e3cff7
- SHA512: f433fd629495aa44719f5393a49d25abb06da85663d7dc9c30ff4823e385655f1d5376cee42233add5e573ce8a56b2bbc0c806fee5ae71fe12c1de33bce08644

Download 2
- Filesize: 3.1MB
- MD5: f7d1fd3a5d5bf023d18cdba47ecc363b
- SHA1: d25d0b90a55c5bb92cb5cb3fe1c362b6b022ed9d
- SHA256: 8beb72bad444aa3b3cedb8a5302f018cd43b6462d22704bf6cb1b98e785521ac
- SHA512: 21f2ba300887c0309e40dab2dc2f5a16bb8c1560fb851eea3d2fcc151ba9fed620a5b363c7f0c7506b843b89651ead2cab09dad87bb69461e45c2c2254919891

Download 3
- Filesize: 3.6MB
- MD5: 208d95fa28e488bbe39f07ccf97dc284
- SHA1: d0be59aac5d44bc6b976a7c1a30ead221f2d591f
- SHA256: a11e3e8a3ff2aef185fd646635b5b4bf36cc06566df161d7ae694347a1a607d7
- SHA512: a5c49d66c41304f7538456b01430824ba3f8d6288529a28d60aa32fc5438b143d8a933c3da1d1e442ef5cc452866d088cd55bd9042f6cfac1d126de8d1a9c0dd

Download 4
- Filesize: 2.7MB
- MD5: 55e4a3bf183fcf549361e94041d05fa2
- SHA1: 14781f00bfab823d5597fb294121ac0a6222c2fa
- SHA256: 21b0ad34851c3f7d942153a9bbe3527b1a4b1be4501da59ea3ac910d1d5bd12f
- SHA512: 0c5e60bbb1eae58ebda1e6e2cfc44c0065cb036cf1fddd19a3a05e8db9fc128e46ffef558cbbf43646315988d5ad773558034231e18ddcbdc2c5b2df6483e14a

Download 5
- Filesize: 676KB
- MD5: 2e3309647ce678ca313fe3825a57ccb9
- SHA1: 792fdeccddd3cc182eac3a1ecd7affe5b48262c8
- SHA256: e6855553350fa6fb23e05839c7f3ef140dad29d9a0e3495de4d1b17a9fbf5ca4
- SHA512: 5eb2af380fed7117d45232d42dec4d05a6f4f6cd6c7d03583c181b235344ea922290b6e0bf6b9683592bccc0f4a3b2b9b9fd7d41fbfebf1045bd95b027539dbc

Download 6
- Filesize: 166KB
- MD5: 3935ec3158d0e488da1929b77edd1633
- SHA1: bd6d94704b29b6cef3927796bfe22a2d09ee4fe7
- SHA256: 87cbd1f3bf5ab72089a879df110263784602a574c0ae83f428df57ae2f8115db
- SHA512: 5173891b1dfad2298910236a786c7b9bbcfce641491a25f933022088c81465fb93fd2385d270e9a0632f674355538da464d1edacf511140d6f31d91d1afe64fc

Download 7
- Filesize: 2.7MB
- MD5: 358ab389a14a54f50b1dc8b902e320fa
- SHA1: 800b99305f664b93cc967ed03b75bb8927f3ee2d
- SHA256: 500f472a69b85f36046ea44d44616978e4ae405895c51d1f90339158ffa3c012
- SHA512: 2177134c587b44c9a0083e06bcd9398edc530a810ee1e42cdb093ffe92c5f9c9b7c7aceb1ef0565e95d89961b92c6193013af555373a81481debc74683676614

Download 8
- Filesize: 3.1MB
- MD5: a8b23ad9a79ad0c6b7f35fe4b8b13d18
- SHA1: 8e48738f2e3c97b0f2b55b5fbe2cd7169e5a739c
- SHA256: 96b11c755407f46282254deebff3a09daf8a60c5a1808a6ebb7d1d7c5f36810e
- SHA512: 5b525730d5a959bd7dab061b78fa9537fdff492e90ec78e081fd62318c537cf0964fbfa6a0d5916308201147c3b6590846496ff5e0414a3d3d96ecc576374a14
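Before relying on this report for a file you hold, confirm the file is the same object the sandbox ran: the General section gives the submitted sample's digests and the Downloads section gives digests for the dropped files. The script below is an added example (not code from the report, tria.ge or the SamFwTool project) that pulls the labelled digests out of report text, tolerating the "MD5<hex>" form in which this page's Downloads entries were extracted as well as the spaced form, validates each digest's length for its algorithm, and compares a file or byte string against them in one pass. It uses only the standard library and assumes hashlib's md5 is available (it is not on FIPS-restricted builds); the two REPORT_* strings are copied from the sections above.

```python
import hashlib
import io
import re
import sys

# Text copied from the report's General section (spaced label/value form).
REPORT_GENERAL = """
MD5
25db526a01d71287418f0014685f28ed
SHA1
e0d788bcc5540f48e8aa4357c2a0eabc6c3ebf68
SHA256
4c806ae6ba9909989128c6b2fac18ccb9dab2090dc3941cb24711f1db4be2fb0
SHA512
12f31fe7eeced9125555e691c8d84070ef818f28db571ae3abed73a53546aaf1f121f9c2ac23175e3c4e257640105bb0c7a2f85013d9a089ccf6050bd476990e
"""

# The first Downloads entry as it was extracted (label fused to the digest).
REPORT_DOWNLOAD_1 = """Filesize
13.5MB
MD5e49fa2ed42f42772cf5883af457d163e
SHA153a1a59385ed27ff41f88f7b698bf17c0e49398c
SHA256109d2ea3b9e7efa08c76b57bbaa6ef2e0d7788764ba56c641c69abd396e3cff7
"""

# Label optionally followed by whitespace, then a run of hex; the alternation
# is ordered so "SHA1" cannot match the start of "SHA512" (the next character
# after "SHA" differs) and "SHA512" is still tried last.
HASH_RE = re.compile(r"\b(MD5|SHA1|SHA256|SHA512)\s*([0-9a-fA-F]{32,128})\b")
DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


def parse_hashes(text):
    """Return {algorithm: lowercase hex digest} found in report text.

    Rejects a digest whose length does not fit its label, which is what a
    truncated or mis-joined extraction looks like.
    """
    found = {}
    for label, hexval in HASH_RE.findall(text):
        if len(hexval) != DIGEST_LEN[label]:
            raise ValueError(f"{label} digest has {len(hexval)} hex chars, "
                             f"expected {DIGEST_LEN[label]}")
        found[label] = hexval.lower()
    return found


def digest_stream(fileobj, algorithms):
    """Read fileobj once and feed every requested hashlib algorithm."""
    hashers = {a: hashlib.new(a) for a in algorithms}
    for chunk in iter(lambda: fileobj.read(1 << 20), b""):
        for h in hashers.values():
            h.update(chunk)
    return {a.upper(): h.hexdigest() for a, h in hashers.items()}


def _mismatches(actual, expected):
    """{algorithm: (expected, actual)} for every digest that differs."""
    return {a: (expected[a].lower(), actual[a])
            for a in expected if expected[a].lower() != actual[a]}


def verify_bytes(data, expected):
    return _mismatches(digest_stream(io.BytesIO(data), [a.lower() for a in expected]), expected)


def verify_file(path, expected):
    with open(path, "rb") as f:
        return _mismatches(digest_stream(f, [a.lower() for a in expected]), expected)


if __name__ == "__main__":
    # Usage: python verify_sample.py <path to SamFwToolSetup.exe>
    expected = parse_hashes(REPORT_GENERAL)
    bad = verify_file(sys.argv[1], expected)
    print("all digests match the report" if not bad else f"MISMATCH: {bad}")
```

An empty result from verify_file means every algorithm the report lists agrees with the local file; a non-empty one names the algorithms that differ, with both values, so a stale or re-packed build is caught rather than analysed under someone else's report.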