Analysis

  max time kernel:   114s
  max time network:  148s
  platform:          windows10-2004_x64
  resource:          win10v2004-20231215-en
  resource tags:     arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  submitted:         27/03/2024, 10:16
Static task

  static1: 1 signatures

Behavioral task

  behavioral1
  Sample:     Point.exe
  Resource:   win7-20240221-en
  Signatures: 1
  Duration:   150 seconds
General

  Target:  Point.exe
  Size:    1.3MB
  MD5:     3e56975127f436aa5e8a9b9c7af5eb23
  SHA1:    acbf171b31c25a66d7af44bf9e1f5666acaa3f2c
  SHA256:  7d18e238febf88bc7c868e3ee4189fd12a2aa4db21f66151bb4c15c0600eca6e
  SHA512:  f1a2d4dcc0531ee08c3b5e407b7e250743c15d0e2f320a9d74e933a94791d1185a9dc6f5f28b9e3bc8bbc364b3c98fc72e936c45b88279c773ea4507e24b3e9f
  SSDEEP:  12288:2jwHlbKaWY6oL1T0uwJ34dW/QtQF5KXGOTBwfRzPZ15HVCjkNMOuEFcd+wtZqA8s:2yHC/QtQF5kGXZPY+1BFc2AZoyLtkwx
Malware Config

  Extracted
  Family: pikabot
  C2:
    158.220.95.214
    172.232.208.90
    194.233.91.144
    158.220.95.215
    84.247.157.112
Signatures

Suspicious use of SetThreadContext (1 IoC)

  description                   pid   Process    procid_target
  PID 456 set thread context of 4060   456   Point.exe  85

Suspicious behavior: EnumeratesProcesses (64 IoCs)

  pid   Process
  456   Point.exe
  (the same entry is listed 64 times in the report)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)

  pid   Process
  456   Point.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (1 IoC)

  pid   Process
  456   Point.exe

Suspicious use of WriteProcessMemory (8 IoCs)

  description                      pid   Process    procid_target
  PID 456 wrote to memory of 4060   456   Point.exe  85
  (the same entry is listed 8 times in the report)
Processes

  1. C:\Users\Admin\AppData\Local\Temp\Point.exe
     Command line: "C:\Users\Admin\AppData\Local\Temp\Point.exe"
     PID: 456
     - Suspicious use of SetThreadContext
     - Suspicious behavior: EnumeratesProcesses
     - Suspicious behavior: GetForegroundWindowSpam
     - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
     - Suspicious use of WriteProcessMemory

     2. C:\Windows\SysWOW64\ctfmon.exe (child of PID 456)
        Command line: "C:\Windows\SysWOW64\ctfmon.exe -p 1234"
        PID: 4060