Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

3

SpySheriff.exe

windows7-x64

8

Resubmissions

25/04/2024, 04:47

240425-fezzdsfg4z 8

25/04/2024, 04:44

240425-fdbv6sfe82 7

25/04/2024, 04:30

240425-e42zlsfc57 8

25/04/2024, 04:26

240425-e2hg7afb98 8

25/04/2024, 04:23

240425-ez875afd3v 7

Analysis

  • max time kernel
    134s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    25/04/2024, 04:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SpySheriff.exe

  • Size

    403KB

  • MD5

    c899f93e8b753fedd068ef3fe2edb0fd

  • SHA1

    144b1f18d0e307d14937c21ca1d7cbfc91828a10

  • SHA256

    5c2a85fb56de2e0a1a1d260ef2177e0209477586c8a6740494bbaf40a9785f47

  • SHA512

    1aceacb4eba0815322dd3fcd273d8703408362eee3b2d2b5981d2abbe4c2b02852608f46b2e7ce46a50e921871d445c239014b5957c6ba0606bd0334ce7bd41b

  • SSDEEP

    12288:eBMDMf+ztV53y2k9I68iXDycz+rYIYsVRSHsDr:eS4S53h68eIZjD

Score
8/10
discoveryevasionpersistencespywarestealertrojan

Malware Config

Signatures

  • Modifies RDP port number used by Windows 1 TTPs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Maps connected drives based on registry 3 TTPs 5 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Checks system information in the registry 2 TTPs 2 IoCs

    System information is often read in order to detect sandboxing environments.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 21 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 64 IoCs
  • Modifies registry class 6 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe
    "C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe"
    1⤵
    • Checks BIOS information in registry
    • Checks computer location settings
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Maps connected drives based on registry
    • Checks system information in the registry
    • Checks processor information in registry
    • Enumerates system info in registry
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2240
  • C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe
    "C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe"
    1⤵
    • Modifies registry class
    PID:2140
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x540
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1360

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SpySheriff\SpySheriff.lnk
    Filesize

    1KB

    MD5

    7c7095795410a40ca4282ec40f886744

    SHA1

    80ebd57583e55e43591305ceffad2ddee6e110ef

    SHA256

    1d126c2da92cf0731ccba86dbf9a6abb5ef808b1a5c0628f493463c5e781eb35

    SHA512

    09c2c464910023ec1f94829487e34a7183195b42cf7f388f4cb2e1fb0c68bb53ce0df17084313cf12584e53540597e28c1bd4209ec6ad311c705d3031c664f4e

    Download Submit

  • memory/2140-39-0x00000000002E0000-0x00000000002E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2140-35-0x00000000002E0000-0x00000000002E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2140-36-0x0000000000340000-0x000000000036C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2140-34-0x0000000000390000-0x0000000000391000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2140-33-0x0000000000400000-0x0000000001400000-memory.dmp

    Filesize

    16.0MB

    Download

  • memory/2140-31-0x00000000003B0000-0x00000000003B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2140-32-0x00000000003A0000-0x00000000003A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2140-29-0x00000000003E0000-0x00000000003E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2140-30-0x0000000000230000-0x0000000000231000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2140-28-0x0000000000340000-0x000000000036C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2240-3-0x0000000019720000-0x0000000019721000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2240-26-0x0000000000400000-0x0000000001400000-memory.dmp

    Filesize

    16.0MB

    Download

  • memory/2240-14-0x000000001B120000-0x000000001B121000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2240-13-0x000000001B080000-0x000000001B081000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2240-15-0x000000001B010000-0x000000001B011000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2240-16-0x000000001B0B0000-0x000000001B0B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2240-17-0x000000001B050000-0x000000001B051000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2240-19-0x000000001C6D0000-0x000000001C6E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2240-18-0x00000000002A0000-0x00000000002A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2240-11-0x000000001B0F0000-0x000000001B0F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2240-25-0x000000001AFE0000-0x000000001AFE1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2240-12-0x000000001B060000-0x000000001B061000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2240-27-0x00000000003C0000-0x00000000003EC000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2240-10-0x000000001B160000-0x000000001B161000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2240-2-0x00000000001C0000-0x00000000001C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2240-0-0x00000000003C0000-0x00000000003EC000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2240-4-0x00000000003F0000-0x00000000003F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2240-7-0x0000000019770000-0x0000000019771000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2240-9-0x000000001B0D0000-0x000000001B0D1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2240-8-0x000000001AFD0000-0x000000001AFD1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2240-6-0x00000000001F0000-0x00000000001F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2240-5-0x00000000002B0000-0x00000000002B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2240-1-0x0000000019790000-0x0000000019791000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2240-49-0x0000000000400000-0x0000000001400000-memory.dmp

    Filesize

    16.0MB

    Download