Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Resubmissions
25/04/2024, 04:47
240425-fezzdsfg4z 825/04/2024, 04:44
240425-fdbv6sfe82 725/04/2024, 04:30
240425-e42zlsfc57 825/04/2024, 04:26
240425-e2hg7afb98 825/04/2024, 04:23
240425-ez875afd3v 7Analysis
-
max time kernel
187s -
max time network
173s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
-
submitted
25/04/2024, 04:30
General
-
Target
SpySheriff.exe
-
Size
403KB
-
MD5
c899f93e8b753fedd068ef3fe2edb0fd
-
SHA1
144b1f18d0e307d14937c21ca1d7cbfc91828a10
-
SHA256
5c2a85fb56de2e0a1a1d260ef2177e0209477586c8a6740494bbaf40a9785f47
-
SHA512
1aceacb4eba0815322dd3fcd273d8703408362eee3b2d2b5981d2abbe4c2b02852608f46b2e7ce46a50e921871d445c239014b5957c6ba0606bd0334ce7bd41b
-
SSDEEP
12288:eBMDMf+ztV53y2k9I68iXDycz+rYIYsVRSHsDr:eS4S53h68eIZjD
Malware Config
Signatures
-
Modifies RDP port number used by Windows 1 TTPs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Maps connected drives based on registry 3 TTPs 5 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Checks system information in the registry 2 TTPs 2 IoCs
System information is often read in order to detect sandboxing environments.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 21 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 64 IoCs
-
Modifies Internet Explorer settings 1 TTPs 64 IoCs
-
Modifies registry class 3 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 12 IoCs
-
Suspicious use of WriteProcessMemory 24 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe"C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe"1⤵
- Checks BIOS information in registry
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Maps connected drives based on registry
- Checks system information in the registry
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://www.spy-sheriff.com/license.php?s=2094271626&a=0&sa=0&ln=0&vrt=32⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1592 CREDAT:275457 /prefetch:23⤵
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://www.spy-sheriff.com/license.php?s=2094271626&a=0&sa=0&ln=0&vrt=32⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2144 CREDAT:275457 /prefetch:23⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://www.spy-sheriff.com/license.php?s=2094271626&a=0&sa=0&ln=0&vrt=32⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1148 CREDAT:275457 /prefetch:23⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5109ff74b0fd744dfef6650750b0a58e8
SHA12abe8497208744af818b0599190c83e17ef6b15e
SHA2569987c1e67a62f45ca1a2c38a6691c770eef2bb815f1ca3a1d1c770ead4acd49d
SHA5121b5a9a72210f6e4e1add2b8fa4ad4b8eaf8ca8a5bccdaf824f7d549d940afb03d94baae8246d1f00b303fe5f9aad6904f67df35b3c968ffd4d680bc2c8e8850b
-
Filesize
472B
MD5430a2f7afd1db005d371c4ff054443b8
SHA18d92df082062110ba4100eb42285054f467074a3
SHA256ba736c3410b600ccb29d09f95b2bf6347d508d3fd7add53fdc97df41f83a0263
SHA512e2033c63ff49eecb4c9d38124b2107ec4743404ec887e1f3c2e5f5a949b48d267005b2213bd6612dba3bbca90cb7386702d47b8cc53e533cbf2cb6f5f17baac3
-
Filesize
68KB
MD529f65ba8e88c063813cc50a4ea544e93
SHA105a7040d5c127e68c25d81cc51271ffb8bef3568
SHA2561ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa
-
Filesize
724B
MD5ac89a852c2aaa3d389b2d2dd312ad367
SHA18f421dd6493c61dbda6b839e2debb7b50a20c930
SHA2560b720e19270c672f9b6e0ec40b468ac49376807de08a814573fe038779534f45
SHA512c6a88f33688cc0c287f04005e07d5b5e4a8721d204aa429f93ade2a56aeb86e05d89a8f7a44c1e93359a185a4c5f418240c6cdbc5a21314226681c744cf37f36
-
Filesize
410B
MD5daac2a886a8154523fee4605d5a1d0b9
SHA1ff4b0e7dca4f52c9c9252f88fea8f51965143e0a
SHA256c0e4794210e89a14bc2e72c3e826ba15bcd0029c9963cc386a1c232730a8bd5e
SHA51270d8d5840950d0f9724c3a38696fc8784c375f38a7cbb1aa93f0260f6bcd8c5b5cb730140326f25b1eee00ce39c2e82c731d8cfd6c42f0eec36885ae5669ea9d
-
Filesize
402B
MD511afd5e2d3187100e69eb92615d89fbe
SHA15d467b80e4fdb73ff2e89b664165b2b698059d44
SHA256656f16fc1e9bcd08477ff23d7d27bf10f6339c33ae335398126c748ed46ce0c4
SHA51249df3cac5bca90a065a0c932758e02b53caf6843fe8176aba661cc2dc96732caade499a40c320030a09f4d2f4e9ddedcafa857c2169e4fd7db6a59df2955d7b5
-
Filesize
344B
MD517bc4562158119b7a885a6118986242b
SHA1c62456de4c1ff882ef5fabf0bae0e1d22cfd0af9
SHA2564a40050a10a838d8c370bf0a2393acbacd931a8bac746d9542220bab8816724d
SHA512064f49f177cf5bf57fee7fa13eef75ad3efa4f87edaa767fce57629753a74895cc9d5ba2b77ded5aea1cb02de0a048aba0c9f7af4e27e5f660b10aebabac9298
-
Filesize
344B
MD5da4c73176dd95a77251858c0306044c3
SHA1137a2da63ab170d35654edcbf404a26402cd2a3b
SHA25617f71c38009ef9cb9b387fda3fd6c417e3a60fd71ba4b6ecf8352a6bf9539105
SHA512529527328fad1c87776045a988b8c7a8cc0f9cbc32457688b96e91d6cc8f301272d94cadd3edd3417ea322b9bc45dff28035df34d21eb536aff3eec828341d9d
-
Filesize
344B
MD5954be63dfbf515339125b0ab57cb86ce
SHA126b957b0a2ad0f66df2152d22c82c274a25ea943
SHA256fa230e4361156853e5885d2dab46c3e722829c1dd12d3c4b0b73520520be819f
SHA51208837ed9044d85cfd6faf8c78ab88f9f5c73f6d77c04219577ffa114949c5829ac334252174eb4624e41cf72d4b069bea6df06db1ba11b23e1d234e656b927a3
-
Filesize
344B
MD56bb04c5125ba98d1f05374dc0e2862b9
SHA1dac8b035e155f86d170db1c6f03990c6fbb68b02
SHA25693a99aeda55f00231bea65a1eda66f3b70d06e6ff8a194a63a3ffbfaf7fd195c
SHA512bda11e161208fc0ff415606f3e3cc8912cddf6b0fe0bcc3176d68283c487a66eceb05593246e5d30fbe6184c50ea1d479a5842b3d506596e17732a8e4dd761d2
-
Filesize
344B
MD581cdf2e39359009487ebdc1a796bd175
SHA1c989c72aa5a3a5ca8f4780c5d0c5a10a3f99879d
SHA256c14ff935b2811f7dfbc911911f2bfce622aa044590777fa989f3f5e5aafdfe6f
SHA512deb08724ab927e006649bb9d22f773cb94f47515fe144c93eafb7715c30d40e95eec6cbbac662ab543ea476e0f931966b0cd30c1ff1ae5b7f3e2e49102653d0d
-
Filesize
344B
MD5073796aa62a7e854d2d0d6652e253c56
SHA190816586633b6af6ec4decdf6f7045a45ec305fb
SHA25649cab87676bd2d0af9f72f83fc1c3e1c34926c8557ca2eaa0d621a0d751bc103
SHA512155db24ec7e5ac34b7bb9ec8a67e7796d0e48f9bc1531e8cc9476fd04b770f368e06182d0e4ab65b64e95e0d7324063e3c839a56e2a6d5e983a1ba4ebbfa23de
-
Filesize
344B
MD5c798ffd7f974b92400a575f365c16af6
SHA1e39cfdb8797987d77dc2dca9d734263d952c9957
SHA2562e161670e766a332433788264d51ea3db8ec6f886e9c2139ee010766010c2163
SHA512b00ff8453be2f1cf3bd2e33783c1e8f04f5573735bc675313f1bc730721c0910fd135a56d9a506be49a050fc6c91f84fba4cec4df77cac6ab169e9c1cd67e272
-
Filesize
344B
MD5b95cd7db22bfbed9b40290458e99b966
SHA19bc61de09edaf5b594288926a37c9ee15fa327a8
SHA256e587994717a719eb3d5c6b150dc577a99e851750dc3cb834e81426c68dbf4923
SHA512da461b36d250682f1828fabaf356a4c242586f7f6438bc5d427534443f0598f872182ac9cac0da9e9228d6110779a0494bd22e4ddc6a2264b1667fa90d04f8de
-
Filesize
344B
MD51ff8ab617aceddc0ea583d442fcf1506
SHA18c1a21076c65e37f7033b0480073a580c016035f
SHA25677b160ba1b2744fa519b740657fcf9a282deb3e55a2bc9dfa5d84b121abaec77
SHA51249f01e0cd27eeb0c48270bf648151a0a1a6bab455430b597cfb99fa8622ecc604341abd99c4fecbc41f52944e02529514a470bd6ab2396742340df369f321cf9
-
Filesize
344B
MD5f125e80267282a790030b438044b5fb8
SHA15821bd45962707df91744488463d02065825e358
SHA256921fd7cc78aa728db058a30a191d490dc8aa8ee5cae9551d687bdc3526a80328
SHA512db4ee10ac21d2061150fb30ceb2fca0ebd064859d11a08f19af59231f4c2986b48da0251d7709a5440003312f1cd63c24c54b2b515cb40c7af6d2cc687a005a3
-
Filesize
344B
MD54a679cf334aa8fb933cac656c23888b9
SHA1b3c5c27f6bfad035b1da069814c9965276e1154d
SHA256c41a6c1a001c23608d8540c23e08e7ac4fba877f952f185b8d38fae5a9faa652
SHA5121e6f0ddb71a6bd4c1a272791f9a41fd412e3f8b9a5b752cce35f771cd6cc94806c6e5fc977a5dff322d2c196fa3330755cd805c2f2d2101718dad46b72075bbf
-
Filesize
344B
MD53eb5f7620790900a6b3bc92ab9b94e4a
SHA11b3c80612bbd9dab5ba423160d1972cba9fa4dc7
SHA2565f87a2f35d05355416fd201794de97f74f6ba5ff32e2ded68e615f067210ec38
SHA51201e8c926ed6fe26a550d547e250dcb93bdf9b0f28205cebf7a7e5075603718abfcf09530630ab30ed836cf3c61a90e25e9de1c3b73cd7f1a40e6724541709b81
-
Filesize
392B
MD5bf833ef71ad58c4987faf4d317ce0f0e
SHA1ce67e168d18e4f88a58bdf25fd636cabe187c1df
SHA256efc64a8a3d8f3c61c6904217de060d8841b8d72fcaf2fe970d720952c886777c
SHA512ed19b514ec2b6cf553d235bcac48890fc8f0d1730b1586d8fc0cf20fb6933017a6b2b21d4116b9648ab667707fe3b4793d54ad57b1bd6b4e4cf1832432ae4bee
-
Filesize
5KB
MD51e31227235976fdbe20d64f10a979ebd
SHA1c7d555b8c543008760750a466d9ece68adcc2302
SHA2566224346fd8b1cf11b3f6cbb438e6514d7780b7c7371362c5023dc67f373210c4
SHA512114cda5733421963d456a7a4a754f0659ef6c00a54f70ceb7b244490189c67ee878dbc1ea177b6c4b3f9dc1e9915185ca9e4e593b161b7db5d279ac7310ef230
-
Filesize
5KB
MD55cfb007050ef7f80db8e2b7e4739566c
SHA1663d9e50ff39cfddc51d5aab77d2f45efe7d82d3
SHA2563f1c776c9069b55238e726c4db0c0433bbd900e193c30ec4e2b67ad0794473cd
SHA5128d6f79cb3287ea69b3139a3fb101153216d8e1626fef9199e62de6db5f9ecc39a1c80546f0e9a5939ae2f7d88dad52afe546d660659fb20553c79ec9c144bede
-
Filesize
5KB
MD5d7eb94c371446460b34d57c82a047c8f
SHA1a147838e0c7ff6e8aa4bb70a78897e23763cffc4
SHA256bcbc1416f5f3c5b95bca69b79698ce0b8716f15705cd0bb49f7a8d8e375a5e35
SHA5129551705bd156b204bb9be70dd07aaf9e371112835f84331c7c784f47e59524ab5b6c31fa18236fc196d950ab2ce93c9d729fab6b4d800ae536a52b1d70f952dc
-
Filesize
4KB
MD5dd26482fe269a29abf8a556cd27ba448
SHA1f63685c756e2c1cb547c102e6370c2522d4c9fba
SHA25638a073a035d6d315dc32a226357640e440e463f2480b4ccc38e7479681c1a9ae
SHA512ce1393b7995195e5505a39dd03707b8ed17a735cea71f85dd21d10d1486e9a21553a110c74bf58bdc753bdac77a05ceba95cd47873daa3237add2fca77c10636
-
Filesize
4KB
MD5d7042ec5e18f4231ea696581d28373a2
SHA107b0be4975978a2d71e5c2b85ff4c2b3225c137b
SHA256f6247209b9ade2e8801dddb5e4d7c6a2e00ddb1c883af114ba4524999fda08ea
SHA512fdda78f0dd05f74f8567b04a33649bcc190afb45fef692f0e583c4c825490a183bb22feb8bb4b754b5a5e58a829cf538bb9f5ab3575356f9df09506a6a081160
-
Filesize
65KB
MD5ac05d27423a85adc1622c714f2cb6184
SHA1b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA5126d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d
-
Filesize
177KB
MD5435a9ac180383f9fa094131b173a2f7b
SHA176944ea657a9db94f9a4bef38f88c46ed4166983
SHA25667dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA5121a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a
-
Filesize
16KB
MD5ad6a400207a6d459053136b6c45f730a
SHA16f129842beb653a881b9baca742351d97a447043
SHA256e17ddb3cc1b446a86a30bb8b527d39c7129ee0c59caebea0c0a3ec10de924bc7
SHA51275687d54a88b6d694aad9a8749d6ec27ee013c1efb2adcb50350e746a33688601c3623417e1e2efb6e206f92ad7842810a36a38ff0d3eed46d58654a6b63747a
-
Filesize
1KB
MD5cbb559c56a98d87be860648f9649f9ad
SHA19588901389edc9c381b99c699a2b3f4e12c2c4dc
SHA2566c491ba01d947361c2f1ecce1ec7dc0c820e63e84535e055b97d8244f8c01e8b
SHA512169816060649345a33b79874b5249a904900c3db427f61e163914aaddad87320cddf696c87c8167b57b1449323d70f7ef731b4d27a88150b772b2adc9f7d67f3
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
16.0MB
-
Filesize
4KB
-
Filesize
176KB
-
Filesize
176KB
-
Filesize
64KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
16.0MB
-
Filesize
4KB
-
Filesize
64KB
-
Filesize
4KB