Analysis
max time kernel: 117s
max time network: 118s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 14/08/2024, 09:32
Static task: static1
Behavioral task: behavioral1
  Sample: MT103 swift copy.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: MT103 swift copy.exe
  Resource: win10v2004-20240802-en
General
Target: MT103 swift copy.exe
Size: 831KB
MD5: 5bd6fc793026df7e9afeea69d8ad2d06
SHA1: 15d698923e1e9cc1269fcd2677b8d4cc976b29ba
SHA256: 3a8cd4cbcabcc59b3b845e3db862425d9a2dbec034ff2ccd87e9ad219357488f
SHA512: 386a583f2eb598a908a10c2b3753fa14200b1ee4f6ab3ce6926d4519136c712d8504272dac423457d9ac56ce60e0e506445fd1f83bce9de72601197c9d6db1a2
SSDEEP: 24576:q5pL35i55QOcJmVRFBQE0+iWeuUMhlrPBy0:qLti55N1VrBQERiWeLMHJ
Malware Config
Signatures
- Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  PID 2300 set thread context of 2324 | 2300 | MT103 swift copy.exe | 31
- System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MT103 swift copy.exe
- Suspicious behavior: EnumeratesProcesses (9 IoCs)
  pid | Process
  2300 | MT103 swift copy.exe (2 occurrences)
  2324 | MT103 swift copy.exe (7 occurrences)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | Process
  Token: SeDebugPrivilege | 2300 | MT103 swift copy.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  description | pid | Process | procid_target
  PID 2300 wrote to memory of 1540 | 2300 | MT103 swift copy.exe | 30 (4 occurrences)
  PID 2300 wrote to memory of 2324 | 2300 | MT103 swift copy.exe | 31 (7 occurrences)
Processes
- C:\Users\Admin\AppData\Local\Temp\MT103 swift copy.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\MT103 swift copy.exe"
  PID: 2300
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MT103 swift copy.exe (child)
    Command line: "C:\Users\Admin\AppData\Local\Temp\MT103 swift copy.exe"
    PID: 1540
  - C:\Users\Admin\AppData\Local\Temp\MT103 swift copy.exe (child)
    Command line: "C:\Users\Admin\AppData\Local\Temp\MT103 swift copy.exe"
    PID: 2324
    - Suspicious behavior: EnumeratesProcesses