Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
19s -
max time network
17s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
03/10/2024, 03:43
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
rm2.vmp.exe
Resource
win7-20240903-en
2 signatures
150 seconds
Behavioral task
behavioral2
Sample
rm2.vmp.exe
Resource
win10v2004-20240802-en
6 signatures
150 seconds
General
-
Target
rm2.vmp.exe
-
Size
11.4MB
-
MD5
9a722b5590def62024a8b857709b784b
-
SHA1
a31b8e1fd4da40b98c16d3012df463e8488347e2
-
SHA256
85fdd8dac21e71ad98916d2941637c882e1f39cd5255c72a9fe9436aec7f650c
-
SHA512
0607723c183271fcbd8dc636c080bc5c5ade147afe4a91c129516db07278b07475595a5ee1ad1ecb4ecfa04127418fec93e44b86ab35217a02acd9580205903c
-
SSDEEP
196608:aU9rGneSo1G/SkVqdqgJ/JIGHsjpsXuoN2miWqoYxq/NQFO5Is7RkH4:F5tSoJh/JIGusXuoN2miWYq/2wzR
Score
1/10
Malware Config
Signatures
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName taskmgr.exe -
Suspicious behavior: EnumeratesProcesses 17 IoCs
pid Process 3936 rm2.vmp.exe 3936 rm2.vmp.exe 3936 rm2.vmp.exe 3936 rm2.vmp.exe 264 taskmgr.exe 264 taskmgr.exe 264 taskmgr.exe 264 taskmgr.exe 264 taskmgr.exe 264 taskmgr.exe 264 taskmgr.exe 264 taskmgr.exe 264 taskmgr.exe 264 taskmgr.exe 264 taskmgr.exe 264 taskmgr.exe 264 taskmgr.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
description pid Process Token: SeDebugPrivilege 264 taskmgr.exe Token: SeSystemProfilePrivilege 264 taskmgr.exe Token: SeCreateGlobalPrivilege 264 taskmgr.exe Token: 33 264 taskmgr.exe Token: SeIncBasePriorityPrivilege 264 taskmgr.exe -
Suspicious use of FindShellTrayWindow 37 IoCs
pid Process 264 taskmgr.exe 264 taskmgr.exe 264 taskmgr.exe 264 taskmgr.exe 264 taskmgr.exe 264 taskmgr.exe 264 taskmgr.exe 264 taskmgr.exe 264 taskmgr.exe 264 taskmgr.exe 264 taskmgr.exe 264 taskmgr.exe 264 taskmgr.exe 264 taskmgr.exe 264 taskmgr.exe 264 taskmgr.exe 264 taskmgr.exe 264 taskmgr.exe 264 taskmgr.exe 264 taskmgr.exe 264 taskmgr.exe 264 taskmgr.exe 264 taskmgr.exe 264 taskmgr.exe 264 taskmgr.exe 264 taskmgr.exe 264 taskmgr.exe 264 taskmgr.exe 264 taskmgr.exe 264 taskmgr.exe 264 taskmgr.exe 264 taskmgr.exe 264 taskmgr.exe 264 taskmgr.exe 264 taskmgr.exe 264 taskmgr.exe 264 taskmgr.exe -
Suspicious use of SendNotifyMessage 37 IoCs
pid Process 264 taskmgr.exe 264 taskmgr.exe 264 taskmgr.exe 264 taskmgr.exe 264 taskmgr.exe 264 taskmgr.exe 264 taskmgr.exe 264 taskmgr.exe 264 taskmgr.exe 264 taskmgr.exe 264 taskmgr.exe 264 taskmgr.exe 264 taskmgr.exe 264 taskmgr.exe 264 taskmgr.exe 264 taskmgr.exe 264 taskmgr.exe 264 taskmgr.exe 264 taskmgr.exe 264 taskmgr.exe 264 taskmgr.exe 264 taskmgr.exe 264 taskmgr.exe 264 taskmgr.exe 264 taskmgr.exe 264 taskmgr.exe 264 taskmgr.exe 264 taskmgr.exe 264 taskmgr.exe 264 taskmgr.exe 264 taskmgr.exe 264 taskmgr.exe 264 taskmgr.exe 264 taskmgr.exe 264 taskmgr.exe 264 taskmgr.exe 264 taskmgr.exe -
Suspicious use of WriteProcessMemory 2 IoCs
description pid Process procid_target PID 3936 wrote to memory of 2720 3936 rm2.vmp.exe 83 PID 3936 wrote to memory of 2720 3936 rm2.vmp.exe 83
Processes
-
C:\Users\Admin\AppData\Local\Temp\rm2.vmp.exe"C:\Users\Admin\AppData\Local\Temp\rm2.vmp.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3936 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:2720
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:264