Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
152s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
28/05/2022, 02:43
Static task
static1
Behavioral task
behavioral1
Sample
90a5c1c5dc2278063478fbc8f2ac072ccf0489d7b3f81a6ed35b7d712b4b7b84.exe
Resource
win7-20220414-en
General
-
Target
90a5c1c5dc2278063478fbc8f2ac072ccf0489d7b3f81a6ed35b7d712b4b7b84.exe
-
Size
225KB
-
MD5
c116cd083284cc599c024c3479ca9b70
-
SHA1
bf831962162a0446454e3e32d764cc0e5daafde0
-
SHA256
90a5c1c5dc2278063478fbc8f2ac072ccf0489d7b3f81a6ed35b7d712b4b7b84
-
SHA512
d89ac7d971e46ee67f6857a71d3712205d28170320386a83d9cdbda97d270626cf2a0e91e0b866d368c65eb3e47766c20c07a2baeb51feb3fe7b8d98d848e560
Malware Config
Signatures
-
Detects PlugX Payload 6 IoCs
resource yara_rule behavioral2/memory/5004-141-0x0000000000580000-0x00000000005B0000-memory.dmp family_plugx behavioral2/memory/5032-144-0x00000000007A0000-0x00000000007D0000-memory.dmp family_plugx behavioral2/memory/1288-145-0x0000000001820000-0x0000000001850000-memory.dmp family_plugx behavioral2/memory/4328-147-0x0000000002B40000-0x0000000002B70000-memory.dmp family_plugx behavioral2/memory/1288-148-0x0000000001820000-0x0000000001850000-memory.dmp family_plugx behavioral2/memory/4328-149-0x0000000002B40000-0x0000000002B70000-memory.dmp family_plugx -
Executes dropped EXE 2 IoCs
pid Process 5004 Gadget.exe 5032 Gadget.exe -
Loads dropped DLL 2 IoCs
pid Process 5004 Gadget.exe 5032 Gadget.exe -
Modifies registry class 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\CLASSES\FAST svchost.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 36003300410034003800430034003700410036003200430044003500410038000000 svchost.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1288 svchost.exe 1288 svchost.exe 1288 svchost.exe 1288 svchost.exe 1288 svchost.exe 1288 svchost.exe 4328 msiexec.exe 4328 msiexec.exe 4328 msiexec.exe 4328 msiexec.exe 4328 msiexec.exe 4328 msiexec.exe 4328 msiexec.exe 4328 msiexec.exe 4328 msiexec.exe 4328 msiexec.exe 1288 svchost.exe 1288 svchost.exe 4328 msiexec.exe 4328 msiexec.exe 4328 msiexec.exe 4328 msiexec.exe 4328 msiexec.exe 4328 msiexec.exe 4328 msiexec.exe 4328 msiexec.exe 4328 msiexec.exe 4328 msiexec.exe 1288 svchost.exe 1288 svchost.exe 4328 msiexec.exe 4328 msiexec.exe 4328 msiexec.exe 4328 msiexec.exe 4328 msiexec.exe 4328 msiexec.exe 4328 msiexec.exe 4328 msiexec.exe 4328 msiexec.exe 4328 msiexec.exe 1288 svchost.exe 1288 svchost.exe 4328 msiexec.exe 4328 msiexec.exe 4328 msiexec.exe 4328 msiexec.exe 4328 msiexec.exe 4328 msiexec.exe 4328 msiexec.exe 4328 msiexec.exe 4328 msiexec.exe 4328 msiexec.exe 1288 svchost.exe 1288 svchost.exe 4328 msiexec.exe 4328 msiexec.exe 4328 msiexec.exe 4328 msiexec.exe 4328 msiexec.exe 4328 msiexec.exe 4328 msiexec.exe 4328 msiexec.exe 4328 msiexec.exe 4328 msiexec.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid Process 1288 svchost.exe 4328 msiexec.exe -
Suspicious use of AdjustPrivilegeToken 8 IoCs
description pid Process Token: SeDebugPrivilege 5004 Gadget.exe Token: SeTcbPrivilege 5004 Gadget.exe Token: SeDebugPrivilege 5032 Gadget.exe Token: SeTcbPrivilege 5032 Gadget.exe Token: SeDebugPrivilege 1288 svchost.exe Token: SeTcbPrivilege 1288 svchost.exe Token: SeDebugPrivilege 4328 msiexec.exe Token: SeTcbPrivilege 4328 msiexec.exe -
Suspicious use of WriteProcessMemory 19 IoCs
description pid Process procid_target PID 936 wrote to memory of 5004 936 90a5c1c5dc2278063478fbc8f2ac072ccf0489d7b3f81a6ed35b7d712b4b7b84.exe 79 PID 936 wrote to memory of 5004 936 90a5c1c5dc2278063478fbc8f2ac072ccf0489d7b3f81a6ed35b7d712b4b7b84.exe 79 PID 936 wrote to memory of 5004 936 90a5c1c5dc2278063478fbc8f2ac072ccf0489d7b3f81a6ed35b7d712b4b7b84.exe 79 PID 5032 wrote to memory of 1288 5032 Gadget.exe 81 PID 5032 wrote to memory of 1288 5032 Gadget.exe 81 PID 5032 wrote to memory of 1288 5032 Gadget.exe 81 PID 5032 wrote to memory of 1288 5032 Gadget.exe 81 PID 5032 wrote to memory of 1288 5032 Gadget.exe 81 PID 5032 wrote to memory of 1288 5032 Gadget.exe 81 PID 5032 wrote to memory of 1288 5032 Gadget.exe 81 PID 5032 wrote to memory of 1288 5032 Gadget.exe 81 PID 1288 wrote to memory of 4328 1288 svchost.exe 82 PID 1288 wrote to memory of 4328 1288 svchost.exe 82 PID 1288 wrote to memory of 4328 1288 svchost.exe 82 PID 1288 wrote to memory of 4328 1288 svchost.exe 82 PID 1288 wrote to memory of 4328 1288 svchost.exe 82 PID 1288 wrote to memory of 4328 1288 svchost.exe 82 PID 1288 wrote to memory of 4328 1288 svchost.exe 82 PID 1288 wrote to memory of 4328 1288 svchost.exe 82
Processes
-
C:\Users\Admin\AppData\Local\Temp\90a5c1c5dc2278063478fbc8f2ac072ccf0489d7b3f81a6ed35b7d712b4b7b84.exe"C:\Users\Admin\AppData\Local\Temp\90a5c1c5dc2278063478fbc8f2ac072ccf0489d7b3f81a6ed35b7d712b4b7b84.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:936 -
C:\Users\Admin\AppData\Local\Temp\Gadget.exeC:\Users\Admin\AppData\Local\Temp\\Gadget.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:5004
-
-
C:\ProgramData\WS\Gadget.exeC:\ProgramData\WS\Gadget.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5032 -
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe 201 02⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1288 -
C:\Windows\SysWOW64\msiexec.exeC:\Windows\system32\msiexec.exe 209 12883⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:4328
-
-
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
25KB
MD56b97b3cd2fcfb4b74985143230441463
SHA18985c2394ed9a58c36f907962b0724fe66c204a6
SHA2565c859ca16583d660449fb044677c128a9cdedd603d9598d4670235c52e359bf9
SHA512736631b2ca37426c3915f496d5c3abdac23ffa91bd90fd8b215be2ad8735403ff9d58d1effe6791fa34a72141a5218f19808c0c4ece4100a525adbdeea4c1715
-
Filesize
25KB
MD56b97b3cd2fcfb4b74985143230441463
SHA18985c2394ed9a58c36f907962b0724fe66c204a6
SHA2565c859ca16583d660449fb044677c128a9cdedd603d9598d4670235c52e359bf9
SHA512736631b2ca37426c3915f496d5c3abdac23ffa91bd90fd8b215be2ad8735403ff9d58d1effe6791fa34a72141a5218f19808c0c4ece4100a525adbdeea4c1715
-
Filesize
41KB
MD5901fa02ffd43de5b2d7c8c6b8c2f6a43
SHA18bb71adf1c418061510c40240852c3cd61fb214c
SHA2563144079c68ba00cebfd05239a2f5bd406096ec02e13e8571ca24313df7a5b679
SHA5126500b1a0e1a5995226bfcdaf1a33867bd9ccd5b84552db73f46dc1ee44461dbb29de6d16e8bf0da0c56d15ea60a4f44f105d005de139924ecb46d274cce90bab
-
Filesize
41KB
MD5901fa02ffd43de5b2d7c8c6b8c2f6a43
SHA18bb71adf1c418061510c40240852c3cd61fb214c
SHA2563144079c68ba00cebfd05239a2f5bd406096ec02e13e8571ca24313df7a5b679
SHA5126500b1a0e1a5995226bfcdaf1a33867bd9ccd5b84552db73f46dc1ee44461dbb29de6d16e8bf0da0c56d15ea60a4f44f105d005de139924ecb46d274cce90bab
-
Filesize
121KB
MD597c11e7d6b1926cd4be13804b36239ac
SHA1b388b86a782ae14fee2a31bc7626a816c3eabc5a
SHA256a13161d957ef1bf6362cbc488a82ffca8f6f52f48143f1110616b9c540e5997a
SHA5128ee3c39651b8d5790750436d04178e0d124c6573f1f773265349683635047a8f1adc34195f1a58001e96c57da3d3504a86026d3165a832117f10e9ebb233a121
-
Filesize
25KB
MD56b97b3cd2fcfb4b74985143230441463
SHA18985c2394ed9a58c36f907962b0724fe66c204a6
SHA2565c859ca16583d660449fb044677c128a9cdedd603d9598d4670235c52e359bf9
SHA512736631b2ca37426c3915f496d5c3abdac23ffa91bd90fd8b215be2ad8735403ff9d58d1effe6791fa34a72141a5218f19808c0c4ece4100a525adbdeea4c1715
-
Filesize
25KB
MD56b97b3cd2fcfb4b74985143230441463
SHA18985c2394ed9a58c36f907962b0724fe66c204a6
SHA2565c859ca16583d660449fb044677c128a9cdedd603d9598d4670235c52e359bf9
SHA512736631b2ca37426c3915f496d5c3abdac23ffa91bd90fd8b215be2ad8735403ff9d58d1effe6791fa34a72141a5218f19808c0c4ece4100a525adbdeea4c1715
-
Filesize
41KB
MD5901fa02ffd43de5b2d7c8c6b8c2f6a43
SHA18bb71adf1c418061510c40240852c3cd61fb214c
SHA2563144079c68ba00cebfd05239a2f5bd406096ec02e13e8571ca24313df7a5b679
SHA5126500b1a0e1a5995226bfcdaf1a33867bd9ccd5b84552db73f46dc1ee44461dbb29de6d16e8bf0da0c56d15ea60a4f44f105d005de139924ecb46d274cce90bab
-
Filesize
121KB
MD597c11e7d6b1926cd4be13804b36239ac
SHA1b388b86a782ae14fee2a31bc7626a816c3eabc5a
SHA256a13161d957ef1bf6362cbc488a82ffca8f6f52f48143f1110616b9c540e5997a
SHA5128ee3c39651b8d5790750436d04178e0d124c6573f1f773265349683635047a8f1adc34195f1a58001e96c57da3d3504a86026d3165a832117f10e9ebb233a121
-
Filesize
41KB
MD5901fa02ffd43de5b2d7c8c6b8c2f6a43
SHA18bb71adf1c418061510c40240852c3cd61fb214c
SHA2563144079c68ba00cebfd05239a2f5bd406096ec02e13e8571ca24313df7a5b679
SHA5126500b1a0e1a5995226bfcdaf1a33867bd9ccd5b84552db73f46dc1ee44461dbb29de6d16e8bf0da0c56d15ea60a4f44f105d005de139924ecb46d274cce90bab