Analysis
max time kernel: 148s
max time network: 272s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12/09/2022, 15:26
Static task
static1
Behavioral task
behavioral1
Sample
56db3f2732926357632cd95d020dd6abbdee2f40596deafd9c9ce849cc5cf86c.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
56db3f2732926357632cd95d020dd6abbdee2f40596deafd9c9ce849cc5cf86c.exe
Resource
win10v2004-20220812-en
General
Target: 56db3f2732926357632cd95d020dd6abbdee2f40596deafd9c9ce849cc5cf86c.exe
Size: 2.4MB
MD5: a0b623e5db90e7b7f91a350fcbfd661b
SHA1: 12e71a986e8f65a19c7e7a99da8c049c70f533b5
SHA256: 56db3f2732926357632cd95d020dd6abbdee2f40596deafd9c9ce849cc5cf86c
SHA512: c75234cea7a872c7314a895d17ce6ff1a20f28f76631f21ca6f4e9fc8baf39287fe1d6bc0bf0b4005ca25c4816cebb4e91146d074e24308b702e45e78c2c00ca
SSDEEP: 49152:7Rozi307t/SoJvnGjQUlJrQu6Kci17kejlkH1og/61H99GoBKxCdMr0B0IaV2aLh:7RoziE7JnGkUTrQfipjlkuH1HbGVxCdI
Malware Config
Signatures

Suspicious behavior: EnumeratesProcesses (12 IoCs)
pid    process
4288   56db3f2732926357632cd95d020dd6abbdee2f40596deafd9c9ce849cc5cf86c.exe   (10 hits)
2900   powershell.exe   (2 hits)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description               pid    process
Token: SeDebugPrivilege   4288   56db3f2732926357632cd95d020dd6abbdee2f40596deafd9c9ce849cc5cf86c.exe
Token: SeDebugPrivilege   2900   powershell.exe
Processes

C:\Users\Admin\AppData\Local\Temp\56db3f2732926357632cd95d020dd6abbdee2f40596deafd9c9ce849cc5cf86c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\56db3f2732926357632cd95d020dd6abbdee2f40596deafd9c9ce849cc5cf86c.exe"
  PID: 4288
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc UwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAA==
  Decoded -enc argument (base64 over UTF-16LE text): Set-MpPreference -ExclusionPath C:\
  Effect: the whole C: drive is added to the Windows Defender exclusion list, so nothing on the system drive is scanned on access; -ExecutionPolicy Bypass, -WindowStyle Hidden and -NoProfile suppress the script-policy check, the console window and profile scripts respectively.
  PID: 2900
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
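The encoded command line of PID 2900 is the one part of this report whose intent is not readable as logged. The following Python is an added example, not tria.ge output and not code from the sample: it decodes a -EncodedCommand argument the way PowerShell does (base64 over UTF-16LE) and flags the switch combination and the Defender exclusion seen here. The reported command line is copied from this page; the benign command line and the finding labels are constructed for the example; the switch-prefix patterns follow PowerShell's rule that any unambiguous abbreviation of a switch name is accepted.

```python
"""Decode a PowerShell -EncodedCommand argument and flag Defender tampering.

Added example for this sandbox report; not tria.ge's own code and not part of
the analysed sample.
"""
import base64
import binascii
import re

# PowerShell accepts any unambiguous prefix of a switch name, so the encoded
# script can be introduced by -e, -ec, -enc or -encodedcommand.
ENC_SWITCH = re.compile(r"^-(e|ec|enc|encodedcommand)$", re.IGNORECASE)

# Same prefix rule for the three switches on this sample's command line.
# Finding labels are this example's own, not tria.ge signature names.
SWITCH_PATTERNS = {
    "execution policy bypassed": re.compile(r"-ex\w*\s+bypass", re.IGNORECASE),
    "window hidden": re.compile(r"-w\w*\s+hidden", re.IGNORECASE),
    "profile skipped": re.compile(r"-nop\w*", re.IGNORECASE),
}

# Set-MpPreference / Add-MpPreference with any of the exclusion parameters.
DEFENDER_EXCLUSION = re.compile(
    r"\b(Set|Add)-MpPreference\b.*?-Exclusion(Path|Process|Extension)\s+(\S+)",
    re.IGNORECASE | re.DOTALL,
)


def decode_encoded_command(cmdline):
    """Return the script passed via -EncodedCommand, or None if there is none.

    The argument is base64 over UTF-16LE text, which is why the script is not
    visible in the raw process command line a sandbox or EDR records.
    """
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if ENC_SWITCH.match(tok):
            blob = tokens[i + 1].strip("\"'")
            try:
                return base64.b64decode(blob, validate=True).decode("utf-16-le")
            except (binascii.Error, UnicodeDecodeError):
                return None  # malformed payload; PowerShell would also reject it
    return None


def analyze_powershell(cmdline):
    """Return (decoded_script, findings) for one powershell.exe command line."""
    findings = [desc for desc, pat in SWITCH_PATTERNS.items() if pat.search(cmdline)]
    script = decode_encoded_command(cmdline)
    if script is not None:
        findings.append("encoded command")
        m = DEFENDER_EXCLUSION.search(script)
        if m:
            kind, target = m.group(2).lower(), m.group(3)
            findings.append(f"defender exclusion {kind}={target}")
            # A bare drive letter excludes the entire volume from scanning.
            if kind == "path" and re.fullmatch(r"[a-z]:\\?", target, re.IGNORECASE):
                findings.append("whole drive excluded")
    return script, findings


# Command line of PID 2900, copied from the report above.
REPORTED_CMDLINE = (
    "powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc "
    "UwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4A"
    "UABhAHQAaAAgAEMAOgBcAA=="
)
# Constructed benign line for contrast (not from the report).
BENIGN_CMDLINE = 'powershell.exe -NoProfile -Command "Get-Date"'

if __name__ == "__main__":
    for line in (REPORTED_CMDLINE, BENIGN_CMDLINE):
        script, findings = analyze_powershell(line)
        print(f"{line[:48]}... -> script={script!r} findings={findings}")
```

On a live host the same tampering is visible after the fact with `Get-MpPreference | Select-Object -ExpandProperty ExclusionPath`, and Defender's operational log records the configuration change as event 5007, which is the check to pair with any command-line rule like the one above.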