Analysis
- max time kernel: 169s
- max time network: 173s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19/09/2022, 07:36
Behavioral tasks
- behavioral1: sample 27b9f5ad3246b30b7415ef0e093cde21dce8c0cbdde42024c7489760150643dd.exe, resource win7-20220812-en
- behavioral2: sample 27b9f5ad3246b30b7415ef0e093cde21dce8c0cbdde42024c7489760150643dd.exe, resource win10v2004-20220812-en
The signatures, memory dumps and process tree below come from behavioral2 (the Windows 10 2004 x64 run); no behavioral1 output is reproduced on this page.
General
- Target: 27b9f5ad3246b30b7415ef0e093cde21dce8c0cbdde42024c7489760150643dd.exe
- Size: 354KB
- MD5: 451418a374e6564f5c0d0cc3ea7e0f0c
- SHA1: a4c186c77c2e1414324a184f467518cd3bc36fb5
- SHA256: 27b9f5ad3246b30b7415ef0e093cde21dce8c0cbdde42024c7489760150643dd
- SHA512: 64cb97365792e10723ea8cc558cea95480baa4f8eaf3d96b5419a97e69338bbcaa0159d800ce4cc2e8c786292b0224897e79bc975d62494520fafcf2a22527db
- SSDEEP: 6144:PEtjTq/mmvgEG83Qp/9Qp/2Qp/7Qp/yf:8dmvgP83u987
Malware Config
Signatures
UPX packer detected (YARA rule "upx", 2 matches)
- behavioral2/memory/1360-132-0x0000000000400000-0x0000000000459000-memory.dmp
- behavioral2/memory/1360-134-0x0000000000400000-0x0000000000459000-memory.dmp
Both matches are memory dumps of PID 1360 (the sample) covering its mapped image at 0x00400000-0x00459000, the default image base of a 32-bit PE. The UPX markers are present in the loaded image, so the file on disk is packed and static signatures run against it will see the packer stub rather than the unpacked payload; the memory dumps are the place to look for the real code.
Enumerates connected drives (3 TTPs, 22 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
PID 1360 (27b9f5ad3246b30b7415ef0e093cde21dce8c0cbdde42024c7489760150643dd.exe) opened the root of 22 drive letters read-only, as \??\<letter>: device paths (the \??\ prefix is the NT object namespace for DOS device names), in this order: n, r, s, u, x, z, e, f, i, k, y, h, j, l, m, o, p, t, g, q, v, w. Every letter from e to z is probed and a, b, c and d are skipped, which is consistent with a sweep for additional volumes (removable or network drives) rather than a lookup of one known path.
Drops file in System32 directory (4 IoCs)
- File created: C:\Windows\SysWOW64\smss.exe, by 27b9f5ad3246b30b7415ef0e093cde21dce8c0cbdde42024c7489760150643dd.exe
- File opened for modification: C:\Windows\SysWOW64\smss.exe, by 27b9f5ad3246b30b7415ef0e093cde21dce8c0cbdde42024c7489760150643dd.exe
- File opened for modification: C:\Windows\SysWOW64\explorer.exe, by 27b9f5ad3246b30b7415ef0e093cde21dce8c0cbdde42024c7489760150643dd.exe
- File created: C:\Windows\SysWOW64\explorer.exe, by 27b9f5ad3246b30b7415ef0e093cde21dce8c0cbdde42024c7489760150643dd.exe
Both names belong to core Windows binaries. The legitimate Session Manager is C:\Windows\System32\smss.exe, and a 32-bit explorer.exe does ship in SysWOW64 on 64-bit Windows, so the explorer.exe events touch a path where a real system file lives; the "File created" event by itself does not show whether a file existed beforehand. The writes landing in SysWOW64 is what a 32-bit process gets when it writes to C:\Windows\System32 under WoW64 file system redirection, consistent with the 0x00400000 image base noted above.
Modifies registry class (1 IoC)
- Key created: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings, by explorer.exe (PID 4544)
This is the only behaviour recorded for the explorer.exe child. On its own it is weak evidence, because the per-user Classes\Local Settings key is routinely created by the Windows shell; what matters is that the process doing it is the explorer.exe the sample wrote and launched, not the key itself.
Suspicious behavior: EnumeratesProcesses (20 IoCs)
- PID 1360 (27b9f5ad3246b30b7415ef0e093cde21dce8c0cbdde42024c7489760150643dd.exe) enumerated running processes 20 times.
Suspicious use of AdjustPrivilegeToken (1 IoC)
- Token: SeLoadDriverPrivilege enabled by PID 1360 (27b9f5ad3246b30b7415ef0e093cde21dce8c0cbdde42024c7489760150643dd.exe)
SeLoadDriverPrivilege is the privilege required to load a kernel-mode driver. This report records the privilege being enabled in the sample's token but no driver load, so treat it as stated intent rather than a confirmed kernel component.
Suspicious use of WriteProcessMemory (3 IoCs)
- PID 1360 (27b9f5ad3246b30b7415ef0e093cde21dce8c0cbdde42024c7489760150643dd.exe) wrote to the memory of PID 4544 (procid_target 79) three times.
PID 4544 is the explorer.exe child that 1360 launches (see Processes). A parent writing into a freshly created child is consistent with code injection at process start; the report records only that the writes happened, not their size or contents.
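The drive sweep and the System32/SysWOW64 drops above are the two signatures most worth turning into detections. The following is an added example, not tria.ge code and not anything from the sample: it parses the flattened "description ioc Process" rows exactly as this page prints them (rebuilt here as constructed input from the report's own IoCs) and flags a process that opens many distinct drive roots, and writes of well-known system binary names under System32 or SysWOW64. The threshold of five drive letters and the PROTECTED_NAMES list are assumptions chosen for the example.

```python
"""Detection checks over tria.ge IoC rows (added example; not tria.ge code)."""
import re
from collections import defaultdict

# Constructed sample input, rebuilt from this report's IoC rows.
SAMPLE = "27b9f5ad3246b30b7415ef0e093cde21dce8c0cbdde42024c7489760150643dd.exe"
DRIVE_ROW = " ".join(
    f"File opened (read-only) \\??\\{d}: {SAMPLE}" for d in "nrsuxzefikyhjlmoptgqvw"
)
DROP_ROW = (
    f"File created C:\\Windows\\SysWOW64\\smss.exe {SAMPLE} "
    f"File opened for modification C:\\Windows\\SysWOW64\\smss.exe {SAMPLE} "
    f"File opened for modification C:\\Windows\\SysWOW64\\explorer.exe {SAMPLE} "
    f"File created C:\\Windows\\SysWOW64\\explorer.exe {SAMPLE}"
)

# One event = <kind> <path> <process image>; rows run several events together.
EVENT_RE = re.compile(
    r"(File opened \(read-only\)|File opened for modification|File created)"
    r"\s+(\S+)\s+(\S+\.exe)"
)


def parse_file_iocs(row):
    """Split a flattened 'description ioc Process' row into (kind, path, process)."""
    return [m.groups() for m in EVENT_RE.finditer(row)]


# \??\X: is the NT device-namespace form of a drive root.
DRIVE_ROOT_RE = re.compile(r"^\\\?\?\\([A-Za-z]):$")


def drives_probed(events):
    """Map each process to the set of drive letters whose root it opened."""
    probed = defaultdict(set)
    for _kind, path, proc in events:
        m = DRIVE_ROOT_RE.match(path)
        if m:
            probed[proc].add(m.group(1).lower())
    return probed


def flag_drive_enumeration(events, threshold=5):
    """Processes that touched at least `threshold` distinct drive roots (assumed cut-off)."""
    return {proc: sorted(letters)
            for proc, letters in drives_probed(events).items()
            if len(letters) >= threshold}


SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Assumed list of names a non-installer process should never write to these directories.
PROTECTED_NAMES = {"smss.exe", "csrss.exe", "wininit.exe", "winlogon.exe",
                   "services.exe", "lsass.exe", "svchost.exe", "explorer.exe"}
WRITE_KINDS = {"File created", "File opened for modification"}


def flag_system_binary_writes(events):
    """(process, path) pairs where a protected binary name was written under
    System32 or SysWOW64.  Trusted updaters also do this, so a real pipeline
    should allow-list TrustedInstaller / Windows Update before alerting."""
    hits = set()
    for kind, path, proc in events:
        low = path.lower()
        if kind in WRITE_KINDS and low.startswith(SYSTEM_DIRS):
            if low.rsplit("\\", 1)[-1] in PROTECTED_NAMES:
                hits.add((proc, path))
    return sorted(hits)


if __name__ == "__main__":
    print(flag_drive_enumeration(parse_file_iocs(DRIVE_ROW)))
    print(flag_system_binary_writes(parse_file_iocs(DROP_ROW)))
```

Run against the rebuilt rows, the first check reports the sample with all 22 letters and the second reports the two SysWOW64 paths; the same functions apply unchanged to any other report in this format, and the SysWOW64 entry in SYSTEM_DIRS is what catches 32-bit droppers whose System32 writes are redirected.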
Processes
- C:\Users\Admin\AppData\Local\Temp\27b9f5ad3246b30b7415ef0e093cde21dce8c0cbdde42024c7489760150643dd.exe (PID 1360, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\27b9f5ad3246b30b7415ef0e093cde21dce8c0cbdde42024c7489760150643dd.exe"
  - Enumerates connected drives
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\explorer.exe (PID 4544, depth 2, child of PID 1360)
    Command line: C:\Windows\system32\\explorer.exe
    - Modifies registry class
The child's command line names C:\Windows\system32\explorer.exe, but the image that ran is C:\Windows\SysWOW64\explorer.exe: WoW64 file system redirection sends a 32-bit parent's System32 reference to SysWOW64, which is the path the sample created and modified in the Drops file in System32 directory signature. The tree therefore shows the sample executing the file it wrote under a trusted name and location, and then writing into that child's memory, rather than launching the stock shell.