Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    152s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04/10/2022, 03:10

General

  • Target

    fa28a5a8adb0dc346377f393c7a0882c1c8d122c62d84d8ea39a784bc997b6e8.exe

  • Size

    688KB

  • MD5

    55e82d0a0ee538ff911e36730ee8da40

  • SHA1

    ffe4ffda16f1ef21ff6a57265aa93f1d6d84f222

  • SHA256

    fa28a5a8adb0dc346377f393c7a0882c1c8d122c62d84d8ea39a784bc997b6e8

  • SHA512

    823998123b6a03a52dc907279ad237b1035c07df197a4a1dd3027605211b81492f45d0d9ad2468291ffb57aab31c154b627f09b965e2138e73d38a50f2c69c7a

  • SSDEEP

    6144:WTXUblJm7Cu9/cHDWLk9bLNZRgWLkmKc0VxS4ZJIh8q8x9dBrtdchM+GO:2UzmZGDp9bLNLgpl5Vxm8vdTEG

Malware Config

Signatures

  • Adds Run key to start application 2 TTPs 4 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fa28a5a8adb0dc346377f393c7a0882c1c8d122c62d84d8ea39a784bc997b6e8.exe
    "C:\Users\Admin\AppData\Local\Temp\fa28a5a8adb0dc346377f393c7a0882c1c8d122c62d84d8ea39a784bc997b6e8.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4924
    • C:\Users\Admin\AppData\Local\Temp\fa28a5a8adb0dc346377f393c7a0882c1c8d122c62d84d8ea39a784bc997b6e8.exe
      "C:\Users\Admin\AppData\Local\Temp\fa28a5a8adb0dc346377f393c7a0882c1c8d122c62d84d8ea39a784bc997b6e8.exe"
      2⤵
        PID:1836
      • C:\Users\Admin\AppData\Local\Temp\fa28a5a8adb0dc346377f393c7a0882c1c8d122c62d84d8ea39a784bc997b6e8.exe
        "C:\Users\Admin\AppData\Local\Temp\fa28a5a8adb0dc346377f393c7a0882c1c8d122c62d84d8ea39a784bc997b6e8.exe"
        2⤵
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:4212
        • C:\Windows\SysWOW64\svchost.exe
          "C:\Windows\system32\svchost.exe"
          3⤵
          • Adds Run key to start application
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2704

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/2704-141-0x0000000002BE0000-0x0000000002BE5000-memory.dmp

      Filesize

      20KB

    • memory/2704-142-0x0000000003500000-0x0000000003950000-memory.dmp

      Filesize

      4.3MB

    • memory/2704-143-0x0000000000EE0000-0x0000000000EEE000-memory.dmp

      Filesize

      56KB

    • memory/4212-135-0x0000000000400000-0x000000000044C000-memory.dmp

      Filesize

      304KB

    • memory/4212-137-0x0000000000400000-0x000000000044C000-memory.dmp

      Filesize

      304KB

    • memory/4212-139-0x0000000000400000-0x000000000044C000-memory.dmp

      Filesize

      304KB

    • memory/4924-132-0x00000000748B0000-0x0000000074E61000-memory.dmp

      Filesize

      5.7MB

    • memory/4924-140-0x00000000748B0000-0x0000000074E61000-memory.dmp

      Filesize

      5.7MB