Analysis

max time kernel: 152s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04/10/2022, 03:10
Static task: static1

Behavioral task: behavioral1
  Sample: fa28a5a8adb0dc346377f393c7a0882c1c8d122c62d84d8ea39a784bc997b6e8.exe
  Resource: win7-20220812-en

Behavioral task: behavioral2
  Sample: fa28a5a8adb0dc346377f393c7a0882c1c8d122c62d84d8ea39a784bc997b6e8.exe
  Resource: win10v2004-20220812-en
General

Target: fa28a5a8adb0dc346377f393c7a0882c1c8d122c62d84d8ea39a784bc997b6e8.exe
Size: 688KB
MD5: 55e82d0a0ee538ff911e36730ee8da40
SHA1: ffe4ffda16f1ef21ff6a57265aa93f1d6d84f222
SHA256: fa28a5a8adb0dc346377f393c7a0882c1c8d122c62d84d8ea39a784bc997b6e8
SHA512: 823998123b6a03a52dc907279ad237b1035c07df197a4a1dd3027605211b81492f45d0d9ad2468291ffb57aab31c154b627f09b965e2138e73d38a50f2c69c7a
SSDEEP: 6144:WTXUblJm7Cu9/cHDWLk9bLNZRgWLkmKc0VxS4ZJIh8q8x9dBrtdchM+GO:2UzmZGDp9bLNLgpl5Vxm8vdTEG
Malware Config
Signatures

Adds Run key to start application (2 TTPs, 4 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run | svchost.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\6815cdb9 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\{F7979D85-1DC7-48CC-A64A-A24B25B2F4AC}\\6815cdb9.exe" | svchost.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | svchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\6815cdb9 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\{F7979D85-1DC7-48CC-A64A-A24B25B2F4AC}\\6815cdb9.exe" | svchost.exe

Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  PID 4924 set thread context of 4212 | 4924 | fa28a5a8adb0dc346377f393c7a0882c1c8d122c62d84d8ea39a784bc997b6e8.exe | 84

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  4924 | fa28a5a8adb0dc346377f393c7a0882c1c8d122c62d84d8ea39a784bc997b6e8.exe (listed twice)
  2704 | svchost.exe (all remaining entries; 64 rows listed in total)

Suspicious behavior: MapViewOfSection (2 IoCs)
  pid | Process
  4212 | fa28a5a8adb0dc346377f393c7a0882c1c8d122c62d84d8ea39a784bc997b6e8.exe (listed twice)

Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 4924 | fa28a5a8adb0dc346377f393c7a0882c1c8d122c62d84d8ea39a784bc997b6e8.exe
  Token: SeDebugPrivilege | 2704 | svchost.exe (all remaining entries; 64 rows listed in total)

Suspicious use of WriteProcessMemory (16 IoCs)
  description | pid | Process | procid_target
  PID 4924 wrote to memory of 1836 | 4924 | fa28a5a8adb0dc346377f393c7a0882c1c8d122c62d84d8ea39a784bc997b6e8.exe | 83 (3 entries)
  PID 4924 wrote to memory of 4212 | 4924 | fa28a5a8adb0dc346377f393c7a0882c1c8d122c62d84d8ea39a784bc997b6e8.exe | 84 (10 entries)
  PID 4212 wrote to memory of 2704 | 4212 | fa28a5a8adb0dc346377f393c7a0882c1c8d122c62d84d8ea39a784bc997b6e8.exe | 85 (3 entries)
Processes

- C:\Users\Admin\AppData\Local\Temp\fa28a5a8adb0dc346377f393c7a0882c1c8d122c62d84d8ea39a784bc997b6e8.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\fa28a5a8adb0dc346377f393c7a0882c1c8d122c62d84d8ea39a784bc997b6e8.exe"
  PID: 4924
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  - C:\Users\Admin\AppData\Local\Temp\fa28a5a8adb0dc346377f393c7a0882c1c8d122c62d84d8ea39a784bc997b6e8.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\fa28a5a8adb0dc346377f393c7a0882c1c8d122c62d84d8ea39a784bc997b6e8.exe"
    PID: 1836

  - C:\Users\Admin\AppData\Local\Temp\fa28a5a8adb0dc346377f393c7a0882c1c8d122c62d84d8ea39a784bc997b6e8.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\fa28a5a8adb0dc346377f393c7a0882c1c8d122c62d84d8ea39a784bc997b6e8.exe"
    PID: 4212
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\svchost.exe
      Command line: "C:\Windows\system32\svchost.exe"
      PID: 2704
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken