Analysis
- max time kernel: 148s
- max time network: 165s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11/10/2022, 17:09
Static task: static1
Behavioral task: behavioral1
- Sample: 2ea886dad13369fd852d2eef27d40e9491d55b54ad47ece2ea7f2c121e2095f5.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: 2ea886dad13369fd852d2eef27d40e9491d55b54ad47ece2ea7f2c121e2095f5.exe
- Resource: win10v2004-20220812-en
General
- Target: 2ea886dad13369fd852d2eef27d40e9491d55b54ad47ece2ea7f2c121e2095f5.exe
- Size: 97KB
- MD5: 60bb7ba0b162e56e1aa921c5f153db10
- SHA1: 0f73228e1743528c830806716ed8efb9f706a4ab
- SHA256: 2ea886dad13369fd852d2eef27d40e9491d55b54ad47ece2ea7f2c121e2095f5
- SHA512: 2b7b920c13ae133c72094ffea22f496ecc775520fbbef96b3051faed8f702e5120117f76aeaff02db96a38860328a300799dc2a37dbd893288ac27ebb38e97cd
- SSDEEP: 3072:SYL6Ya2MPk+PIoGuNxwQeRqhJ04aMuzE1vDgyjOkVo:SYeYhMxIoGuW+0H5Y502x2
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid   Process
  4568  Slave.exe
- Drops file in Windows directory (2 IoCs)
  description                   ioc                    Process
  File opened for modification  C:\Windows\Slave.exe   2ea886dad13369fd852d2eef27d40e9491d55b54ad47ece2ea7f2c121e2095f5.exe
  File created                  C:\Windows\Slave.exe   2ea886dad13369fd852d2eef27d40e9491d55b54ad47ece2ea7f2c121e2095f5.exe
- Checks processor information in registry (2 TTPs, 5 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description        ioc                                                                                   Process
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                      Slave.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  Slave.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier     Slave.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier           Slave.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                 Slave.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid   Process
  4200  2ea886dad13369fd852d2eef27d40e9491d55b54ad47ece2ea7f2c121e2095f5.exe  (4 occurrences)
- Suspicious use of AdjustPrivilegeToken (10 IoCs)
  description                           pid   Process
  Token: SeLockMemoryPrivilege          4200  2ea886dad13369fd852d2eef27d40e9491d55b54ad47ece2ea7f2c121e2095f5.exe
  Token: SeIncBasePriorityPrivilege     4200  2ea886dad13369fd852d2eef27d40e9491d55b54ad47ece2ea7f2c121e2095f5.exe
  Token: SeSecurityPrivilege            4200  2ea886dad13369fd852d2eef27d40e9491d55b54ad47ece2ea7f2c121e2095f5.exe
  Token: SeShutdownPrivilege            4200  2ea886dad13369fd852d2eef27d40e9491d55b54ad47ece2ea7f2c121e2095f5.exe
  Token: SeTcbPrivilege                 4200  2ea886dad13369fd852d2eef27d40e9491d55b54ad47ece2ea7f2c121e2095f5.exe
  Token: SeLockMemoryPrivilege          4568  Slave.exe
  Token: SeIncBasePriorityPrivilege     4568  Slave.exe
  Token: SeSecurityPrivilege            4568  Slave.exe
  Token: SeShutdownPrivilege            4568  Slave.exe
  Token: SeTcbPrivilege                 4568  Slave.exe
- Suspicious use of FindShellTrayWindow (58 IoCs)
  pid   Process
  4568  Slave.exe  (58 occurrences)
Processes
- C:\Users\Admin\AppData\Local\Temp\2ea886dad13369fd852d2eef27d40e9491d55b54ad47ece2ea7f2c121e2095f5.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2ea886dad13369fd852d2eef27d40e9491d55b54ad47ece2ea7f2c121e2095f5.exe"
  PID: 4200
  Signatures:
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\Slave.exe
  Command line: C:\Windows\Slave.exe
  PID: 4568
  Signatures:
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Enterprise v6