Analysis
max time kernel: 150s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21/11/2022, 10:45
Static task: static1
Behavioral task: behavioral1
Sample: tmp.exe
Resource: win7-20220812-en
3 signatures, 150 seconds
Behavioral task: behavioral2
Sample: tmp.exe
Resource: win10v2004-20220812-en
4 signatures, 150 seconds
General
Target: tmp.exe
Size: 2.7MB
MD5: 3a0cb1e57457a5363e037555b0c198a2
SHA1: bc285f20a0aa3c48d65d8f9ed60f3b059ee08195
SHA256: b1198208e9e31b019e36fe22edc2e2bbe54641448b5c0dec09b43add73684829
SHA512: 1555d85579e4d107e4e4f9efa5e9a76f1e9bb8e7bddaf6e54f66262834d79276aa8c752333a20872ae62adcee83aadcab70cd94488feff8cac9044e906c0698f
SSDEEP: 24576:eF4fvdjFd9qwnzw1rCw8tvpwfOE3XP/08HNNYxQtNGSYQkxChx4:eadjcwnzwewwOfBXPLNrGSYdxChx
Score: 5/10
Malware Config
Signatures
Suspicious use of NtSetInformationThreadHideFromDebugger (7 IoCs)
pid Process
632 tmp.exe (same entry for all 7 IoCs)
Program crash (1 IoC)
pid pid_target Process procid_target
1812 632 WerFault.exe 79
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid Process
632 tmp.exe (same entry for all 64 IoCs)
Suspicious use of AdjustPrivilegeToken (1 IoC)
description pid Process
Token: SeDebugPrivilege 632 tmp.exe
Processes
C:\Users\Admin\AppData\Local\Temp\tmp.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
PID: 632
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 632 -s 896
    PID: 1812
    - Program crash
C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 632 -ip 632
PID: 1352