Analysis
max time kernel: 158s
max time network: 182s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26/11/2022, 00:08
Static task
static1
Behavioral task
behavioral1
Sample
469501c5f6aa76ff3ee40a61854e80ce11875599f4657557994e417b4036b082.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
469501c5f6aa76ff3ee40a61854e80ce11875599f4657557994e417b4036b082.exe
Resource
win10v2004-20221111-en
General
Target: 469501c5f6aa76ff3ee40a61854e80ce11875599f4657557994e417b4036b082.exe
Size: 284KB
MD5: 92899c19b0977d43df5670542f802a79
SHA1: 2700281fba4ac7c17b4ad61ee41a74f4eea94102
SHA256: 469501c5f6aa76ff3ee40a61854e80ce11875599f4657557994e417b4036b082
SHA512: e19de32f0a78b57f8e97c4780c220802a320829a2b59e874152d3ed5ab9313dcc1e52545d9a7a33124c3a883fd858021e0ad2ae0e4480ff1e5c25126882fda2a
SSDEEP: 3072:Arv/up5dv5aiqa+99NpK059azTS6JJvoWQCWuADqomV2I2x9wZZrdr8RpRDvpgXu:ALupD5axNhwgRqomMZwHribDeg4z4LZ
Malware Config
Signatures
Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
Bootkits write to the MBR to gain persistence at a level below the operating system.
description                   | ioc                | Process
File opened for modification  | \??\PhysicalDrive0 | 469501c5f6aa76ff3ee40a61854e80ce11875599f4657557994e417b4036b082.exe
Suspicious use of SetThreadContext (2 IoCs)
description                          | pid  | Process                                                               | procid_target
PID 3336 set thread context of 5024  | 3336 | 469501c5f6aa76ff3ee40a61854e80ce11875599f4657557994e417b4036b082.exe | 83
PID 5024 set thread context of 4204  | 5024 | 469501c5f6aa76ff3ee40a61854e80ce11875599f4657557994e417b4036b082.exe | 84
Suspicious behavior: EnumeratesProcesses (3 IoCs)
pid  | Process
4204 | 469501c5f6aa76ff3ee40a61854e80ce11875599f4657557994e417b4036b082.exe
4204 | 469501c5f6aa76ff3ee40a61854e80ce11875599f4657557994e417b4036b082.exe
4204 | 469501c5f6aa76ff3ee40a61854e80ce11875599f4657557994e417b4036b082.exe
Suspicious use of AdjustPrivilegeToken (1 IoCs)
description              | pid  | Process
Token: SeDebugPrivilege  | 4204 | 469501c5f6aa76ff3ee40a61854e80ce11875599f4657557994e417b4036b082.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
pid  | Process
3336 | 469501c5f6aa76ff3ee40a61854e80ce11875599f4657557994e417b4036b082.exe
5024 | 469501c5f6aa76ff3ee40a61854e80ce11875599f4657557994e417b4036b082.exe
Suspicious use of WriteProcessMemory (17 IoCs)
description                        | pid  | Process                                                               | procid_target
PID 3336 wrote to memory of 5024   | 3336 | 469501c5f6aa76ff3ee40a61854e80ce11875599f4657557994e417b4036b082.exe | 83
PID 3336 wrote to memory of 5024   | 3336 | 469501c5f6aa76ff3ee40a61854e80ce11875599f4657557994e417b4036b082.exe | 83
PID 3336 wrote to memory of 5024   | 3336 | 469501c5f6aa76ff3ee40a61854e80ce11875599f4657557994e417b4036b082.exe | 83
PID 3336 wrote to memory of 5024   | 3336 | 469501c5f6aa76ff3ee40a61854e80ce11875599f4657557994e417b4036b082.exe | 83
PID 3336 wrote to memory of 5024   | 3336 | 469501c5f6aa76ff3ee40a61854e80ce11875599f4657557994e417b4036b082.exe | 83
PID 3336 wrote to memory of 5024   | 3336 | 469501c5f6aa76ff3ee40a61854e80ce11875599f4657557994e417b4036b082.exe | 83
PID 3336 wrote to memory of 5024   | 3336 | 469501c5f6aa76ff3ee40a61854e80ce11875599f4657557994e417b4036b082.exe | 83
PID 3336 wrote to memory of 5024   | 3336 | 469501c5f6aa76ff3ee40a61854e80ce11875599f4657557994e417b4036b082.exe | 83
PID 5024 wrote to memory of 4204   | 5024 | 469501c5f6aa76ff3ee40a61854e80ce11875599f4657557994e417b4036b082.exe | 84
PID 5024 wrote to memory of 4204   | 5024 | 469501c5f6aa76ff3ee40a61854e80ce11875599f4657557994e417b4036b082.exe | 84
PID 5024 wrote to memory of 4204   | 5024 | 469501c5f6aa76ff3ee40a61854e80ce11875599f4657557994e417b4036b082.exe | 84
PID 5024 wrote to memory of 4204   | 5024 | 469501c5f6aa76ff3ee40a61854e80ce11875599f4657557994e417b4036b082.exe | 84
PID 5024 wrote to memory of 4204   | 5024 | 469501c5f6aa76ff3ee40a61854e80ce11875599f4657557994e417b4036b082.exe | 84
PID 5024 wrote to memory of 4204   | 5024 | 469501c5f6aa76ff3ee40a61854e80ce11875599f4657557994e417b4036b082.exe | 84
PID 5024 wrote to memory of 4204   | 5024 | 469501c5f6aa76ff3ee40a61854e80ce11875599f4657557994e417b4036b082.exe | 84
PID 5024 wrote to memory of 4204   | 5024 | 469501c5f6aa76ff3ee40a61854e80ce11875599f4657557994e417b4036b082.exe | 84
Processes
1. C:\Users\Admin\AppData\Local\Temp\469501c5f6aa76ff3ee40a61854e80ce11875599f4657557994e417b4036b082.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\469501c5f6aa76ff3ee40a61854e80ce11875599f4657557994e417b4036b082.exe"
   PID: 3336
   - Suspicious use of SetThreadContext
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\469501c5f6aa76ff3ee40a61854e80ce11875599f4657557994e417b4036b082.exe (child of PID 3336)
      Command line: "C:\Users\Admin\AppData\Local\Temp\469501c5f6aa76ff3ee40a61854e80ce11875599f4657557994e417b4036b082.exe"
      PID: 5024
      - Writes to the Master Boot Record (MBR)
      - Suspicious use of SetThreadContext
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\469501c5f6aa76ff3ee40a61854e80ce11875599f4657557994e417b4036b082.exe (child of PID 5024)
         Command line: "C:\Users\Admin\AppData\Local\Temp\469501c5f6aa76ff3ee40a61854e80ce11875599f4657557994e417b4036b082.exe"
         PID: 4204
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken