Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 63s
- max time network: 100s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 29/11/2022, 06:51
Behavioral task behavioral1
- Sample: 8281ed9ca3f499803d4337735c0a5d6279022394409f492cdba19443f721121e.exe
- Resource: win7-20221111-en
Behavioral task behavioral2
- Sample: 8281ed9ca3f499803d4337735c0a5d6279022394409f492cdba19443f721121e.exe
- Resource: win10v2004-20220901-en
Errors
General
- Target: 8281ed9ca3f499803d4337735c0a5d6279022394409f492cdba19443f721121e.exe
- Size: 85KB
- MD5: 7f07b1d8c3e93203a5d9cb71fc57f139
- SHA1: 9bf82f08b7f635193775a9741e92177d85cf41a0
- SHA256: 8281ed9ca3f499803d4337735c0a5d6279022394409f492cdba19443f721121e
- SHA512: d08ad6c19cb6ce37ba6a2cc9bbd9d34fc17f2b9cef6e3a5132f6b536c929d7875a4a69051008794a8dd142a474906a9b4d779709555edb2f337d84056e98b255
- SSDEEP: 1536:UKy7x3cuklIn2ecXFX/Hcb+KeWSek4CcKn3S0b0I1mwOtg5:UKkxsmZc5/HNH+U11mftk
Malware Config
Signatures
-
  resource                                      yara_rule
  behavioral1/files/0x000a0000000122fb-63.dat   aspack_v212_v242
  behavioral1/files/0x000a0000000122fb-64.dat   aspack_v212_v242
  behavioral1/files/0x000a0000000122fb-71.dat   aspack_v212_v242
  behavioral1/files/0x000a0000000122fb-70.dat   aspack_v212_v242
  behavioral1/files/0x000a0000000122fb-66.dat   aspack_v212_v242
  behavioral1/files/0x000a0000000122fb-76.dat   aspack_v212_v242
- Executes dropped EXE 2 IoCs
  pid    Process
  2016   x2z8.exe
  1124   x2z8.exe
- Deletes itself 1 IoCs
  pid    Process
  1124   x2z8.exe
- Loads dropped DLL 3 IoCs
  pid    Process
  1220   8281ed9ca3f499803d4337735c0a5d6279022394409f492cdba19443f721121e.exe
  1220   8281ed9ca3f499803d4337735c0a5d6279022394409f492cdba19443f721121e.exe
  2016   x2z8.exe
- Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  description                    ioc                   Process
  File opened for modification   \??\PHYSICALDRIVE0    x2z8.exe
  File opened for modification   \??\PHYSICALDRIVE0    8281ed9ca3f499803d4337735c0a5d6279022394409f492cdba19443f721121e.exe
- Suspicious use of SetThreadContext 2 IoCs
  description                            pid    Process                                                                 procid_target
  PID 1108 set thread context of 1220    1108   8281ed9ca3f499803d4337735c0a5d6279022394409f492cdba19443f721121e.exe   28
  PID 2016 set thread context of 1124    2016   x2z8.exe                                                                30
- Suspicious use of AdjustPrivilegeToken 5 IoCs
  description                          pid    Process
  Token: SeShutdownPrivilege           1124   x2z8.exe
  Token: 33                            1696   AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege    1696   AUDIODG.EXE
  Token: 33                            1696   AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege    1696   AUDIODG.EXE
- Suspicious use of WriteProcessMemory 16 IoCs
  description                          pid    Process                                                                 procid_target
  PID 1108 wrote to memory of 1220     1108   8281ed9ca3f499803d4337735c0a5d6279022394409f492cdba19443f721121e.exe   28
  PID 1108 wrote to memory of 1220     1108   8281ed9ca3f499803d4337735c0a5d6279022394409f492cdba19443f721121e.exe   28
  PID 1108 wrote to memory of 1220     1108   8281ed9ca3f499803d4337735c0a5d6279022394409f492cdba19443f721121e.exe   28
  PID 1108 wrote to memory of 1220     1108   8281ed9ca3f499803d4337735c0a5d6279022394409f492cdba19443f721121e.exe   28
  PID 1108 wrote to memory of 1220     1108   8281ed9ca3f499803d4337735c0a5d6279022394409f492cdba19443f721121e.exe   28
  PID 1108 wrote to memory of 1220     1108   8281ed9ca3f499803d4337735c0a5d6279022394409f492cdba19443f721121e.exe   28
  PID 1220 wrote to memory of 2016     1220   8281ed9ca3f499803d4337735c0a5d6279022394409f492cdba19443f721121e.exe   29
  PID 1220 wrote to memory of 2016     1220   8281ed9ca3f499803d4337735c0a5d6279022394409f492cdba19443f721121e.exe   29
  PID 1220 wrote to memory of 2016     1220   8281ed9ca3f499803d4337735c0a5d6279022394409f492cdba19443f721121e.exe   29
  PID 1220 wrote to memory of 2016     1220   8281ed9ca3f499803d4337735c0a5d6279022394409f492cdba19443f721121e.exe   29
  PID 2016 wrote to memory of 1124     2016   x2z8.exe                                                                30
  PID 2016 wrote to memory of 1124     2016   x2z8.exe                                                                30
  PID 2016 wrote to memory of 1124     2016   x2z8.exe                                                                30
  PID 2016 wrote to memory of 1124     2016   x2z8.exe                                                                30
  PID 2016 wrote to memory of 1124     2016   x2z8.exe                                                                30
  PID 2016 wrote to memory of 1124     2016   x2z8.exe                                                                30
Processes
- C:\Users\Admin\AppData\Local\Temp\8281ed9ca3f499803d4337735c0a5d6279022394409f492cdba19443f721121e.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\8281ed9ca3f499803d4337735c0a5d6279022394409f492cdba19443f721121e.exe"
  PID: 1108
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\8281ed9ca3f499803d4337735c0a5d6279022394409f492cdba19443f721121e.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\8281ed9ca3f499803d4337735c0a5d6279022394409f492cdba19443f721121e.exe"
    PID: 1220
    - Loads dropped DLL
    - Writes to the Master Boot Record (MBR)
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\x2z8.exe
      command line: C:\Users\Admin\AppData\Local\Temp\\x2z8.exe
      PID: 2016
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\x2z8.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\x2z8.exe"
        PID: 1124
        - Executes dropped EXE
        - Deletes itself
        - Writes to the Master Boot Record (MBR)
        - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\LogonUI.exe
  command line: "LogonUI.exe" /flags:0x0
  PID: 1916
- C:\Windows\system32\AUDIODG.EXE
  command line: C:\Windows\system32\AUDIODG.EXE 0x564
  PID: 1696
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\LogonUI.exe
  command line: "LogonUI.exe" /flags:0x1
  PID: 832
Network
MITRE ATT&CK Enterprise v6
Downloads
-
  Filesize: 102B
  MD5: ef3660284c6ff2a2984b86ca774c351b
  SHA1: 4566d598b06ee8228411c01055730a32bf54907a
  SHA256: b579f3891d9a0248addf9653eca740a273f2aa53c1ae0b99c60d1ca947ee3a34
  SHA512: 6d5fb318f85c4cd6ece4cd456797c2399a69efe63b1a8d9ff9c5200f84af5a688fe783de130bd2d17de95a6b2255c373a78f88a431484207c4efca276fd556b1
-
  Filesize: 85KB
  MD5: 7f07b1d8c3e93203a5d9cb71fc57f139
  SHA1: 9bf82f08b7f635193775a9741e92177d85cf41a0
  SHA256: 8281ed9ca3f499803d4337735c0a5d6279022394409f492cdba19443f721121e
  SHA512: d08ad6c19cb6ce37ba6a2cc9bbd9d34fc17f2b9cef6e3a5132f6b536c929d7875a4a69051008794a8dd142a474906a9b4d779709555edb2f337d84056e98b255
-
  Filesize: 85KB
  MD5: 7f07b1d8c3e93203a5d9cb71fc57f139
  SHA1: 9bf82f08b7f635193775a9741e92177d85cf41a0
  SHA256: 8281ed9ca3f499803d4337735c0a5d6279022394409f492cdba19443f721121e
  SHA512: d08ad6c19cb6ce37ba6a2cc9bbd9d34fc17f2b9cef6e3a5132f6b536c929d7875a4a69051008794a8dd142a474906a9b4d779709555edb2f337d84056e98b255
-
  Filesize: 85KB
  MD5: 7f07b1d8c3e93203a5d9cb71fc57f139
  SHA1: 9bf82f08b7f635193775a9741e92177d85cf41a0
  SHA256: 8281ed9ca3f499803d4337735c0a5d6279022394409f492cdba19443f721121e
  SHA512: d08ad6c19cb6ce37ba6a2cc9bbd9d34fc17f2b9cef6e3a5132f6b536c929d7875a4a69051008794a8dd142a474906a9b4d779709555edb2f337d84056e98b255
-
  Filesize: 85KB
  MD5: 7f07b1d8c3e93203a5d9cb71fc57f139
  SHA1: 9bf82f08b7f635193775a9741e92177d85cf41a0
  SHA256: 8281ed9ca3f499803d4337735c0a5d6279022394409f492cdba19443f721121e
  SHA512: d08ad6c19cb6ce37ba6a2cc9bbd9d34fc17f2b9cef6e3a5132f6b536c929d7875a4a69051008794a8dd142a474906a9b4d779709555edb2f337d84056e98b255
-
  Filesize: 85KB
  MD5: 7f07b1d8c3e93203a5d9cb71fc57f139
  SHA1: 9bf82f08b7f635193775a9741e92177d85cf41a0
  SHA256: 8281ed9ca3f499803d4337735c0a5d6279022394409f492cdba19443f721121e
  SHA512: d08ad6c19cb6ce37ba6a2cc9bbd9d34fc17f2b9cef6e3a5132f6b536c929d7875a4a69051008794a8dd142a474906a9b4d779709555edb2f337d84056e98b255
-
  Filesize: 85KB
  MD5: 7f07b1d8c3e93203a5d9cb71fc57f139
  SHA1: 9bf82f08b7f635193775a9741e92177d85cf41a0
  SHA256: 8281ed9ca3f499803d4337735c0a5d6279022394409f492cdba19443f721121e
  SHA512: d08ad6c19cb6ce37ba6a2cc9bbd9d34fc17f2b9cef6e3a5132f6b536c929d7875a4a69051008794a8dd142a474906a9b4d779709555edb2f337d84056e98b255