Analysis
- max time kernel: 103s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29/11/2022, 13:06
Static task: static1
Behavioral task: behavioral1
- Sample: b92a73dafe4847c635d031f9a0a4963d32336f65e179a49050c2bf8dc97d800d.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: b92a73dafe4847c635d031f9a0a4963d32336f65e179a49050c2bf8dc97d800d.exe
- Resource: win10v2004-20220901-en
General
- Target: b92a73dafe4847c635d031f9a0a4963d32336f65e179a49050c2bf8dc97d800d.exe
- Size: 140KB
- MD5: ba8db3db1620653c676f80e8f79bff06
- SHA1: 43fdead135ad02559ee63904fb144f38ce48171b
- SHA256: b92a73dafe4847c635d031f9a0a4963d32336f65e179a49050c2bf8dc97d800d
- SHA512: 113077f5941ed690df17697f5570075563f12d1e880c8013c586d5db428bd4a863bfaddd6dc7f2c1de99a2ceb78cc35b831d671f409ae8fb2974357391080423
- SSDEEP: 3072:jlIgGTD+E3ZwOx1yh9SdADxL0yYSsU4JKTBfjlyg//c:jlITTDXNyhDayYSsWTB7lyg//
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  pid: 3276 | Process: noskrnl.exe
- Modifies Windows Firewall (1 TTPs, 1 IoCs)
  pid: 1420 | Process: netsh.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  description: Set value (str) | ioc: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\noskrnl = "C:\\Windows\\noskrnl.exe" | Process: b92a73dafe4847c635d031f9a0a4963d32336f65e179a49050c2bf8dc97d800d.exe
- Drops file in System32 directory (1 IoCs)
  description: File opened for modification | ioc: C:\Windows\SysWOW64\noskrnl.sys | Process: noskrnl.exe
- Drops file in Windows directory (4 IoCs)
  description: File opened for modification | ioc: C:\Windows\noskrnl.config | Process: noskrnl.exe
  description: File created | ioc: C:\Windows\noskrnl.exe | Process: b92a73dafe4847c635d031f9a0a4963d32336f65e179a49050c2bf8dc97d800d.exe
  description: File opened for modification | ioc: C:\Windows\noskrnl.exe | Process: b92a73dafe4847c635d031f9a0a4963d32336f65e179a49050c2bf8dc97d800d.exe
  description: File created | ioc: C:\Windows\noskrnl.config | Process: noskrnl.exe
- Suspicious behavior: LoadsDriver (1 IoCs)
  pid: 668 | Process: Process not Found
- Suspicious use of WriteProcessMemory (16 IoCs)
  description | pid | Process | procid_target
  PID 2804 wrote to memory of 1152 | 2804 | b92a73dafe4847c635d031f9a0a4963d32336f65e179a49050c2bf8dc97d800d.exe | 82
  PID 2804 wrote to memory of 1152 | 2804 | b92a73dafe4847c635d031f9a0a4963d32336f65e179a49050c2bf8dc97d800d.exe | 82
  PID 2804 wrote to memory of 1152 | 2804 | b92a73dafe4847c635d031f9a0a4963d32336f65e179a49050c2bf8dc97d800d.exe | 82
  PID 2804 wrote to memory of 1128 | 2804 | b92a73dafe4847c635d031f9a0a4963d32336f65e179a49050c2bf8dc97d800d.exe | 83
  PID 2804 wrote to memory of 1128 | 2804 | b92a73dafe4847c635d031f9a0a4963d32336f65e179a49050c2bf8dc97d800d.exe | 83
  PID 2804 wrote to memory of 1128 | 2804 | b92a73dafe4847c635d031f9a0a4963d32336f65e179a49050c2bf8dc97d800d.exe | 83
  PID 2804 wrote to memory of 3276 | 2804 | b92a73dafe4847c635d031f9a0a4963d32336f65e179a49050c2bf8dc97d800d.exe | 86
  PID 2804 wrote to memory of 3276 | 2804 | b92a73dafe4847c635d031f9a0a4963d32336f65e179a49050c2bf8dc97d800d.exe | 86
  PID 2804 wrote to memory of 3276 | 2804 | b92a73dafe4847c635d031f9a0a4963d32336f65e179a49050c2bf8dc97d800d.exe | 86
  PID 1128 wrote to memory of 1780 | 1128 | w32tm.exe | 90
  PID 1128 wrote to memory of 1780 | 1128 | w32tm.exe | 90
  PID 3276 wrote to memory of 1420 | 3276 | noskrnl.exe | 87
  PID 3276 wrote to memory of 1420 | 3276 | noskrnl.exe | 87
  PID 3276 wrote to memory of 1420 | 3276 | noskrnl.exe | 87
  PID 1152 wrote to memory of 4072 | 1152 | w32tm.exe | 88
  PID 1152 wrote to memory of 4072 | 1152 | w32tm.exe | 88
Processes
C:\Users\Admin\AppData\Local\Temp\b92a73dafe4847c635d031f9a0a4963d32336f65e179a49050c2bf8dc97d800d.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\b92a73dafe4847c635d031f9a0a4963d32336f65e179a49050c2bf8dc97d800d.exe"
  PID: 2804
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\w32tm.exe
      command line: w32tm /config /syncfromflags:manual /manualpeerlist:time.windows.com,time.nist.gov
      PID: 1152
      - Suspicious use of WriteProcessMemory
        C:\Windows\system32\w32tm.exe
          command line: w32tm /config /syncfromflags:manual /manualpeerlist:time.windows.com,time.nist.gov
          PID: 4072
    C:\Windows\SysWOW64\w32tm.exe
      command line: w32tm /config /update
      PID: 1128
      - Suspicious use of WriteProcessMemory
        C:\Windows\system32\w32tm.exe
          command line: w32tm /config /update
          PID: 1780
    C:\Windows\noskrnl.exe
      command line: "C:\Windows\noskrnl.exe"
      PID: 3276
      - Executes dropped EXE
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\netsh.exe
          command line: netsh firewall set allowedprogram "C:\Windows\noskrnl.exe" enable
          PID: 1420
          - Modifies Windows Firewall
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 140KB
- MD5: ba8db3db1620653c676f80e8f79bff06
- SHA1: 43fdead135ad02559ee63904fb144f38ce48171b
- SHA256: b92a73dafe4847c635d031f9a0a4963d32336f65e179a49050c2bf8dc97d800d
- SHA512: 113077f5941ed690df17697f5570075563f12d1e880c8013c586d5db428bd4a863bfaddd6dc7f2c1de99a2ceb78cc35b831d671f409ae8fb2974357391080423