Analysis
- max time kernel: 151s
- max time network: 189s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01/12/2022, 22:43
Static task: static1
Behavioral task: behavioral1
- Sample: 76d1c120d7fd6a5cbcb2799c650b81a23220096cce22d7d2659a6a98b051985e.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: 76d1c120d7fd6a5cbcb2799c650b81a23220096cce22d7d2659a6a98b051985e.exe
- Resource: win10v2004-20221111-en
General
- Target: 76d1c120d7fd6a5cbcb2799c650b81a23220096cce22d7d2659a6a98b051985e.exe
- Size: 60KB
- MD5: a0068ae7ff0080ef15e60e1d213c53b1
- SHA1: 1685fd8007c01c2efc9f273f092cda13141fb0eb
- SHA256: 76d1c120d7fd6a5cbcb2799c650b81a23220096cce22d7d2659a6a98b051985e
- SHA512: f71440dbfa9780d7edb4691a1a353099f4408b05479d7d91b9406a988fa3d15cebe196662306ea9aaad75d9c6a1a8f7659fb7c04568e455411768aec861d35cb
- SSDEEP: 768:ukpLA8BtBV0QJcW5wqInmNSfyvwx+BKXCJW+trdvsWCJn66kvORBX80X/s:3kQJcqwmIfj+ECJG/kvO40vs
Malware Config
Signatures
- Grants admin privileges (1 TTPs)
  Sandbox description: "Uses net.exe to modify the user's privileges."
  Caveat: the only net.exe command lines recorded in this run are `net user` and `net localgroup administrators`, which list local accounts and the members of the local Administrators group. Neither carries /add or /delete, so no account or group membership was changed. Read this signature as a heuristic hit on net.exe; the observed behaviour is enumeration, not privilege granting.
- Executes dropped EXE (1 IoCs)
  PID 3556, Process wmimgmt.exe
- Enumerates processes with tasklist (1 TTPs, 1 IoCs)
  PID 2228, Process tasklist.exe
- Gathers system information (1 TTPs, 1 IoCs)
  Runs systeminfo.exe.
  PID 3704, Process systeminfo.exe
- Runs net.exe
- Suspicious use of AdjustPrivilegeToken (33 IoCs)
  The report lists one row per call; grouped by token and process:

  Token               PID   Process                                                                   Calls
  SeBackupPrivilege   1528  76d1c120d7fd6a5cbcb2799c650b81a23220096cce22d7d2659a6a98b051985e.exe    8
  SeRestorePrivilege  1528  76d1c120d7fd6a5cbcb2799c650b81a23220096cce22d7d2659a6a98b051985e.exe    4
  SeBackupPrivilege   3556  wmimgmt.exe                                                               18
  SeRestorePrivilege  3556  wmimgmt.exe                                                               2
  SeDebugPrivilege    2228  tasklist.exe                                                              1

  Caveat: SeBackupPrivilege and SeRestorePrivilege let a process that opens files with backup semantics read and write them regardless of their ACLs. Enabling them only succeeds if the token already holds them (administrators and Backup Operators); the sandbox records the AdjustTokenPrivileges call, not whether it succeeded. The single SeDebugPrivilege row belongs to tasklist.exe, which enables that privilege itself to query other processes; it is normal behaviour of the tool, not an action of the sample.
- Suspicious use of WriteProcessMemory (30 IoCs)
  The report lists each parent/child pair three times; grouped, with the target process names taken from the process tree below:

  Source PID  Source process                                                           Target PID  Target process   procid_target  Rows
  1528        76d1c120d7fd6a5cbcb2799c650b81a23220096cce22d7d2659a6a98b051985e.exe    3556        wmimgmt.exe      84             3
  3556        wmimgmt.exe                                                              1508        cmd.exe          89             3
  1508        cmd.exe                                                                  3976        findstr.exe      91             3
  1508        cmd.exe                                                                  1020        chcp.com         94             3
  1508        cmd.exe                                                                  4856        net.exe          95             3
  4856        net.exe                                                                  4120        net1.exe         96             3
  1508        cmd.exe                                                                  3908        net.exe          97             3
  3908        net.exe                                                                  4708        net1.exe         98             3
  1508        cmd.exe                                                                  2228        tasklist.exe     99             3
  1508        cmd.exe                                                                  3704        systeminfo.exe   101            3

  Caveat: every write here is a parent writing into a child it has just created, which CreateProcess does legitimately to populate the new process's parameters. There is no write into an unrelated or pre-existing process, so this signature is not evidence of code injection in this run.
Processes
- C:\Users\Admin\AppData\Local\Temp\76d1c120d7fd6a5cbcb2799c650b81a23220096cce22d7d2659a6a98b051985e.exe (depth 1, PID 1528)
  Command line: "C:\Users\Admin\AppData\Local\Temp\76d1c120d7fd6a5cbcb2799c650b81a23220096cce22d7d2659a6a98b051985e.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\ProgramData\Application Data\wmimgmt.exe (depth 2, PID 3556)
    Command line: "C:\ProgramData\Application Data\wmimgmt.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (depth 3, PID 1508)
      Command line: C:\Windows\system32\cmd.exe /v:on /c C:\Users\Admin\AppData\Local\Temp\ghi.bat
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\findstr.exe (depth 4, PID 3976)
        Command line: findstr /s "YM.CGP_" "C:\Users\Admin"\..\*.txt
      - C:\Windows\SysWOW64\chcp.com (depth 4, PID 1020)
        Command line: chcp
      - C:\Windows\SysWOW64\net.exe (depth 4, PID 4856)
        Command line: net user
        - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\net1.exe (depth 5, PID 4120)
          Command line: C:\Windows\system32\net1 user
      - C:\Windows\SysWOW64\net.exe (depth 4, PID 3908)
        Command line: net localgroup administrators
        - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\net1.exe (depth 5, PID 4708)
          Command line: C:\Windows\system32\net1 localgroup administrators
      - C:\Windows\SysWOW64\tasklist.exe (depth 4, PID 2228)
        Command line: tasklist
        - Enumerates processes with tasklist
        - Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\systeminfo.exe (depth 4, PID 3704)
        Command line: systeminfo
        - Gathers system information

Notes on the tree:
- cmd.exe and everything below it loaded from C:\Windows\SysWOW64\ although the command lines ask for C:\Windows\system32\. That is WOW64 file-system redirection: wmimgmt.exe is a 32-bit process (consistent with the arch:x86 resource tag), so each child it spawns is the 32-bit copy.
- C:\ProgramData\Application Data is a compatibility junction that resolves to C:\ProgramData, so the dropped wmimgmt.exe actually resides as C:\ProgramData\wmimgmt.exe. Hunt for both spellings of the path.
- ghi.bat runs from the user's Temp directory with delayed expansion enabled (/v:on) and does only host enumeration: findstr searches every .txt under C:\Users for the string YM.CGP_, chcp prints the console code page, and net user, net localgroup administrators, tasklist and systeminfo collect accounts, local admins, running processes and host details. The batch file itself is not reproduced in the report.
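The process tree above is a compact example of a scripted discovery chain: a dropped executable starts cmd.exe on a .bat in %TEMP%, and that cmd.exe fans out into net user, net localgroup administrators, tasklist and systeminfo. The following detection logic is an added example for this page, not tria.ge code: it takes process-creation events in a hypothetical simplified form (pid, ppid, image, cmdline, as you would pull from Sysmon Event ID 1 or Security event 4688), rebuilds the parent/child relations, and reports each cmd.exe that runs a script from a user's Temp directory and spawns at least three distinct discovery commands. It goes beyond the report in two ways: it separates real account modification (`net user ... /add`, `net localgroup ... /add`) from the enumeration seen here, and it adds whoami and ipconfig as common companion commands. The event list is constructed from the tree above plus one constructed benign interactive prompt; the root's parent PID is assumed.

```python
"""Detect the batch-driven host-reconnaissance chain from this report in
process-creation events (Sysmon Event ID 1 / Security 4688 style fields).
Added example for this report, not tria.ge code. Events are a hypothetical
simplification (pid, ppid, image, cmdline); SAMPLE_EVENTS is constructed from
the report's process tree plus one constructed benign session."""
import ntpath
import re
from collections import defaultdict

# Match order matters: account/group modification first (real "grants admin
# privileges" behaviour), then the enumeration seen in the report. whoami and
# ipconfig are common companions added here (not in the report).
DISCOVERY = [
    ("net modify: localgroup", r"^net localgroup \S+ .*/(?:add|del(?:ete)?)\b"),
    ("net modify: user", r"^net user \S+ .*/(?:add|del(?:ete)?)\b"),
    ("net localgroup administrators", r"^net localgroup administrators\b"),
    ("net user", r"^net user\b"),
    ("tasklist", r"^tasklist\b"),
    ("systeminfo", r"^systeminfo\b"),
    ("whoami", r"^whoami\b"),
    ("ipconfig", r"^ipconfig\b"),
]
TEMP_SCRIPT = re.compile(
    r"[a-z]:\\(?:[^\s\"\\]+\\)*appdata\\local\\temp\\[^\s\"]+\.(?:bat|cmd)\b", re.I)
NONSTANDARD_DIR = re.compile(r"^[a-z]:\\(?:programdata|users\\[^\\]+\\appdata)\\", re.I)


def normalize(cmdline):
    """'C:\\Windows\\system32\\net1 localgroup Administrators' -> 'net localgroup administrators'.
    Drops the image path/extension of the first token; net1 (net.exe's worker) folds into net."""
    tokens = cmdline.strip().split()
    if not tokens:
        return ""
    exe = re.sub(r"\.(?:exe|com)$", "", ntpath.basename(tokens[0].strip('"')).lower())
    exe = "net" if exe == "net1" else exe
    return " ".join([exe] + [t.lower() for t in tokens[1:]])


def classify(cmdline):
    """Return the DISCOVERY label for a command line, or None if it is not one."""
    norm = normalize(cmdline)
    return next((label for label, pat in DISCOVERY if re.match(pat, norm)), None)


def find_recon_chains(events, min_distinct=3):
    """One finding per cmd.exe that runs a .bat/.cmd from %TEMP% and has at least
    min_distinct distinct discovery commands among its direct children."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)
    findings = []
    for e in events:
        script = TEMP_SCRIPT.search(e["cmdline"])
        if ntpath.basename(e["image"]).lower() != "cmd.exe" or not script:
            continue
        labels = {classify(c["cmdline"]) for c in children[e["pid"]]} - {None}
        if len(labels) < min_distinct:
            continue
        parent = by_pid.get(e["ppid"])
        findings.append({
            "cmd_pid": e["pid"],
            "script": script.group(0),
            "discovery": sorted(labels),
            "modifies_accounts": any(l.startswith("net modify") for l in labels),
            "parent_image": parent["image"] if parent else None,
            "parent_in_nonstandard_dir": bool(parent and NONSTANDARD_DIR.match(parent["image"])),
            # system32 was requested but SysWOW64 was loaded: the parent is a
            # 32-bit process on a 64-bit host (WOW64 file-system redirection).
            "wow64": "\\syswow64\\" in e["image"].lower(),
        })
    return findings


SAMPLE_EXE = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\76d1c120d7fd6a5cbcb2799c650b81a23220096cce22d7d2659a6a98b051985e.exe")
DROPPED = r"C:\ProgramData\Application Data\wmimgmt.exe"
W64, S32 = r"C:\Windows\SysWOW64", r"C:\Windows\system32"
# (pid, ppid, image, cmdline) taken from the report's process tree; the root's
# ppid 0 is assumed. The last two rows are a constructed benign interactive prompt.
_ROWS = [
    (1528, 0, SAMPLE_EXE, f'"{SAMPLE_EXE}"'),
    (3556, 1528, DROPPED, f'"{DROPPED}"'),
    (1508, 3556, W64 + r"\cmd.exe", S32 + r"\cmd.exe /v:on /c C:\Users\Admin\AppData\Local\Temp\ghi.bat"),
    (3976, 1508, W64 + r"\findstr.exe", r'findstr /s "YM.CGP_" "C:\Users\Admin"\..\*.txt'),
    (1020, 1508, W64 + r"\chcp.com", "chcp"),
    (4856, 1508, W64 + r"\net.exe", "net user"),
    (4120, 4856, W64 + r"\net1.exe", S32 + r"\net1 user"),
    (3908, 1508, W64 + r"\net.exe", "net localgroup administrators"),
    (4708, 3908, W64 + r"\net1.exe", S32 + r"\net1 localgroup administrators"),
    (2228, 1508, W64 + r"\tasklist.exe", "tasklist"),
    (3704, 1508, W64 + r"\systeminfo.exe", "systeminfo"),
    (6000, 5000, r"C:\Windows\System32\cmd.exe", r'"C:\Windows\System32\cmd.exe"'),
    (6001, 6000, r"C:\Windows\System32\systeminfo.exe", "systeminfo"),
]
SAMPLE_EVENTS = [dict(zip(("pid", "ppid", "image", "cmdline"), row)) for row in _ROWS]

if __name__ == "__main__":
    for finding in find_recon_chains(SAMPLE_EVENTS):
        print(finding)
```

Run against the constructed events it yields exactly one finding, for cmd.exe PID 1508: four distinct discovery labels, modifies_accounts false (matching the caveat on the "Grants admin privileges" signature), a parent under C:\ProgramData, and wow64 true. The interactive prompt with one systeminfo child is not reported. Counting distinct command categories under a single script-running cmd.exe, rather than alerting on any one of net, tasklist or systeminfo, keeps the rule quiet on administrators who type these by hand; lower min_distinct or drop the %TEMP% requirement if you want a noisier hunting query instead of an alert.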
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 60KB
  MD5: a0068ae7ff0080ef15e60e1d213c53b1
  SHA1: 1685fd8007c01c2efc9f273f092cda13141fb0eb
  SHA256: 76d1c120d7fd6a5cbcb2799c650b81a23220096cce22d7d2659a6a98b051985e
  SHA512: f71440dbfa9780d7edb4691a1a353099f4408b05479d7d91b9406a988fa3d15cebe196662306ea9aaad75d9c6a1a8f7659fb7c04568e455411768aec861d35cb
- Filesize: 60KB
  MD5: a0068ae7ff0080ef15e60e1d213c53b1
  SHA1: 1685fd8007c01c2efc9f273f092cda13141fb0eb
  SHA256: 76d1c120d7fd6a5cbcb2799c650b81a23220096cce22d7d2659a6a98b051985e
  SHA512: f71440dbfa9780d7edb4691a1a353099f4408b05479d7d91b9406a988fa3d15cebe196662306ea9aaad75d9c6a1a8f7659fb7c04568e455411768aec861d35cb
- Filesize: 49B
  MD5: 2fa848e6957ded59d3105baff2173502
  SHA1: 69ac17fab606ccaf02eab35dcee4ef0d8030f572
  SHA256: 50ddb97831bd430b8433f5b5e823f1be7bf84a3fdbc10571cf609d3456007bd5
  SHA512: 6c58cc68d1bdf0334f438719ede384267fffd26df94996d7762dc12d3dc952282afc07d244eada6f3459a1ac75b61588125b05d4a2790884dd97b6a72db2450e
- Filesize: 4KB
  MD5: b91bc08162fbc3445c5424b77183b807
  SHA1: 52b2a60db40cdcc655648a65210ed26219c033e1
  SHA256: 7cec366268426139777f0776ba3cbce6a50f4112a96fa88190bee2ebe665275a
  SHA512: 2f19fe96209dcb4e189a8fecddcac40ebed8ce0c6999a469268b57e74e9e830a7b03c1d024c616797ae9029a4566fa96006f29e1fa042bca1534d1d815ae8b35

The first two entries carry identical hashes and match the submitted sample, so they are byte-for-byte the same file captured twice; the report does not attach file names to these downloads. The 49-byte and 4 KB entries are two further files captured during the run.