Analysis
- max time kernel: 91s
- max time network: 142s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01/12/2022, 21:08
Static task: static1
Behavioral task: behavioral1
- Sample: 921746cf8489711fa5789d29f35d5094c7fba9c6724332f2a2999e4b02344766.exe
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: 921746cf8489711fa5789d29f35d5094c7fba9c6724332f2a2999e4b02344766.exe
- Resource: win10v2004-20220901-en
General
- Target: 921746cf8489711fa5789d29f35d5094c7fba9c6724332f2a2999e4b02344766.exe
- Size: 25KB
- MD5: db9f922b7999fa8ea609c4c260e724d0
- SHA1: 8457bf31475077f654d020ac1c7fce9a424a4bd4
- SHA256: 921746cf8489711fa5789d29f35d5094c7fba9c6724332f2a2999e4b02344766
- SHA512: 9aee84ae130dd78e01e311a19ffe583c75486dfdf28e067ca5081df584cc184f810d82ef496d2b1c5feb1ec0da98365a299e017ee94cd4ce51aa892aeb509cc9
- SSDEEP: 768:mddMm/3yuVR9ZEwhjlTpGf+iU3H8u+IheO17y5ra:mdS2L7pj2BGL+IheuCra
Malware Config
Signatures
- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | 921746cf8489711fa5789d29f35d5094c7fba9c6724332f2a2999e4b02344766.exe
- Suspicious use of AdjustPrivilegeToken (10 IoCs)
  description | pid | Process
  Token: SeBackupPrivilege | 4928 | 921746cf8489711fa5789d29f35d5094c7fba9c6724332f2a2999e4b02344766.exe
  Token: SeRestorePrivilege | 4928 | 921746cf8489711fa5789d29f35d5094c7fba9c6724332f2a2999e4b02344766.exe
  Token: SeRestorePrivilege | 4928 | 921746cf8489711fa5789d29f35d5094c7fba9c6724332f2a2999e4b02344766.exe
  Token: SeRestorePrivilege | 4928 | 921746cf8489711fa5789d29f35d5094c7fba9c6724332f2a2999e4b02344766.exe
  Token: SeRestorePrivilege | 4928 | 921746cf8489711fa5789d29f35d5094c7fba9c6724332f2a2999e4b02344766.exe
  Token: SeBackupPrivilege | 4928 | 921746cf8489711fa5789d29f35d5094c7fba9c6724332f2a2999e4b02344766.exe
  Token: SeRestorePrivilege | 4928 | 921746cf8489711fa5789d29f35d5094c7fba9c6724332f2a2999e4b02344766.exe
  Token: SeRestorePrivilege | 4928 | 921746cf8489711fa5789d29f35d5094c7fba9c6724332f2a2999e4b02344766.exe
  Token: SeRestorePrivilege | 4928 | 921746cf8489711fa5789d29f35d5094c7fba9c6724332f2a2999e4b02344766.exe
  Token: SeRestorePrivilege | 4928 | 921746cf8489711fa5789d29f35d5094c7fba9c6724332f2a2999e4b02344766.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | Process | procid_target
  PID 4928 wrote to memory of 1344 | 4928 | 921746cf8489711fa5789d29f35d5094c7fba9c6724332f2a2999e4b02344766.exe | 81
  PID 4928 wrote to memory of 1344 | 4928 | 921746cf8489711fa5789d29f35d5094c7fba9c6724332f2a2999e4b02344766.exe | 81
  PID 4928 wrote to memory of 1344 | 4928 | 921746cf8489711fa5789d29f35d5094c7fba9c6724332f2a2999e4b02344766.exe | 81
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\921746cf8489711fa5789d29f35d5094c7fba9c6724332f2a2999e4b02344766.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\921746cf8489711fa5789d29f35d5094c7fba9c6724332f2a2999e4b02344766.exe"
  PID: 4928
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\svchost.exe
    Command line: C:\Windows\system32\svchost.exe
    PID: 1344