Analysis

max time kernel     104s
max time network    164s
platform            windows10-2004_x64
resource            win10v2004-20220812-en
resource tags       arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted           04/12/2022, 00:20
Behavioral task
behavioral1

Sample      eab8571d92f7d5641fa969c7be6a94147f4ac488e360272f5985f3ad2e336470.exe
Resource    win7-20220812-en
General

Target      eab8571d92f7d5641fa969c7be6a94147f4ac488e360272f5985f3ad2e336470.exe
Size        70KB
MD5         2fb0fdc1cf51c69dbfd21c77d701b4e0
SHA1        e59186735276d06e8efc5fbbc6a30e763cdeddbe
SHA256      eab8571d92f7d5641fa969c7be6a94147f4ac488e360272f5985f3ad2e336470
SHA512      7868f7c8ddd60244d8ff2af9887c369cc4f484fddf97cb47618a7dae693251afaa6bd00e6ecd0fb438165c074d5229629dbebb23f81cb72695b234613cc99419
SSDEEP      1536:Qc+E19oIzg3CJuL0gZEQ5w7x3kWM0erCdqeFPF4oEF6mQ8Oc:RzjoIzg3Ci6uW3l8rCf781
Malware Config
Signatures
Disables Task Manager via registry modification

Executes dropped EXE (1 IoC)
pid     Process
4788    msnmsgr.exe

yara_rule: upx (5 IoCs)
resource                                                                         yara_rule
behavioral2/memory/3848-134-0x0000000000400000-0x0000000000422000-memory.dmp     upx
behavioral2/files/0x00040000000006d1-138.dat                                     upx
behavioral2/files/0x00040000000006d1-139.dat                                     upx
behavioral2/memory/4788-142-0x0000000000400000-0x0000000000422000-memory.dmp     upx
behavioral2/memory/3848-143-0x0000000000400000-0x0000000000422000-memory.dmp     upx
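The upx hits above land on two dropped files and on three memory dumps, and every dump covers the same range, 0x400000 to 0x422000, in both the parent (PID 3848) and the dropped child (PID 4788). Triage encodes the PID and the dumped virtual address range in the dump's resource name, so the IoC list alone tells you the in-memory image is 0x22000 bytes (136 KiB) for a 70 KB file, the kind of growth a packed executable shows once its stub has unpacked it. The following Python is an added example, not Triage's own code; it parses those resource names, assuming the `<task>/memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp` layout shown in the report, and uses 70 * 1024 bytes as the on-disk size since the page only gives "70KB":

```python
import re
from dataclasses import dataclass
from typing import Optional

# Assumed layout of a Triage memory-dump resource name, taken from the names
# in the report above: <task>/memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(
    r"^(?P<task>[^/]+)/memory/(?P<pid>\d+)-(?P<seq>\d+)-"
    r"0x(?P<start>[0-9a-fA-F]+)-0x(?P<end>[0-9a-fA-F]+)-memory\.dmp$"
)


@dataclass(frozen=True)
class MemoryDump:
    task: str
    pid: int
    seq: int
    start: int   # first virtual address of the dumped region
    end: int     # one past the last virtual address

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_dump_name(resource: str) -> Optional[MemoryDump]:
    """Return a MemoryDump for a memory-dump resource; None for a dropped-file hit."""
    m = DUMP_RE.match(resource)
    if m is None:
        return None
    return MemoryDump(m["task"], int(m["pid"]), int(m["seq"]),
                      int(m["start"], 16), int(m["end"], 16))


# The five (resource, yara_rule) rows from the report above.
IOCS = [
    ("behavioral2/memory/3848-134-0x0000000000400000-0x0000000000422000-memory.dmp", "upx"),
    ("behavioral2/files/0x00040000000006d1-138.dat", "upx"),
    ("behavioral2/files/0x00040000000006d1-139.dat", "upx"),
    ("behavioral2/memory/4788-142-0x0000000000400000-0x0000000000422000-memory.dmp", "upx"),
    ("behavioral2/memory/3848-143-0x0000000000400000-0x0000000000422000-memory.dmp", "upx"),
]


def summarize(iocs, on_disk_size: int) -> dict:
    """Split YARA hits into file hits and per-PID memory ranges, then compare the
    largest dumped region with the on-disk size (packed code grows when unpacked)."""
    file_hits = []
    mem = {}          # pid -> set of (start, end) ranges that matched
    rules = set()
    for resource, rule in iocs:
        rules.add(rule)
        dump = parse_dump_name(resource)
        if dump is None:
            file_hits.append(resource)
            continue
        mem.setdefault(dump.pid, set()).add((dump.start, dump.end))
    sizes = {end - start for ranges in mem.values() for (start, end) in ranges}
    image_size = max(sizes) if sizes else 0
    return {
        "rules": sorted(rules),
        "file_hits": file_hits,
        "pids": sorted(mem),
        # True when parent and dropped child were dumped over the identical range
        "same_range_in_all_pids": len({frozenset(r) for r in mem.values()}) == 1,
        "image_size": image_size,
        "expansion": image_size / on_disk_size if on_disk_size else 0.0,
    }


if __name__ == "__main__":
    print(summarize(IOCS, on_disk_size=70 * 1024))
```

An expansion factor near 2 with identical ranges in both PIDs is consistent with the Downloads section further down, where the dropped file carries the same hashes as the submitted sample.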
Drops file in Windows directory (2 IoCs)
description                    ioc                       Process
File created                   C:\Windows\msnmsgr.exe    eab8571d92f7d5641fa969c7be6a94147f4ac488e360272f5985f3ad2e336470.exe
File opened for modification   C:\Windows\msnmsgr.exe    eab8571d92f7d5641fa969c7be6a94147f4ac488e360272f5985f3ad2e336470.exe

Runs .reg file with regedit (1 IoC)
pid     Process
1928    regedit.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid     Process
3848    eab8571d92f7d5641fa969c7be6a94147f4ac488e360272f5985f3ad2e336470.exe
3848    eab8571d92f7d5641fa969c7be6a94147f4ac488e360272f5985f3ad2e336470.exe
4788    msnmsgr.exe
4788    msnmsgr.exe

Suspicious use of AdjustPrivilegeToken (4 IoCs)
description                     pid     Process
Token: SeSystemtimePrivilege    3848    eab8571d92f7d5641fa969c7be6a94147f4ac488e360272f5985f3ad2e336470.exe
Token: SeSystemtimePrivilege    3848    eab8571d92f7d5641fa969c7be6a94147f4ac488e360272f5985f3ad2e336470.exe
Token: SeSystemtimePrivilege    3848    eab8571d92f7d5641fa969c7be6a94147f4ac488e360272f5985f3ad2e336470.exe
Token: SeSystemtimePrivilege    3848    eab8571d92f7d5641fa969c7be6a94147f4ac488e360272f5985f3ad2e336470.exe

Suspicious use of SetWindowsHookEx (6 IoCs)
pid     Process
3848    eab8571d92f7d5641fa969c7be6a94147f4ac488e360272f5985f3ad2e336470.exe
3848    eab8571d92f7d5641fa969c7be6a94147f4ac488e360272f5985f3ad2e336470.exe
3848    eab8571d92f7d5641fa969c7be6a94147f4ac488e360272f5985f3ad2e336470.exe
4788    msnmsgr.exe
4788    msnmsgr.exe
4788    msnmsgr.exe

Suspicious use of WriteProcessMemory (6 IoCs)
description                         pid     Process                                                                   procid_target
PID 3848 wrote to memory of 1928    3848    eab8571d92f7d5641fa969c7be6a94147f4ac488e360272f5985f3ad2e336470.exe     81
PID 3848 wrote to memory of 1928    3848    eab8571d92f7d5641fa969c7be6a94147f4ac488e360272f5985f3ad2e336470.exe     81
PID 3848 wrote to memory of 1928    3848    eab8571d92f7d5641fa969c7be6a94147f4ac488e360272f5985f3ad2e336470.exe     81
PID 3848 wrote to memory of 4788    3848    eab8571d92f7d5641fa969c7be6a94147f4ac488e360272f5985f3ad2e336470.exe     82
PID 3848 wrote to memory of 4788    3848    eab8571d92f7d5641fa969c7be6a94147f4ac488e360272f5985f3ad2e336470.exe     82
PID 3848 wrote to memory of 4788    3848    eab8571d92f7d5641fa969c7be6a94147f4ac488e360272f5985f3ad2e336470.exe     82
Processes

C:\Users\Admin\AppData\Local\Temp\eab8571d92f7d5641fa969c7be6a94147f4ac488e360272f5985f3ad2e336470.exe   (PID 3848)
  command line: "C:\Users\Admin\AppData\Local\Temp\eab8571d92f7d5641fa969c7be6a94147f4ac488e360272f5985f3ad2e336470.exe"
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\regedit.exe   (PID 1928, child of 3848)
    command line: regedit /s C:\99reg.reg
    - Runs .reg file with regedit

  C:\Windows\msnmsgr.exe   (PID 4788, child of 3848)
    command line: C:\Windows\msnmsgr.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
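The process tree and signatures above reduce to four host-observable events: a binary running from the user's Temp directory writes an executable into C:\Windows, spawns regedit.exe with /s to import a .reg file silently, and then launches the file it just dropped, with the Task Manager lockout landing in the registry along the way. The Python below is an added example, not Triage's detection code. It runs those four checks over constructed Sysmon-style events (EventID 1 process create, 11 file create, 13 registry value set) that mirror the report's PIDs, paths and command lines; the event field layout, the parent of PID 3848, the SID and the DisableTaskMgr value are assumptions, since the page does not show the contents of C:\99reg.reg:

```python
import re

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\eab8571d92f7d5641fa969c7be6a94147f4ac488e360272f5985f3ad2e336470.exe")
REGEDIT = r"C:\Windows\SysWOW64\regedit.exe"
DROPPED = r"C:\Windows\msnmsgr.exe"

# Constructed Sysmon-style events. PIDs, images and command lines come from the
# report above; the field layout, explorer.exe as the parent of 3848, the SID and
# the DisableTaskMgr registry write are assumptions made for this example.
EVENTS = [
    {"EventID": 1, "ProcessId": 3848, "ParentProcessId": 1234, "Image": SAMPLE,
     "CommandLine": f'"{SAMPLE}"', "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 11, "ProcessId": 3848, "Image": SAMPLE, "TargetFilename": DROPPED},
    {"EventID": 1, "ProcessId": 1928, "ParentProcessId": 3848, "Image": REGEDIT,
     "CommandLine": r"regedit /s C:\99reg.reg", "ParentImage": SAMPLE},
    {"EventID": 13, "ProcessId": 1928, "Image": REGEDIT,
     "TargetObject": r"HKU\S-1-5-21-1000000000-2000000000-3000000000-1001"
                     r"\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 1, "ProcessId": 4788, "ParentProcessId": 3848, "Image": DROPPED,
     "CommandLine": DROPPED, "ParentImage": SAMPLE},
]

# regedit /s, /S or -s imports a .reg file with no prompt
SILENT_IMPORT = re.compile(r"(?i)(^|\s)[/-]s\b")


def in_user_dir(path: str) -> bool:
    return path.lower().startswith("c:\\users\\")


def in_windows_dir(path: str) -> bool:
    return path.lower().startswith("c:\\windows\\")


def detect(events):
    """Return (rule, pid, detail) tuples, in event order, for the four behaviours."""
    alerts = []
    dropped = {}  # lowercase path -> pid that created it, for the dropped-EXE correlation
    for e in events:
        eid, pid = e["EventID"], e["ProcessId"]
        if eid == 11:
            target = e["TargetFilename"]
            # an executable written into C:\Windows by something that does not live there
            if in_windows_dir(target) and target.lower().endswith(".exe") \
                    and not in_windows_dir(e["Image"]):
                alerts.append(("drops_file_in_windows_dir", pid, target))
            dropped[target.lower()] = pid
        elif eid == 1:
            image, cmd = e["Image"], e["CommandLine"]
            # silent .reg import launched by a parent running from a user-writable path
            if image.lower().endswith("\\regedit.exe") and SILENT_IMPORT.search(cmd) \
                    and in_user_dir(e["ParentImage"]):
                alerts.append(("silent_reg_import_from_user_dir", pid, cmd))
            # a process whose image was created earlier in the same trace
            if image.lower() in dropped:
                alerts.append(("executes_dropped_exe", pid, image))
        elif eid == 13:
            # DisableTaskMgr=1 under a Policies\System key is the Task Manager lockout
            if e["TargetObject"].lower().endswith("\\policies\\system\\disabletaskmgr") \
                    and e["Details"].endswith("(0x00000001)"):
                alerts.append(("disables_task_manager", pid, e["TargetObject"]))
    return alerts


if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(f"{rule:35} pid={pid} {detail}")
```

The dropped-EXE rule is the one that needs state: it only fires because the EventID 11 write of C:\Windows\msnmsgr.exe by PID 3848 was seen before the EventID 1 launch of the same path, which is exactly the ordering the process tree shows.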
Network
MITRE ATT&CK Matrix
Downloads

Filesize    121B
MD5         8c0c2a3561f09e9da4f663ebd9db06dc
SHA1        060cfdaa3aa592ec1bede0c4e71a6da3baf42dd4
SHA256      4c3f8b2bae6bd3dec43219df3845068964d4a2e398bc20a32e75d7379d0a1c03
SHA512      b45639591a3ad789831d6b45dd5e7e5cee5e8206f3fa225e39032e1f64d4dd3e74cd367444d615fa89259176e28cfeaa03106c87e12c45d4d5e4c9975b4a8ec8

Filesize    70KB   (this entry appears twice on the original page with identical hashes; they match the submitted sample's hashes in the General section)
MD5         2fb0fdc1cf51c69dbfd21c77d701b4e0
SHA1        e59186735276d06e8efc5fbbc6a30e763cdeddbe
SHA256      eab8571d92f7d5641fa969c7be6a94147f4ac488e360272f5985f3ad2e336470
SHA512      7868f7c8ddd60244d8ff2af9887c369cc4f484fddf97cb47618a7dae693251afaa6bd00e6ecd0fb438165c074d5229629dbebb23f81cb72695b234613cc99419