Analysis

max time kernel:  150s
max time network: 188s
platform:         windows10-2004_x64
resource:         win10v2004-20221111-en
resource tags:    arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted:        04/12/2022, 11:33
Static task
  static1

Behavioral task
  behavioral1
  Sample:   3a929186d2486a9a1dc002b1746ebad0d794563c7770fc004661ee765f7a6fd0.exe
  Resource: win7-20221111-en

Behavioral task
  behavioral2
  Sample:   3a929186d2486a9a1dc002b1746ebad0d794563c7770fc004661ee765f7a6fd0.exe
  Resource: win10v2004-20221111-en

The results on this page (platform windows10-2004_x64, resource win10v2004-20221111-en) come from behavioral2. The Windows 7 run (behavioral1, win7-20221111-en) is listed but its results are not shown here.
General

Target: 3a929186d2486a9a1dc002b1746ebad0d794563c7770fc004661ee765f7a6fd0.exe
Size:   200KB
MD5:    1d3360c8ec2fb5d40e9fd8339f337d40
SHA1:   88da67db93ce07bce2c082b99ac2d79579f9b27c
SHA256: 3a929186d2486a9a1dc002b1746ebad0d794563c7770fc004661ee765f7a6fd0
SHA512: b7861938114c2d3a2275e7ac1750d61cd3b0bfa55b89b32fbcd894cddc5c1f7e8ed930b704ac95040bcd0e67323201835508059eb599e84c2213ca09811d2b4d
SSDEEP: 6144:k00zTTCTee2f2cKpFynL/w6Nz40VCk0unquc6LdMjn:n0BKpUnTw6NziD
Malware Config
Signatures

Modifies Installed Components in the registry (2 TTPs, 2 IoCs)
  Key created      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C2D83C22-13DF-FC37-4D1D-15FBA363C062}
                   Process: 3a929186d2486a9a1dc002b1746ebad0d794563c7770fc004661ee765f7a6fd0.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C2D83C22-13DF-FC37-4D1D-15FBA363C062}\stubpath = "%SystemRoot%\\system32\\V3Medic.exe"
                   Process: 3a929186d2486a9a1dc002b1746ebad0d794563c7770fc004661ee765f7a6fd0.exe
  Analyst note: Active Setup is a logon persistence mechanism. At each user logon Windows runs the StubPath of every HKLM Installed Components entry whose GUID has no matching entry under HKCU, then writes that HKCU entry so the stub runs only once per user. The child reg.exe in the process tree deletes exactly that HKCU entry for this GUID, which re-arms the stub for the next logon. The value names %SystemRoot%\system32 while the file drop below lands in C:\Windows\SysWOW64: the sample is 32-bit (arch:x86 in the resource tags), so WOW64 redirects both its System32 writes (to SysWOW64) and its HKLM\SOFTWARE writes (to WOW6432Node).

Drops file in System32 directory (2 IoCs)
  File created                  C:\Windows\SysWOW64\V3Medic.exe
                                Process: 3a929186d2486a9a1dc002b1746ebad0d794563c7770fc004661ee765f7a6fd0.exe
  File opened for modification  C:\Windows\SysWOW64\V3Medic.exe
                                Process: 3a929186d2486a9a1dc002b1746ebad0d794563c7770fc004661ee765f7a6fd0.exe
  Analyst note: writing under C:\Windows requires administrative rights, so the successful drop shows the sample ran elevated in this task.

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeIncBasePriorityPrivilege   PID 3428   Process: 3a929186d2486a9a1dc002b1746ebad0d794563c7770fc004661ee765f7a6fd0.exe
  Analyst note: this privilege allows raising a process's scheduling priority (for example with SetPriorityClass); on its own it is weak evidence.

Suspicious use of WriteProcessMemory (6 IoCs)
  description                       pid   Process                                                                    procid_target
  PID 3428 wrote to memory of 4996  3428  3a929186d2486a9a1dc002b1746ebad0d794563c7770fc004661ee765f7a6fd0.exe  84   (3 events)
  PID 3428 wrote to memory of 4692  3428  3a929186d2486a9a1dc002b1746ebad0d794563c7770fc004661ee765f7a6fd0.exe  97   (3 events)
  Analyst note: all six writes target PIDs 4996 (reg.exe) and 4692 (cmd.exe), the sample's own children, and are consistent with the parent setting up processes it created (CreateProcess writes the new process's parameters into it), not with injection into an unrelated process.
Processes

1. C:\Users\Admin\AppData\Local\Temp\3a929186d2486a9a1dc002b1746ebad0d794563c7770fc004661ee765f7a6fd0.exe  (PID 3428)
   Command line: "C:\Users\Admin\AppData\Local\Temp\3a929186d2486a9a1dc002b1746ebad0d794563c7770fc004661ee765f7a6fd0.exe"
   Signatures: Modifies Installed Components in the registry; Drops file in System32 directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\reg.exe  (PID 4996)
      Command line: reg delete "HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\{C2D83C22-13DF-FC37-4D1D-15FBA363C062}" /f

   2. C:\Windows\SysWOW64\cmd.exe  (PID 4692)
      Command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\3A9291~1.EXE > nul

The reg.exe child removes the per-user Active Setup marker for the same GUID the sample registered under HKLM, so the StubPath runs again at the next logon. The cmd.exe child deletes the original sample (3A9291~1.EXE is the 8.3 short name of the sample file in Temp) once the copy in SysWOW64 is in place, a common self-delete step; a responder should look for V3Medic.exe rather than the original file name.
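The two registry actions above (a StubPath written under HKLM\...\WOW6432Node, then reg.exe deleting the HKCU copy of the same GUID) are the pair a detection should correlate. The following Python is an added example, not code from tria.ge or from the sample's authors. It runs over Sysmon-style registry event records constructed here to mirror the report's IoCs: the field names event_type, image, target_object and details are modelled on Sysmon's RegistryEvent schema but are assumptions, as are the SID in the HKU path and the expansion of %SystemRoot% to C:\Windows. It flags StubPath writes made by an image running from a user profile path, resolves the on-disk stub location through WOW64 redirection, and flags an HKCU component deletion that matches an HKLM stub seen earlier.

```python
"""Flag Active Setup persistence in Sysmon-style registry events.

Added example for the report above; not Triage code. EVENTS is constructed to
mirror the report's IoCs. Field names (event_type, image, target_object,
details) are modelled on Sysmon's RegistryEvent records but are assumptions,
as are the SID in the HKU path and the %SystemRoot% = C:\\Windows expansion.
"""
import re

# One pattern for both hives after normalise_key(); an optional WOW6432Node
# segment marks a 32-bit component, and the optional trailing value name
# distinguishes "...\{GUID}\StubPath" from the component key itself.
ACTIVE_SETUP = re.compile(
    r"^(?P<hive>HKLM|HKCU)\\SOFTWARE\\(?P<wow>WOW6432Node\\)?Microsoft\\Active Setup"
    r"\\Installed Components\\(?P<guid>\{[0-9A-F-]{36}\})(?:\\(?P<value>[^\\]+))?$",
    re.IGNORECASE,
)
# Heuristic (assumption): legitimate installers register Active Setup entries
# from Program Files or C:\Windows; a writer under a user profile is suspicious.
USER_WRITABLE = re.compile(r"^C:\\Users\\", re.IGNORECASE)


def normalise_key(target):
    """Map the raw NT path Triage prints (\\REGISTRY\\MACHINE\\...) and the
    per-user HKU\\<SID>\\... form Sysmon logs onto HKLM / HKCU."""
    key = re.sub(r"^\\REGISTRY\\MACHINE\\", r"HKLM\\", target, flags=re.I)
    key = re.sub(r"^(?:\\REGISTRY\\USER|HKU)\\S-1-5-[\d-]+\\", r"HKCU\\", key, flags=re.I)
    return key


def resolve_stub(details, wow64):
    """Expand %SystemRoot% (assumed C:\\Windows) and apply WOW64 file-system
    redirection: a stub registered under WOW6432Node runs 32-bit, so its
    \\system32 reference resolves to \\SysWOW64, where the report's drop is."""
    path = re.sub(r"%SystemRoot%", r"C:\\Windows", details, flags=re.I)
    if wow64:
        path = re.sub(r"^C:\\Windows\\system32\\", r"C:\\Windows\\SysWOW64\\", path, flags=re.I)
    return path


def detect(events):
    """Return findings: StubPath writes from user-writable paths, and HKCU
    component deletions that would force an HKLM stub to run again at logon."""
    findings = []
    machine_stubs = {}  # GUID -> resolved stub path seen written under HKLM
    for ev in events:
        m = ACTIVE_SETUP.match(normalise_key(ev["target_object"]))
        if not m:
            continue
        hive, guid, value = m["hive"].upper(), m["guid"].upper(), (m["value"] or "").lower()
        if ev["event_type"] == "SetValue" and hive == "HKLM" and value == "stubpath":
            stub = resolve_stub(ev["details"], bool(m["wow"]))
            machine_stubs[guid] = stub
            if USER_WRITABLE.match(ev["image"]):
                findings.append({"type": "active_setup_stubpath", "guid": guid,
                                 "stub": stub, "writer": ev["image"]})
        elif ev["event_type"] == "DeleteKey" and hive == "HKCU" and not value:
            # Active Setup runs HKLM stubs whose GUID is absent from HKCU at logon;
            # deleting the HKCU marker re-arms a stub that has already run once.
            if guid in machine_stubs:
                findings.append({"type": "active_setup_forced_rerun", "guid": guid,
                                 "stub": machine_stubs[guid], "deleter": ev["image"]})
    return findings


GUID = "{C2D83C22-13DF-FC37-4D1D-15FBA363C062}"
SAMPLE = ("C:\\Users\\Admin\\AppData\\Local\\Temp\\"
          "3a929186d2486a9a1dc002b1746ebad0d794563c7770fc004661ee765f7a6fd0.exe")
AS_HKLM = "\\REGISTRY\\MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Active Setup\\Installed Components\\"
# Constructed events mirroring the report's IoCs and process tree (not a real log export).
EVENTS = [
    {"event_type": "SetValue", "image": SAMPLE,
     "target_object": AS_HKLM + GUID + "\\StubPath",
     "details": "%SystemRoot%\\system32\\V3Medic.exe"},
    {"event_type": "DeleteKey", "image": "C:\\Windows\\SysWOW64\\reg.exe",
     "target_object": ("HKU\\S-1-5-21-1111111111-2222222222-3333333333-1001"
                       "\\Software\\Microsoft\\Active Setup\\Installed Components\\" + GUID),
     "details": ""},
    # Constructed control: a stub written by a system binary is recorded but not flagged.
    {"event_type": "SetValue", "image": "C:\\Windows\\System32\\msiexec.exe",
     "target_object": "HKLM\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\"
                      "{00000000-0000-0000-0000-00000000BEEF}\\StubPath",
     "details": "%SystemRoot%\\System32\\ie4uinit.exe -UserConfig"},
]

if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding)
```

On the constructed events the first finding reports the stub resolved to C:\Windows\SysWOW64\V3Medic.exe, matching the file-drop IoC rather than the system32 path in the registry value, and the second ties the reg.exe deletion back to that stub. In production the user-profile heuristic needs an allow-list for legitimate per-user installers, and the HKCU deletion should be correlated with the HKLM write across the whole host timeline, not only within one event batch.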