Analysis
max time kernel: 154s
max time network: 189s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06/12/2022, 21:42
Static task: static1
Behavioral task: behavioral1
Sample: d7df79f55177f6bbf980c0526ec7f93c39ae5ff58f4e1684e5d3c8ec4e7681b2.exe
Resource: win7-20220812-en
Behavioral task: behavioral2
Sample: d7df79f55177f6bbf980c0526ec7f93c39ae5ff58f4e1684e5d3c8ec4e7681b2.exe
Resource: win10v2004-20221111-en
General
Target: d7df79f55177f6bbf980c0526ec7f93c39ae5ff58f4e1684e5d3c8ec4e7681b2.exe
Size: 284KB
MD5: d1983e2c4b8ffe2255a0c6b36bcf82e8
SHA1: 0e884d568e2bf02ca2773519fdc5d74a6a6c3b0b
SHA256: d7df79f55177f6bbf980c0526ec7f93c39ae5ff58f4e1684e5d3c8ec4e7681b2
SHA512: 293a7770d0d061cf575e793838b7b5175d5ff6bb50fd97c1f090926093789193853d12c2de58d4390dfa9c5c0b446e6c86d24d2fbf52f2975fdc16cc3280220c
SSDEEP: 6144:wHogBfdMhCuPz9ww5uZbFxaSsBk3+ufkVsXXkSGdG+:5QupwGgbjPsBBuf05JdG+
Malware Config
(none extracted)

Signatures

Loads dropped DLL (2 IoCs)
pid 208  d7df79f55177f6bbf980c0526ec7f93c39ae5ff58f4e1684e5d3c8ec4e7681b2.exe
pid 4008 svchost.exe

Drops file in Program Files directory (2 IoCs)
File opened for modification: C:\Program Files (x86)\Uwap\Hqwipxmoq.jpg (d7df79f55177f6bbf980c0526ec7f93c39ae5ff58f4e1684e5d3c8ec4e7681b2.exe)
File created: C:\Program Files (x86)\Uwap\Hqwipxmoq.jpg (d7df79f55177f6bbf980c0526ec7f93c39ae5ff58f4e1684e5d3c8ec4e7681b2.exe)

Drops file in Windows directory (2 IoCs)
File created: C:\windows\xinstall1073500.dll (d7df79f55177f6bbf980c0526ec7f93c39ae5ff58f4e1684e5d3c8ec4e7681b2.exe)
File opened for modification: C:\windows\xinstall1073500.dll (d7df79f55177f6bbf980c0526ec7f93c39ae5ff58f4e1684e5d3c8ec4e7681b2.exe)

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid 4008 svchost.exe (all 64 entries are this same process)

Suspicious use of AdjustPrivilegeToken (8 IoCs)
Token: SeBackupPrivilege  pid 208 d7df79f55177f6bbf980c0526ec7f93c39ae5ff58f4e1684e5d3c8ec4e7681b2.exe (4 times)
Token: SeRestorePrivilege pid 208 d7df79f55177f6bbf980c0526ec7f93c39ae5ff58f4e1684e5d3c8ec4e7681b2.exe (4 times)
Processes

C:\Users\Admin\AppData\Local\Temp\d7df79f55177f6bbf980c0526ec7f93c39ae5ff58f4e1684e5d3c8ec4e7681b2.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\d7df79f55177f6bbf980c0526ec7f93c39ae5ff58f4e1684e5d3c8ec4e7681b2.exe"
PID: 208
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\svchost.exe
Command line: C:\Windows\SysWOW64\svchost.exe -k sougou
PID: 4008
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
Network
(no entries)

MITRE ATT&CK Matrix
(no entries)
Downloads

Filesize: 228KB
MD5: 1b8ef40fce666d9cd84cf644ffb770c9
SHA1: f2ee543a63576ccbd6dbfee5260a5e56ca8bd1df
SHA256: 847e6cd6989af44c7cd1c91affcdb0d8783cc617ab331c2ad15ded2121873df8
SHA512: 3aaa23966048678a9571a3cb0d7a0c91c74463c626c571d78200f20aca0f6ef00ed4b5153b9eb2982cb9c63c9157e87440c26470e4e735a46428a520120790db

Filesize: 210KB
MD5: c8db214ac7ad44911a2423858151f796
SHA1: 785910bef3ac03d6e9ee3b6028c4081fd26e405c
SHA256: ec1338cc54c91086f71dc99de97deab89c6b0155a2974ea452e72ec57fad146a
SHA512: ebcc9149b1d8dea9c95f135a208a32ac1cdfe9d9eec67b590c1a17c704986283f18c8395b4a6d9136f99dd2ec2a977b2ab19a493bbc6dfc4f4dc9794c644c7a1

Filesize: 210KB
MD5: c8db214ac7ad44911a2423858151f796
SHA1: 785910bef3ac03d6e9ee3b6028c4081fd26e405c
SHA256: ec1338cc54c91086f71dc99de97deab89c6b0155a2974ea452e72ec57fad146a
SHA512: ebcc9149b1d8dea9c95f135a208a32ac1cdfe9d9eec67b590c1a17c704986283f18c8395b4a6d9136f99dd2ec2a977b2ab19a493bbc6dfc4f4dc9794c644c7a1

Filesize: 133B
MD5: a80017ba31f33ba697532d4559fa8f35
SHA1: 2d8d039ddcf141149ab827ad24169e9cfacaeae0
SHA256: 4c22842aaa7556533059fd76628a42d65ed38891abffc10873d2e812be4de8d7
SHA512: a6519f7e56bc34a9b315f0e2cbdc5007fd1efa434b075c14b66f7e2a4ee05a22c8550f10a14a198edba048ad457aef2bf829666b009a60f34ac3d46006324b82

Filesize: 228KB
MD5: 1b8ef40fce666d9cd84cf644ffb770c9
SHA1: f2ee543a63576ccbd6dbfee5260a5e56ca8bd1df
SHA256: 847e6cd6989af44c7cd1c91affcdb0d8783cc617ab331c2ad15ded2121873df8
SHA512: 3aaa23966048678a9571a3cb0d7a0c91c74463c626c571d78200f20aca0f6ef00ed4b5153b9eb2982cb9c63c9157e87440c26470e4e735a46428a520120790db