Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30/01/2023, 13:18
Static task
- static1

Behavioral task
- behavioral1
  Sample: file.exe
  Resource: win7-20221111-en
  10 signatures
  150 seconds

Behavioral task
- behavioral2
  Sample: file.exe
  Resource: win10v2004-20220901-en
  7 signatures
  150 seconds
General
- Target: file.exe
- Size: 604KB
- MD5: a9c03263c6dd4a1b672955a5ecadc1ff
- SHA1: 01e2477f49e9916866469e2117e77d55aa613b89
- SHA256: fb53d9d52d8bb79d32983a428e7b7067952818cee896209c8c08c8de93de7680
- SHA512: 4320605e2d21e5a972fcf922c08474653f8a76965dc29704247b83453ea753844e3db7891e451c2ea8f9a6fd1405b96c8f79a0a95d821ef64791b584563257ba
- SSDEEP: 12288:Fq9i2SvYr3DzQpRqubbdC5QIF/QydtyvscBJeEZLI1kdKKbF7u3fkhJYAP:A9HzHE+mCzQydV6EF4aU
- Score: 5/10
Malware Config
Signatures

- Suspicious use of SetThreadContext (3 IoCs)
  description | pid | Process | procid_target
  PID 2824 set thread context of 4328 | 2824 | file.exe | 86
  PID 4328 set thread context of 2416 | 4328 | Caspol.exe | 39
  PID 1084 set thread context of 2416 | 1084 | wlanext.exe | 39

- Modifies Internet Explorer settings
  description | ioc | Process
  Key created | \Registry\User\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | wlanext.exe

- Suspicious behavior: EnumeratesProcesses (54 IoCs)
  pid | Process | occurrences
  4328 | Caspol.exe | 8
  1084 | wlanext.exe | 46

- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid | Process
  2416 | Explorer.EXE

- Suspicious behavior: MapViewOfSection (7 IoCs)
  pid | Process | occurrences
  4328 | Caspol.exe | 3
  1084 | wlanext.exe | 4

- Suspicious use of AdjustPrivilegeToken (10 IoCs)
  description | pid | Process | occurrences
  Token: SeDebugPrivilege | 4328 | Caspol.exe | 1
  Token: SeDebugPrivilege | 1084 | wlanext.exe | 1
  Token: SeShutdownPrivilege | 2416 | Explorer.EXE | 4
  Token: SeCreatePagefilePrivilege | 2416 | Explorer.EXE | 4

- Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | Process | procid_target | occurrences
  PID 2824 wrote to memory of 4328 | 2824 | file.exe | 86 | 6
  PID 2416 wrote to memory of 1084 | 2416 | Explorer.EXE | 87 | 3
  PID 1084 wrote to memory of 3972 | 1084 | wlanext.exe | 89 | 3
Processes

C:\Windows\Explorer.EXE (PID 2416)
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\file.exe (PID 2824)
    Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe (PID 4328)
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\wlanext.exe (PID 1084)
    Command line: "C:\Windows\SysWOW64\wlanext.exe"
    - Suspicious use of SetThreadContext
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Program Files\Mozilla Firefox\Firefox.exe (PID 3972)
      Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"