Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
30s -
max time network
32s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system -
submitted
02/02/2023, 11:18
Static task
static1
Behavioral task
behavioral1
Sample
BypassCredGuard.exe
Resource
win10v2004-20221111-en
3 signatures
30 seconds
General
-
Target
BypassCredGuard.exe
-
Size
1.1MB
-
MD5
24e9af62fb9154f3fda6a72fd1afe678
-
SHA1
51239090c14895a04628a38f4c36948b4b7cc0b8
-
SHA256
7039fabc43e34d0cce367e1e6fb99cc4d76cf6dfa36b8131e57b7ee3453687fe
-
SHA512
cd6f670ac0ac896aeefb3c6ee6b445b08e9ca3f404d93ac0f3726a297c5058c923a9c8d3235eb3181ef232af807613296bcc754de8a85bb09cf991130bc6fc42
-
SSDEEP
12288:3bUzm3h0EPX3Mf3d/aRebDLOuiXhYhZjrtEt6TpeOCDodCO53z:3b0m3hhPX3eN/aRuDLOChZn9vlz
Score
1/10
Malware Config
Signatures
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 1192 BypassCredGuard.exe 1192 BypassCredGuard.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1192 BypassCredGuard.exe -
Suspicious use of WriteProcessMemory 2 IoCs
description pid Process procid_target PID 1192 wrote to memory of 660 1192 BypassCredGuard.exe 6 PID 1192 wrote to memory of 660 1192 BypassCredGuard.exe 6
Processes
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵PID:660
-
C:\Users\Admin\AppData\Local\Temp\BypassCredGuard.exe"C:\Users\Admin\AppData\Local\Temp\BypassCredGuard.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1192