Analysis
- max time kernel: 99s
- max time network: 115s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04/02/2023, 20:23
Behavioral task: behavioral1
- Sample: tmp.exe
- Resource: win7-20221111-en
- 1 signatures
- 150 seconds

Behavioral task: behavioral2
- Sample: tmp.exe
- Resource: win10v2004-20220901-en
- 3 signatures
- 150 seconds
General
- Target: tmp.exe
- Size: 1.0MB
- MD5: 2a2b9b0930e3d96f9e97266d09578ae8
- SHA1: 22bfab8b38cdae66c875177d7c892c1d364f4411
- SHA256: f92f1e572619dfa04356daf942f6d86295a4f02ade18b4826077cb3a3c1d95a1
- SHA512: a9abc90646544dc0f2f76d1641518f0a611e990bbfa72a9af28f0b9f48c986edea42ce5d65ccb3e67658d5d6aba762e8135fd6251a8db244379ca81ae0717f1f
- SSDEEP: 24576:Y4/fET1abjXthYpsn0Ji0ttp8/IBp0cKD/WAXwDo2qyIN94j:YAmqh+W0JiWWGiDWAXb/yINy
- Score: 7/10
Malware Config
Signatures
- (yara rule matches)
  resource | yara_rule
  behavioral2/memory/4572-132-0x0000000000400000-0x00000000006B9000-memory.dmp | upx
  behavioral2/memory/4572-135-0x0000000000400000-0x00000000006B9000-memory.dmp | upx
  behavioral2/memory/4572-136-0x0000000000400000-0x00000000006B9000-memory.dmp | upx
- Suspicious use of AdjustPrivilegeToken (42 IoCs)
  description | pid | Process
  The following sequence of 21 token adjustments is recorded twice in the report (42 IoCs in total), all by pid 2468 (WMIC.exe):
  Token: SeIncreaseQuotaPrivilege | 2468 | WMIC.exe
  Token: SeSecurityPrivilege | 2468 | WMIC.exe
  Token: SeTakeOwnershipPrivilege | 2468 | WMIC.exe
  Token: SeLoadDriverPrivilege | 2468 | WMIC.exe
  Token: SeSystemProfilePrivilege | 2468 | WMIC.exe
  Token: SeSystemtimePrivilege | 2468 | WMIC.exe
  Token: SeProfSingleProcessPrivilege | 2468 | WMIC.exe
  Token: SeIncBasePriorityPrivilege | 2468 | WMIC.exe
  Token: SeCreatePagefilePrivilege | 2468 | WMIC.exe
  Token: SeBackupPrivilege | 2468 | WMIC.exe
  Token: SeRestorePrivilege | 2468 | WMIC.exe
  Token: SeShutdownPrivilege | 2468 | WMIC.exe
  Token: SeDebugPrivilege | 2468 | WMIC.exe
  Token: SeSystemEnvironmentPrivilege | 2468 | WMIC.exe
  Token: SeRemoteShutdownPrivilege | 2468 | WMIC.exe
  Token: SeUndockPrivilege | 2468 | WMIC.exe
  Token: SeManageVolumePrivilege | 2468 | WMIC.exe
  Token: 33 | 2468 | WMIC.exe
  Token: 34 | 2468 | WMIC.exe
  Token: 35 | 2468 | WMIC.exe
  Token: 36 | 2468 | WMIC.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target
  PID 4572 wrote to memory of 4740 | 4572 | tmp.exe | 77
  PID 4572 wrote to memory of 4740 | 4572 | tmp.exe | 77
  PID 4740 wrote to memory of 2468 | 4740 | cmd.exe | 79
  PID 4740 wrote to memory of 2468 | 4740 | cmd.exe | 79
Processes
- [depth 1] C:\Users\Admin\AppData\Local\Temp\tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
  Signatures: Suspicious use of WriteProcessMemory
  PID: 4572
  - [depth 2] C:\Windows\system32\cmd.exe
    Command line: "C:\Windows\Sysnative\cmd.exe" /c WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\AppData\Local\Temp\tmp.exe"
    Signatures: Suspicious use of WriteProcessMemory
    PID: 4740
    - [depth 3] C:\Windows\System32\Wbem\WMIC.exe
      Command line: WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\AppData\Local\Temp\tmp.exe"
      Signatures: Suspicious use of AdjustPrivilegeToken
      PID: 2468