Analysis
- max time kernel: 222s
- max time network: 225s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 14/03/2023, 05:39
Static task: static1

Behavioral task: behavioral1
- Sample: wsus.exe
- Resource: win7-20230220-en
- 1 signature
- 300 seconds

Behavioral task: behavioral2
- Sample: wsus.exe
- Resource: win10v2004-20230220-en
- 6 signatures
- 300 seconds
General
- Target: wsus.exe
- Size: 13KB
- MD5: cab5fc7334d83e72802bfb4150b77190
- SHA1: cad8ec659310a3284e5875ff58f1a33ce9755a0e
- SHA256: c2a9988fce8ebc0fddb0335df67f16dce0ed7b0cdfb9219ba7a0eb982beb06ed
- SHA512: 0ba71d8664443eb306951c69c532e49cae512426e75a320c0954ea328ac01955ddf852abd69fa60c8cbddba3c9eb1d209cca0206d2a5bbbc22f011e564d908f6
- SSDEEP: 192:kui32jEkL5QgZHwl8j7Mlmiocon/DjO7Rsqeirv0l4ydSaJ0vbE5pz68JoZZLW3H:TE+5VHwa7CFocs/DjZqPcNSaJ0vbrT
- Score: 1/10
Malware Config
Signatures
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 (taskmgr.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A (taskmgr.exe)
  - Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName (taskmgr.exe)
- Suspicious behavior: EnumeratesProcesses (26 IoCs)
  - pid 2172, taskmgr.exe (26 identical entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  - pid 2172, taskmgr.exe
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  - Token: SeDebugPrivilege, pid 2172, taskmgr.exe
  - Token: SeSystemProfilePrivilege, pid 2172, taskmgr.exe
  - Token: SeCreateGlobalPrivilege, pid 2172, taskmgr.exe
  - Token: 33, pid 2172, taskmgr.exe
  - Token: SeIncBasePriorityPrivilege, pid 2172, taskmgr.exe
- Suspicious use of FindShellTrayWindow (51 IoCs)
  - pid 2172, taskmgr.exe (51 identical entries)
- Suspicious use of SendNotifyMessage (51 IoCs)
  - pid 2172, taskmgr.exe (51 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\wsus.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\wsus.exe"
  PID: 4676
- C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 3092
- C:\Users\Admin\AppData\Local\Temp\wsus.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\wsus.exe"
  PID: 1692
- C:\Users\Admin\AppData\Local\Temp\wsus.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\wsus.exe"
  PID: 1296
- C:\Users\Admin\AppData\Local\Temp\wsus.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\wsus.exe"
  PID: 4500
- C:\Users\Admin\AppData\Local\Temp\wsus.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\wsus.exe"
  PID: 5032
- C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  Signatures: Checks SCSI registry key(s); Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
  PID: 2172
- C:\Users\Admin\AppData\Local\Temp\wsus.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\wsus.exe"
  PID: 1380
- C:\Users\Admin\AppData\Local\Temp\wsus.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\wsus.exe"
  PID: 2500