Analysis
- max time kernel: 141s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18/05/2023, 10:32
Behavioral tasks
- behavioral1: sample tmp.exe, resource win7-20230220-en
- behavioral2: sample tmp.exe, resource win10v2004-20230220-en
General
- Target: tmp.exe
- Size: 652KB
- MD5: 31549917cdc6e3f9d40a48ea5998493f
- SHA1: c0f7e826645b1ba2ba1fed866992beb9de7a31df
- SHA256: 73f03b369e9df60c2dc97baefcdc4ba920da3a2126c873a4654e1a83510d3b87
- SHA512: 709737c36ef4fe96e99dcac210854a760cbbcff7af428620a0a83f16a5db09af4dbe2b52ccd4cff08fe0d5d4e544ddd9474c7c45005938a32705960c3581dad1
- SSDEEP: 12288:pC6wyk1nvfBP0FQoOd/566f81qjbravk7o3xLWAB8TMfo+aqwFtaif8dHOqPNspj:pC6wp1vfhboOb66Uyavk8hdo+g8BOONu
Malware Config
Signatures
- YARA rule matches (behavioral2): rule "upx" matched three memory dumps of pid 4628, all covering the image region 0x0000000000400000-0x00000000005AC000:
  behavioral2/memory/4628-133-0x0000000000400000-0x00000000005AC000-memory.dmp (upx)
  behavioral2/memory/4628-136-0x0000000000400000-0x00000000005AC000-memory.dmp (upx)
  behavioral2/memory/4628-140-0x0000000000400000-0x00000000005AC000-memory.dmp (upx)
- Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
  Bootkits write to the MBR to gain persistence at a level below the operating system. The MBR is the first sector of the boot disk, so the trigger for this signature is raw write access to that device: opening \??\PhysicalDrive0 for modification is the prerequisite for overwriting it.
  description: File opened for modification; ioc: \??\PhysicalDrive0; process: tmp.exe
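To turn this signature into a host check, the following added example (not tria.ge code and not derived from tmp.exe) parses a 512-byte MBR, validates its 0x55AA boot signature and partition table, and compares the SHA-256 of the bootstrap code against a baseline taken from a known-good image. The MBR bytes, the disk signature and the "overwritten" variant are all constructed inline so the script runs offline; on a live Windows host the same 512 bytes would be read from \\.\PhysicalDrive0 with administrator rights.

```python
r"""Parse a 512-byte MBR and compare its bootstrap code against a baseline.

Added example for this report; not tria.ge code and not derived from tmp.exe.
The MBR below is constructed so the script runs offline. On a live Windows host
the same buffer would be read with administrator rights:
    with open(r"\\.\PhysicalDrive0", "rb") as f:
        mbr = f.read(512)
"""
import hashlib
import struct

SECTOR = 512
BOOT_SIGNATURE = b"\x55\xaa"
PARTITION_ENTRY = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr(filler: bytes = b"\x90") -> bytes:
    """Construct a synthetic MBR: 440 bytes of bootstrap code, disk signature,
    one active NTFS partition (type 0x07) starting at LBA 2048, boot signature."""
    bootstrap = (filler * SECTOR)[:440]
    disk_signature = b"\x11\x22\x33\x44"  # constructed value
    reserved = b"\x00\x00"
    ntfs = struct.pack(PARTITION_ENTRY, 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
    empty = b"\x00" * 16
    mbr = bootstrap + disk_signature + reserved + ntfs + empty * 3 + BOOT_SIGNATURE
    assert len(mbr) == SECTOR
    return mbr


def parse_mbr(mbr: bytes) -> dict:
    """Split an MBR into bootstrap hash, disk signature, partitions and signature check."""
    if len(mbr) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for index in range(4):
        offset = 446 + 16 * index
        status, _, ptype, _, lba, count = struct.unpack(PARTITION_ENTRY, mbr[offset:offset + 16])
        if ptype == 0:  # unused slot
            continue
        partitions.append({"index": index, "bootable": status == 0x80,
                           "type": ptype, "lba_start": lba, "sectors": count})
    return {
        "signature_ok": mbr[510:512] == BOOT_SIGNATURE,
        "bootstrap_sha256": hashlib.sha256(mbr[:440]).hexdigest(),
        "disk_signature": mbr[440:444].hex(),
        "partitions": partitions,
    }


def check_against_baseline(mbr: bytes, baseline_bootstrap_sha256: str) -> list:
    """Return responder-facing findings; an empty list means the MBR matches the baseline."""
    info = parse_mbr(mbr)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing: sector is corrupt or not an MBR")
    if info["bootstrap_sha256"] != baseline_bootstrap_sha256:
        findings.append("bootstrap code differs from baseline: treat as possible bootkit and restore the MBR")
    if not any(p["bootable"] for p in info["partitions"]):
        findings.append("no partition carries the active flag")
    return findings


def simulate_bootstrap_overwrite(mbr: bytes) -> bytes:
    """Return a copy whose first 16 bootstrap bytes are replaced. The patch bytes are a
    constructed stand-in for a write through PhysicalDrive0, not real bootkit code."""
    patch = b"\xeb\x58\x90" + b"\x90" * 13
    return patch + mbr[len(patch):]


if __name__ == "__main__":
    clean = build_sample_mbr()
    baseline = parse_mbr(clean)["bootstrap_sha256"]
    print("clean MBR:", check_against_baseline(clean, baseline) or "no findings")
    print("overwritten MBR:", check_against_baseline(simulate_bootstrap_overwrite(clean), baseline))
```

The baseline hash should come from a golden image or from the same host before the incident; comparing the whole sector instead of the bootstrap bytes would also flag legitimate partition-table edits, which is why the partition entries are parsed separately rather than hashed.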
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments: the vendor and product strings embedded in these device paths (here VEN_DADY with PROD_HARDDISK and PROD_DADY_DVD-ROM) and the FriendlyName value are the fields a sample typically compares against known hypervisor identifiers.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 (tmp.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 (tmp.exe)
  Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName (tmp.exe)
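The SCSI reads above are the raw material for a detection rule. The following added example (not tria.ge code) parses event lines in the format this report uses, extracts the device class, vendor and product from the Enum\SCSI path, and reports per process whether it read the FriendlyName value and whether any device it touched carries a hypervisor vendor string. The sample events are constructed: three are this report's IoCs, one is a hypothetical process other.exe reading a VBOX-labelled disk, and one is an unrelated registry read that must not match.

```python
r"""Classify SCSI device-enumeration registry reads from sandbox event lines.

Added example for this report; not tria.ge code. Input lines follow the
report's own "Key opened <path> <process>" / "Key value queried <path> <process>"
format. VM_MARKERS lists vendor/product substrings that hypervisors expose and
that samples commonly compare against; DADY is this sandbox's own label and is
deliberately not in the list.
"""
import re

EVENT_RE = re.compile(
    r"^(?P<op>Key opened|Key value queried)\s+(?P<path>\\REGISTRY\\\S+)\s+(?P<proc>\S+)$"
)
SCSI_RE = re.compile(
    r"\\Enum\\SCSI\\(?P<cls>[^&\\]+)&VEN_(?P<ven>[^&\\]+)&PROD_(?P<prod>[^\\]+)"
    r"\\(?P<inst>[^\\]+)(?:\\(?P<value>[^\\]+))?$",
    re.IGNORECASE,
)
VM_MARKERS = ("VBOX", "VMWARE", "QEMU", "VIRTUAL", "XEN")

SAMPLE_EVENTS = [  # constructed; the first three are this report's IoCs
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 tmp.exe",
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 tmp.exe",
    r"Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName tmp.exe",
    r"Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VBOX&Prod_HARDDISK\4&1a2b3c4d&0&000000\FriendlyName other.exe",
    r"Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run tmp.exe",
]


def parse_event(line: str):
    """Return op/path/proc plus the parsed SCSI fields (or None) for one event line."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    scsi = SCSI_RE.search(m["path"])
    return {"op": m["op"], "path": m["path"], "proc": m["proc"],
            "scsi": scsi.groupdict() if scsi else None}


def summarize(lines) -> dict:
    """Group SCSI enumeration reads per process and state what they look like."""
    per_proc = {}
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["scsi"] is None:
            continue  # not an event line, or not under Enum\SCSI
        s = ev["scsi"]
        rec = per_proc.setdefault(ev["proc"], {"devices": set(), "values": set(), "vm_marker": False})
        rec["devices"].add((s["cls"].upper(), s["ven"].upper(), s["prod"].upper()))
        if s["value"]:
            rec["values"].add(s["value"])
        if any(marker in s["ven"].upper() or marker in s["prod"].upper() for marker in VM_MARKERS):
            rec["vm_marker"] = True
    for rec in per_proc.values():
        if rec["vm_marker"]:
            rec["verdict"] = "read disk identity strings that expose a hypervisor vendor"
        elif "FriendlyName" in rec["values"]:
            rec["verdict"] = "read disk identity strings (consistent with a sandbox/VM check)"
        else:
            rec["verdict"] = "enumerated SCSI devices"
    return per_proc


if __name__ == "__main__":
    for proc, rec in summarize(SAMPLE_EVENTS).items():
        print(f"{proc}: {rec['verdict']}; devices={sorted(rec['devices'])}")
```

Reads of these keys are also made by legitimate installers and inventory tools, so a production rule would key on the combination (FriendlyName query plus other evasion checks, or a non-system process doing it shortly after start) rather than on the registry path alone.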
- Suspicious behavior: EnumeratesProcesses (48 IoCs)
  pid 4628, tmp.exe (48 occurrences)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: 33 (privilege value 33 is SeIncreaseWorkingSetPrivilege in winnt.h), pid 4628, tmp.exe
  Token: SeIncBasePriorityPrivilege, pid 4628, tmp.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid 4628, tmp.exe (2 occurrences)