Analysis
- max time kernel: 139s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 13/06/2023, 13:47
Behavioral task
behavioral1
- Sample: 02270099.exe
- Resource: win7-20230220-en
- 7 signatures
- 150 seconds
General
- Target: 02270099.exe
- Size: 65KB
- MD5: 176b6e4649ccebe0f73d40146d0b7fa1
- SHA1: 4941b675ed6aae118932f8ced2b1db3f52a6eab3
- SHA256: 47dba610a04ef1d7f18a795108cf9e62d2d6e9e22f0fba51143462f4d569a70d
- SHA512: ac1b8b695c9c0b3afebf4b7277b638b1317399c2dc910b2cd26ae9e548dc684974ede9f3e14268dfda3ce901ee23ac74663a06386e403a652cca070ed557f78a
- SSDEEP: 1536:1E1SjujsC8XANkPZgJkM8Ydwqo0fdWoz5I9lKcfc6hxRGS+w:mLjsXANkR/fkfdWolI9AiDZ
Malware Config
Signatures
- Drops file in System32 directory (4 IoCs)
  description | ioc | process
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | batteryasptlb.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | batteryasptlb.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | batteryasptlb.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | batteryasptlb.exe
  Note: all four paths sit under config\systemprofile, the user profile of the LocalSystem account, and are the directories WinINet creates when it is first initialised in that context. They show that batteryasptlb.exe runs as SYSTEM and loads WinINet; they are cache housekeeping, not a dropped payload. The batteryasptlb.exe binary that executes from C:\Windows\SysWOW64 (see Processes) does not appear in this table.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Modifies data under HKEY_USERS (3 IoCs)
  description | ioc | process
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | batteryasptlb.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | batteryasptlb.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | batteryasptlb.exe
  Note: HKEY_USERS\.DEFAULT is the hive loaded for the LocalSystem account; these CachePrefix values are written by the same WinINet cache initialisation as the file IoCs above.
- Suspicious behavior: EnumeratesProcesses (12 IoCs)
  pid | process
  5116 | batteryasptlb.exe (12 events)
- Suspicious behavior: RenamesItself (1 IoC)
  pid | process
  2296 | 02270099.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | process | procid_target
  PID 4084 wrote to memory of 2296 | 4084 | 02270099.exe | 84 (3 events)
  PID 856 wrote to memory of 5116 | 856 | batteryasptlb.exe | 86 (3 events)
  Note: in both cases the writer is the parent and the target is a freshly started copy of the same image (see Processes), i.e. the parent writes into its own child before that child does its work.
Processes
- C:\Users\Admin\AppData\Local\Temp\02270099.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\02270099.exe"
  PID: 4084
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\02270099.exe (child)
    Command line: C:\Users\Admin\AppData\Local\Temp\02270099.exe --7bdb350b
    PID: 2296
    - Suspicious behavior: RenamesItself
- C:\Windows\SysWOW64\batteryasptlb.exe
  Command line: "C:\Windows\SysWOW64\batteryasptlb.exe"
  PID: 856
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\batteryasptlb.exe (child)
    Command line: C:\Windows\SysWOW64\batteryasptlb.exe --2bc5662f
    PID: 5116
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
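The process tree and the WriteProcessMemory and file-modification tables above can be replayed as detection logic. The script below is an added example, not part of the tria.ge report or of the sample: its event records are hand-constructed from those tables, and the record layout (pid, ppid, image, cmdline) and the function names are assumptions, not a tria.ge export format. It flags the two self-relaunches with an eight-hex-digit "--" argument, the parent-to-child memory writes that accompany them, and the System32-directory modifications, marking those under config\systemprofile (the WinINet cache directories of the LocalSystem profile) separately from any other write into a system directory.

```python
"""Replay this report's process, memory-write and file events as detection
logic.  Added example, not part of the tria.ge report or of the sample.  The
records below are constructed by hand from the "Processes", "Suspicious use
of WriteProcessMemory" and "Drops file in System32 directory" tables; the
record layout (pid/ppid/image/cmdline) is an assumption, not a tria.ge
export format."""
import re
from collections import Counter

# Constructed from the process tree in the report (ppid None = no parent shown).
PROCESSES = [
    {"pid": 4084, "ppid": None,
     "image": r"C:\Users\Admin\AppData\Local\Temp\02270099.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\02270099.exe"'},
    {"pid": 2296, "ppid": 4084,
     "image": r"C:\Users\Admin\AppData\Local\Temp\02270099.exe",
     "cmdline": r"C:\Users\Admin\AppData\Local\Temp\02270099.exe --7bdb350b"},
    {"pid": 856, "ppid": None,
     "image": r"C:\Windows\SysWOW64\batteryasptlb.exe",
     "cmdline": r'"C:\Windows\SysWOW64\batteryasptlb.exe"'},
    {"pid": 5116, "ppid": 856,
     "image": r"C:\Windows\SysWOW64\batteryasptlb.exe",
     "cmdline": r"C:\Windows\SysWOW64\batteryasptlb.exe --2bc5662f"},
]

# Constructed from the WriteProcessMemory IoC rows: (source pid, target pid).
MEMORY_WRITES = [(4084, 2296)] * 3 + [(856, 5116)] * 3

# Constructed from the "Drops file in System32 directory" rows: (pid, path).
SYSPROFILE = r"C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows"
FILE_MODIFICATIONS = [
    (5116, SYSPROFILE + r"\INetCache\IE"),
    (5116, SYSPROFILE + r"\INetCookies"),
    (5116, SYSPROFILE + r"\History\History.IE5"),
    (5116, SYSPROFILE + r"\INetCache\Content.IE5"),
]

# Single "--" argument of eight lowercase hex digits, as seen on both children.
HEX_TAG = re.compile(r"^--[0-9a-f]{8}$")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
SYSTEM_PROFILE = "\\config\\systemprofile\\"   # LocalSystem's user profile


def self_relaunches(procs):
    """(parent pid, child pid, tag) for children whose image equals the
    parent's and whose only argument is a HEX_TAG.  Sample paths contain no
    spaces, so a plain split is enough here."""
    by_pid = {p["pid"]: p for p in procs}
    hits = []
    for p in procs:
        parent = by_pid.get(p["ppid"])
        if parent is None or parent["image"].lower() != p["image"].lower():
            continue
        args = p["cmdline"].split()[1:]
        if len(args) == 1 and HEX_TAG.match(args[0]):
            hits.append((parent["pid"], p["pid"], args[0]))
    return hits


def parent_writes_into_child(procs, writes):
    """(parent, child, count) for WriteProcessMemory calls from a parent into
    its own child.  Together with a self-relaunch this is a parent preparing
    a fresh copy of itself before that copy runs."""
    ppid = {p["pid"]: p["ppid"] for p in procs}
    counts = Counter(writes)
    return sorted((src, dst, n) for (src, dst), n in counts.items()
                  if ppid.get(dst) == src)


def system_dir_modifications(procs, mods):
    """Modifications under System32/SysWOW64.  Paths below config\\systemprofile
    are the LocalSystem profile, where WinINet creates INetCache, INetCookies
    and History on first use by a SYSTEM process; those are flagged with
    system_profile=True so they can be read as cache housekeeping rather than
    a dropped payload."""
    image = {p["pid"]: p["image"] for p in procs}
    out = []
    for pid, path in mods:
        low = path.lower()
        if not low.startswith(SYSTEM_DIRS):
            continue
        out.append({"pid": pid, "image": image.get(pid), "path": path,
                    "system_profile": SYSTEM_PROFILE in low})
    return out


def summarize(procs=PROCESSES, writes=MEMORY_WRITES, mods=FILE_MODIFICATIONS):
    """Counts in the same shape as the report's signature headings."""
    sysdir = system_dir_modifications(procs, mods)
    return {
        "self_relaunch": len(self_relaunches(procs)),
        "Suspicious use of WriteProcessMemory":
            sum(n for *_, n in parent_writes_into_child(procs, writes)),
        "Drops file in System32 directory": len(sysdir),
        "LocalSystem WinINet cache writes": sum(m["system_profile"] for m in sysdir),
    }


if __name__ == "__main__":
    for name, count in summarize().items():
        print(f"{name}: {count}")
```

Run as a script it prints the four counts. On host telemetry the same three functions apply once the records are mapped to these fields: Sysmon event ID 1 (process creation) supplies pid/ppid/image/cmdline, ID 11 (file creation) the file paths, and ID 10 (process access) is the nearest substitute for the sandbox's WriteProcessMemory hook, with PROCESS_VM_WRITE (0x0020) in GrantedAccess as the filter.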