Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
144s -
platform
windows10-2004_x64 -
resource
win10v2004-20230703-en -
resource tags
arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system -
submitted
10/07/2023, 16:52
Static task
static1
Behavioral task
behavioral1
Sample
b3d19d65687560f5c206d0338b7d6601.exe
Resource
win7-20230703-en
Behavioral task
behavioral2
Sample
b3d19d65687560f5c206d0338b7d6601.exe
Resource
win10v2004-20230703-en
General
-
Target
b3d19d65687560f5c206d0338b7d6601.exe
-
Size
1.8MB
-
MD5
b3d19d65687560f5c206d0338b7d6601
-
SHA1
7dc6e5681c33800c6543ecb148d4718e33138ee9
-
SHA256
05c4f71a5caa0ed6809fdfa57b44836f5ee6408d73f6b97cd9a751b696091101
-
SHA512
a08abdf2d73de01eabb72d9af096c3f6159861d376f4790837fb6e95ef50d81455279ce4e04cc39ff6d75a20d769c12123f958971e492fb3197d85120b36e6ee
-
SSDEEP
24576:osFKs/vvt1MSC/GoWvyMcUH81mVjIZ/WimspSM8rta7yLp08TM8nch2Cy7v4P+7M:osFKGbNoy9x0VpFm1ZE7yFsC9CiFb6h
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 5076 InnerException.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 4328 powershell.exe 4328 powershell.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeDebugPrivilege 2904 b3d19d65687560f5c206d0338b7d6601.exe Token: SeDebugPrivilege 2904 b3d19d65687560f5c206d0338b7d6601.exe Token: SeDebugPrivilege 4328 powershell.exe Token: SeDebugPrivilege 5076 InnerException.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\b3d19d65687560f5c206d0338b7d6601.exe"C:\Users\Admin\AppData\Local\Temp\b3d19d65687560f5c206d0338b7d6601.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2904
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc UwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAA==1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4328
-
C:\Users\Admin\AppData\Roaming\Item1\InnerException.exeC:\Users\Admin\AppData\Roaming\Item1\InnerException.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5076
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
1.8MB
MD5b3d19d65687560f5c206d0338b7d6601
SHA17dc6e5681c33800c6543ecb148d4718e33138ee9
SHA25605c4f71a5caa0ed6809fdfa57b44836f5ee6408d73f6b97cd9a751b696091101
SHA512a08abdf2d73de01eabb72d9af096c3f6159861d376f4790837fb6e95ef50d81455279ce4e04cc39ff6d75a20d769c12123f958971e492fb3197d85120b36e6ee
-
Filesize
1.8MB
MD5b3d19d65687560f5c206d0338b7d6601
SHA17dc6e5681c33800c6543ecb148d4718e33138ee9
SHA25605c4f71a5caa0ed6809fdfa57b44836f5ee6408d73f6b97cd9a751b696091101
SHA512a08abdf2d73de01eabb72d9af096c3f6159861d376f4790837fb6e95ef50d81455279ce4e04cc39ff6d75a20d769c12123f958971e492fb3197d85120b36e6ee