Resubmissions
17/07/2023, 16:41  230717-t7cw8aec3x  7
13/07/2023, 10:00  230713-l1nq5shb4s  7
12/07/2023, 15:27  230712-svrzyaeg9s  7

Analysis
max time kernel: 1800s
max time network: 1612s
platform: windows10-1703_x64
resource: win10-20230703-en
resource tags: arch:x64 arch:x86 image:win10-20230703-en locale:en-us os:windows10-1703-x64 system
submitted: 17/07/2023, 16:41
Static task: static1

Behavioral task: behavioral1
Sample: e2458363b08a92790b60e377548744390f48b3cc8b8f782187a3c7a831af207a.bin.exe
Resource: win7-20230712-en

Behavioral task: behavioral2
Sample: e2458363b08a92790b60e377548744390f48b3cc8b8f782187a3c7a831af207a.bin.exe
Resource: win10-20230703-en
General
Target: e2458363b08a92790b60e377548744390f48b3cc8b8f782187a3c7a831af207a.bin.exe
Size: 22KB
MD5: d31a84e598ec295a556dcfc5d5275816
SHA1: 0c8b18547df5dea26284621c332c1a6c79a7fa5d
SHA256: e2458363b08a92790b60e377548744390f48b3cc8b8f782187a3c7a831af207a
SHA512: 4b782f6d5a15f5bc2e0445009778317352d0c1df1c90fa243b580559d4ad1330c0baf5c4ec51d63b22af2fe59c5b1136293d8f6bdebdd67830f8a0f10a76d0b0
SSDEEP: 384:3pDiz0KwG26bMJhCFP/jYjaWU4MakAUHJTKGOo2x+PgwgB0VDGXnxPveC5jx2qZ2:3Jv2lY+WyDAUHFyjxOglQcxP842r
Signatures

Deletes itself (1 IoC)
  pid 2956  csrss.exe

Executes dropped EXE (1 IoC)
  pid 2956  csrss.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
    Process: e2458363b08a92790b60e377548744390f48b3cc8b8f782187a3c7a831af207a.bin.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\csrss = "C:\\Windows\\csrss.exe"
    Process: e2458363b08a92790b60e377548744390f48b3cc8b8f782187a3c7a831af207a.bin.exe

Drops file in Windows directory (2 IoCs)
  File created: C:\Windows\csrss.exe
    Process: e2458363b08a92790b60e377548744390f48b3cc8b8f782187a3c7a831af207a.bin.exe
  File opened for modification: C:\Windows\csrss.exe
    Process: e2458363b08a92790b60e377548744390f48b3cc8b8f782187a3c7a831af207a.bin.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs, repeated entries for two processes)
  pid 192   e2458363b08a92790b60e377548744390f48b3cc8b8f782187a3c7a831af207a.bin.exe
  pid 2956  csrss.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege  pid 192   e2458363b08a92790b60e377548744390f48b3cc8b8f782187a3c7a831af207a.bin.exe
  Token: SeDebugPrivilege  pid 2956  csrss.exe

Suspicious use of WriteProcessMemory (3 IoCs, identical entries)
  PID 192 wrote to memory of 2956
    Process: 192 e2458363b08a92790b60e377548744390f48b3cc8b8f782187a3c7a831af207a.bin.exe
    procid_target: 72
Processes

1. C:\Users\Admin\AppData\Local\Temp\e2458363b08a92790b60e377548744390f48b3cc8b8f782187a3c7a831af207a.bin.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\e2458363b08a92790b60e377548744390f48b3cc8b8f782187a3c7a831af207a.bin.exe"
   PID: 192
   - Adds Run key to start application
   - Drops file in Windows directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\csrss.exe (child of process 1)
      Command line: C:\Windows\csrss.exe C:\Users\Admin\AppData\Local\Temp\e2458363b08a92790b60e377548744390f48b3cc8b8f782187a3c7a831af207a.bin.exe
      PID: 2956
      - Deletes itself
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 22KB
MD5: d31a84e598ec295a556dcfc5d5275816
SHA1: 0c8b18547df5dea26284621c332c1a6c79a7fa5d
SHA256: e2458363b08a92790b60e377548744390f48b3cc8b8f782187a3c7a831af207a
SHA512: 4b782f6d5a15f5bc2e0445009778317352d0c1df1c90fa243b580559d4ad1330c0baf5c4ec51d63b22af2fe59c5b1136293d8f6bdebdd67830f8a0f10a76d0b0