Analysis

max time kernel: 7s
max time network: 8s
platform: windows10-2004_x64
resource: win10v2004-20230703-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01/08/2023, 23:25
Static task: static1
Behavioral task: behavioral1
Sample: 37ccff7149eff8c0241ba7c76202f48745f64df0f56f3aa5610e92735a14e271.exe
Resource: win10v2004-20230703-en
General

Target: 37ccff7149eff8c0241ba7c76202f48745f64df0f56f3aa5610e92735a14e271.exe
Size: 1.4MB
MD5: 9c966cde636c37444467a2e5f11d651d
SHA1: 2cb508dc8ac3333803cd4a0c7617a92cf5f89ae1
SHA256: 37ccff7149eff8c0241ba7c76202f48745f64df0f56f3aa5610e92735a14e271
SHA512: 80b76e7603bb95795065f83ae02f30ea70f8cce31c97758d85871f24a3d32f0f88dc4ced51f1ffff02beefc42e23b155656439c020f559e311b31b0648b44097
SSDEEP: 24576:U2G/nvxW3Ww0tRp8GiXTBhq7yRDvHcUcjUvy0lr3Tl6icOB/UWoT:UbA30H4zF0UMSAicOB/UWk
Malware Config
Signatures
Unexpected DNS network traffic destination (3 IoCs)
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
  Destination IP 208.67.222.222 (recorded 3 times)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (3 IoCs)
  PID 4948 powershell.exe (recorded 2 times)
  PID 1328 powershell.exe

Suspicious use of AdjustPrivilegeToken (44 IoCs)
  PID 900 WMIC.exe, each of the following 21 tokens recorded twice (42 IoCs):
    SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege,
    SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege,
    SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege,
    SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege,
    33, 34, 35, 36
  PID 4948 powershell.exe: SeDebugPrivilege
  PID 1328 powershell.exe: SeDebugPrivilege

Suspicious use of WriteProcessMemory (21 IoCs; each write below was recorded 3 times)
  PID 1136 (37ccff7149eff8c0241ba7c76202f48745f64df0f56f3aa5610e92735a14e271.exe) wrote to memory of PID 808 (procid_target 86)
  PID 808 (cmd.exe) wrote to memory of PID 5044 (procid_target 89)
  PID 5044 (cmd.exe) wrote to memory of PID 2076 (procid_target 90)
  PID 808 (cmd.exe) wrote to memory of PID 4576 (procid_target 91)
  PID 4576 (cmd.exe) wrote to memory of PID 900 (procid_target 92)
  PID 808 (cmd.exe) wrote to memory of PID 4948 (procid_target 94)
  PID 808 (cmd.exe) wrote to memory of PID 1328 (procid_target 98)
Processes

Tree depth is given in brackets; each entry lists the image path, the recorded command line and the signatures that fired on that process.

[1] C:\Users\Admin\AppData\Local\Temp\37ccff7149eff8c0241ba7c76202f48745f64df0f56f3aa5610e92735a14e271.exe (PID 1136)
    Command line: "C:\Users\Admin\AppData\Local\Temp\37ccff7149eff8c0241ba7c76202f48745f64df0f56f3aa5610e92735a14e271.exe"
    Signatures: Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\cmd.exe (PID 808)
        Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ratt.bat" "
        Signatures: Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\cmd.exe (PID 5044)
            Command line: C:\Windows\system32\cmd.exe /c nslookup myip.opendns.com. resolver1.opendns.com
            Signatures: Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\nslookup.exe (PID 2076)
                Command line: nslookup myip.opendns.com. resolver1.opendns.com

        [3] C:\Windows\SysWOW64\cmd.exe (PID 4576)
            Command line: C:\Windows\system32\cmd.exe /c wmic ComputerSystem get Domain
            Signatures: Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\Wbem\WMIC.exe (PID 900)
                Command line: wmic ComputerSystem get Domain
                Signatures: Suspicious use of AdjustPrivilegeToken

        [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 4948)
            Command line: Powershell -Command 'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ratt.exe"'
            Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

        [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1328)
            Command line: Powershell -Command 'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\"'
            Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

        [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 880)
            Command line: Powershell -Command 'Add-MpPreference -ExclusionPath "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ratt.exe"'

        [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 3844)
            Command line: Powershell -Command 'Add-MpPreference -ExclusionPath "$Env:SystemDrive\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"'

        [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1240)
            Command line: Powershell -Command 'Add-MpPreference -ExclusionProcess "C:\Users\Admin\AppData\Local\Temp\ratt.exe"'
MITRE ATT&CK Enterprise v15
Downloads

Download 1
  Filesize: 1KB
  MD5: 33b19d75aa77114216dbc23f43b195e3
  SHA1: 36a6c3975e619e0c5232aa4f5b7dc1fec9525535
  SHA256: b23ced31b855e5a39c94afa1f9d55b023b8c40d4dc62143e0539c6916c12c9d2
  SHA512: 676fa2fd34878b75e5899197fe6826bb5604541aa468804bc9835bd3acabed2e6759878a8f1358955413818a51456816e90f149133828575a416c2a74fc7d821

Download 2
  Filesize: 11KB
  MD5: 14e7e00dc2f0c42d2d79431c8e6c8fe5
  SHA1: 2530b8585b26ec8fd0c868da198d43c642cadbde
  SHA256: 672716a315c183a6a847c65bfc2bb8f6dd650216081d811107c03c3380cb7162
  SHA512: 0b52c985744c28f205954ec11a6353b2c0e6df877a2bbbad205110bfefc6877b4c3296660d7d0c44475233f8d1c5febf8c08d8d11d0c0041c126022a083813ce

Download 3
  Filesize: 11KB
  MD5: 93d4d79ae669c36589721171ae4bb535
  SHA1: 002aa120be3baf2e8312eccd7ad48680bed2be96
  SHA256: 4bb3374302148eccf1b4a20dd862a71aea23d8ff8fc283269420d6a6a5ddc2e5
  SHA512: dea241521f09f302de82bb046a14b8e24a207fc01f22592d5d0b29b331537dd535cf97e02b7cca992f0cdd66e560ccedcbf7a75bdc5a0ec992d9bc8963dd8879

Download 4
  Filesize: 11KB
  MD5: f66c19d2dbc4ef9fbb0f371b9cfccf95
  SHA1: 348a8ace65c2a896d665ef28d96f442a041aacc4
  SHA256: 3f0cd8e4a0536391b84f28a8f758cedf1df7c58f1a9a0e4fb228fdfcb905bc19
  SHA512: a1422693247ffe9ae2b6e51f9d45bb05e6f8970636cf0ebb755829650152c3a08c5c8ad8ba199e1d2b10c09c1409b7175716d2514c1f333d69444ed44c31947c

Download 5
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download 6
  Filesize: 1KB
  MD5: 7ea1fec84d76294d9256ae3dca7676b2
  SHA1: 1e335451d1cbb6951bc77bf75430f4d983491342
  SHA256: 9a419095c0bafc6b550f3f760c7b4f91ef3a956cfa6403d3750164ecdbe35940
  SHA512: ab712c45081b3d1c7edd03e67a8db1518a546f3fbf00e99838dfe03a689c4867a6953e6603dcd2be458b2441f4a2b70286fd7d096549cfcf032dd2cd54d68317