Analysis
max time kernel: 142s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20230703-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29/08/2023, 19:48
Static task: static1
Behavioral task: behavioral1
  Sample: d8b48498a6bab4c9c59ee9f485669f82996ce1664c317fdb2d371cad9c26a9f5.exe
  Resource: win7-20230824-en
Behavioral task: behavioral2
  Sample: d8b48498a6bab4c9c59ee9f485669f82996ce1664c317fdb2d371cad9c26a9f5.exe
  Resource: win10v2004-20230703-en
General
Target: d8b48498a6bab4c9c59ee9f485669f82996ce1664c317fdb2d371cad9c26a9f5.exe
Size: 198KB
MD5: a08860306f327bb3bc7288ee5ab8db13
SHA1: 2dee4a68034743b94370a66af2bc8c67179582ad
SHA256: d8b48498a6bab4c9c59ee9f485669f82996ce1664c317fdb2d371cad9c26a9f5
SHA512: 4ea26012b30307763c68a44bbee94938bb73bf4844e92eceb00459fe1ca1b9ac21978caabcf9d195586fdc3136cfc84b6813e204afff552a44bb2ed5e0716c15
SSDEEP: 6144:rBs27MMLyX5HXXXDTXXXOGqIII+pXXX5AYjKXXXDoXXXG6XXXxXXXLIIIEAkOCO6:rK20HXXX/XXXFqIIIcXXX5j2XXXcXXXL
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  pid   Process
  1504  akmhost.exe

Drops file in Windows directory (2 IoCs)
  description                    ioc                           Process
  File opened for modification   C:\Windows\Debug\akmhost.exe  d8b48498a6bab4c9c59ee9f485669f82996ce1664c317fdb2d371cad9c26a9f5.exe
  File created                   C:\Windows\Debug\akmhost.exe  d8b48498a6bab4c9c59ee9f485669f82996ce1664c317fdb2d371cad9c26a9f5.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description                         pid   Process
  Token: SeIncBasePriorityPrivilege   1988  d8b48498a6bab4c9c59ee9f485669f82996ce1664c317fdb2d371cad9c26a9f5.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  description                     pid   Process                                                                  procid_target
  PID 1988 wrote to memory of 1592  1988  d8b48498a6bab4c9c59ee9f485669f82996ce1664c317fdb2d371cad9c26a9f5.exe  82
  PID 1988 wrote to memory of 1592  1988  d8b48498a6bab4c9c59ee9f485669f82996ce1664c317fdb2d371cad9c26a9f5.exe  82
  PID 1988 wrote to memory of 1592  1988  d8b48498a6bab4c9c59ee9f485669f82996ce1664c317fdb2d371cad9c26a9f5.exe  82
Processes
1. C:\Users\Admin\AppData\Local\Temp\d8b48498a6bab4c9c59ee9f485669f82996ce1664c317fdb2d371cad9c26a9f5.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\d8b48498a6bab4c9c59ee9f485669f82996ce1664c317fdb2d371cad9c26a9f5.exe"
   PID: 1988
   - Drops file in Windows directory
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\D8B484~1.EXE > nul
      PID: 1592
1. C:\Windows\Debug\akmhost.exe
   Command line: C:\Windows\Debug\akmhost.exe
   PID: 1504
   - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 198KB
MD5: 190b8f206c1c45c7b0088a05672c7b1f
SHA1: de05bcb733fa586e4873a2e139e56922946c4c4a
SHA256: e21ecf73252b043f46856327dfe199b80af99eab6fce3a2a6ea3b4cf486148ea
SHA512: 1abf84149bc6f7b810e9f898e6149603b6fd97333967932ff1e18f7f8a03605fefb24e80f686b0d61de2c102d784b5d2d3cef497fc9ed5f8e6a986b08e287a07