Analysis
max time kernel: 127s
max time network: 131s
platform: windows10-1703_x64
resource: win10-20230915-en
resource tags: arch:x64, arch:x86, image:win10-20230915-en, locale:en-us, os:windows10-1703-x64, system
submitted: 01/10/2023, 08:31
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
adde0fe197cbcf5a861e20c85e38b825e769896a256a08995f79a1ed8e9f8341.exe
Resource
win10-20230915-en
4 signatures
150 seconds
General
Target: adde0fe197cbcf5a861e20c85e38b825e769896a256a08995f79a1ed8e9f8341.exe
Size: 255KB
MD5: 8dfade55087b4f6c8fe6d0f42d3877ba
SHA1: 207413c66136fb0c19bf6c4c66714e07627d9eb1
SHA256: adde0fe197cbcf5a861e20c85e38b825e769896a256a08995f79a1ed8e9f8341
SHA512: 5cc857a948a83397f13b8ef274420569fcdb5b1f92be08efa54a4a68220cd305896331da54c8fe2bbc7d808950b5d523be4749bc9fa35db095feeb5c9a7fdf94
SSDEEP: 3072:tNu8Yv1D41ClAAaQ4reOVoPugLrkvjtGQyXg/2hWscLp0rBEd6l5/pwMUn3Y:TMoCJ4Do6jwYsQpmBRuM
Score: 3/10
Malware Config
Signatures

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Kills process with taskkill (1 IoCs)
  pid   Process
  4664  taskkill.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  4664  taskkill.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  description                       pid   Process                                                                   procid_target
  PID 5080 wrote to memory of 2520  5080  adde0fe197cbcf5a861e20c85e38b825e769896a256a08995f79a1ed8e9f8341.exe  70
  PID 5080 wrote to memory of 2520  5080  adde0fe197cbcf5a861e20c85e38b825e769896a256a08995f79a1ed8e9f8341.exe  70
  PID 5080 wrote to memory of 2520  5080  adde0fe197cbcf5a861e20c85e38b825e769896a256a08995f79a1ed8e9f8341.exe  70
  PID 2520 wrote to memory of 4664  2520  cmd.exe                                                                   72
  PID 2520 wrote to memory of 4664  2520  cmd.exe                                                                   72
  PID 2520 wrote to memory of 4664  2520  cmd.exe                                                                   72
Processes

1. C:\Users\Admin\AppData\Local\Temp\adde0fe197cbcf5a861e20c85e38b825e769896a256a08995f79a1ed8e9f8341.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\adde0fe197cbcf5a861e20c85e38b825e769896a256a08995f79a1ed8e9f8341.exe"
   PID: 5080
   Signatures: Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c taskkill /im "adde0fe197cbcf5a861e20c85e38b825e769896a256a08995f79a1ed8e9f8341.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\adde0fe197cbcf5a861e20c85e38b825e769896a256a08995f79a1ed8e9f8341.exe" & exit
      PID: 2520
      Signatures: Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\taskkill.exe
         Command line: taskkill /im "adde0fe197cbcf5a861e20c85e38b825e769896a256a08995f79a1ed8e9f8341.exe" /f
         PID: 4664
         Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken