Analysis
max time kernel: 142s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20230915-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03/10/2023, 14:18
Behavioral task: behavioral1
Sample: 3cde62c0d1ef60c043ccf1fc3dba7a22_JC.exe
Resource: win7-20230831-en

Behavioral task: behavioral2
Sample: 3cde62c0d1ef60c043ccf1fc3dba7a22_JC.exe
Resource: win10v2004-20230915-en
General
Target: 3cde62c0d1ef60c043ccf1fc3dba7a22_JC.exe
Size: 356KB
MD5: 3cde62c0d1ef60c043ccf1fc3dba7a22
SHA1: c05cc6eca17c0dac2df50368b6e62f0fd3a80c8a
SHA256: 224acb5f139a1ebf8add7f965c96b47c82e26f10a556e45361d0bc71308417ed
SHA512: 61f5f55ebb671ea2e07158f516ced63c119008e52bf7498e6d0c132cfbca2f648220c4521d0fed0b422b75ef937aa9577bd4d5fa16b0eb79804d569ca2b82cd7
SSDEEP: 6144:VuIlWqB+ihabs7Ch9KwyF5LeLodp2D1Mmakda0qL0qEks3ih1XGWy:Y6Wq4aaE6KwyF5L0Y2D1PqL0qC3c2t
Malware Config
Signatures
Executes dropped EXE (2 IoCs)
pid   Process
2716  commander.exe
5004  commander.exe

YARA rule match: upx (2 IoCs)
resource                                                                    yara_rule
behavioral2/memory/3496-0-0x0000000000400000-0x00000000004BA000-memory.dmp  upx
behavioral2/memory/3496-8-0x0000000000400000-0x00000000004BA000-memory.dmp  upx

AutoIT Executable (1 IoC)
AutoIT scripts compiled to PE executables.
resource                                                                    yara_rule
behavioral2/memory/3496-8-0x0000000000400000-0x00000000004BA000-memory.dmp  autoit_exe

Drops file in System32 directory (1 IoC)
description   ioc                                Process
File created  C:\Windows\SysWOW64\commander.exe  3cde62c0d1ef60c043ccf1fc3dba7a22_JC.exe

Drops file in Windows directory (2 IoCs)
description                   ioc                    Process
File created                  C:\Windows\svhost.exe  3cde62c0d1ef60c043ccf1fc3dba7a22_JC.exe
File opened for modification  C:\Windows\svhost.exe  3cde62c0d1ef60c043ccf1fc3dba7a22_JC.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid   Process
3496  3cde62c0d1ef60c043ccf1fc3dba7a22_JC.exe
3496  3cde62c0d1ef60c043ccf1fc3dba7a22_JC.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
description                     pid   Process
Token: SeManageVolumePrivilege  4224  svchost.exe

Suspicious use of WriteProcessMemory (12 IoCs)
description                        pid   Process                                  procid_target
PID 3496 wrote to memory of 2716   3496  3cde62c0d1ef60c043ccf1fc3dba7a22_JC.exe  86
PID 3496 wrote to memory of 2716   3496  3cde62c0d1ef60c043ccf1fc3dba7a22_JC.exe  86
PID 3496 wrote to memory of 2716   3496  3cde62c0d1ef60c043ccf1fc3dba7a22_JC.exe  86
PID 2716 wrote to memory of 4948   2716  commander.exe                            88
PID 2716 wrote to memory of 4948   2716  commander.exe                            88
PID 2716 wrote to memory of 4948   2716  commander.exe                            88
PID 3496 wrote to memory of 5004   3496  3cde62c0d1ef60c043ccf1fc3dba7a22_JC.exe  89
PID 3496 wrote to memory of 5004   3496  3cde62c0d1ef60c043ccf1fc3dba7a22_JC.exe  89
PID 3496 wrote to memory of 5004   3496  3cde62c0d1ef60c043ccf1fc3dba7a22_JC.exe  89
PID 5004 wrote to memory of 4912   5004  commander.exe                            91
PID 5004 wrote to memory of 4912   5004  commander.exe                            91
PID 5004 wrote to memory of 4912   5004  commander.exe                            91
Processes

C:\Users\Admin\AppData\Local\Temp\3cde62c0d1ef60c043ccf1fc3dba7a22_JC.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3cde62c0d1ef60c043ccf1fc3dba7a22_JC.exe"
  PID: 3496
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\commander.exe
      Command line: commander.exe /C at 9:00 /interactive C:\Windows\svhost.exe
      PID: 2716
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\at.exe
          Command line: at 9:00 /interactive C:\Windows\svhost.exe
          PID: 4948

    C:\Windows\SysWOW64\commander.exe
      Command line: commander.exe /C schtasks /run /tn at1
      PID: 5004
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\schtasks.exe
          Command line: schtasks /run /tn at1
          PID: 4912

C:\Windows\system32\rundll32.exe
  Command line: "C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
  PID: 832

C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k UnistackSvcGroup
  PID: 4224
  - Suspicious use of AdjustPrivilegeToken
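The process tree above shows the sample drop commander.exe into SysWOW64 and svhost.exe into C:\Windows, then launch commander.exe /C twice: first to run at 9:00 /interactive C:\Windows\svhost.exe, which creates a scheduled job, and then schtasks /run /tn at1 to fire that job immediately (at.exe names the jobs it creates At1, At2, and so on). The Python below is an added example, not sandbox output or tria.ge code: it replays constructed process-creation records built from the PIDs, images and command lines in this tree (the parent PIDs of the two top-level processes are placeholders) through four detection rules. The rule names, the lookalike name list and the edit-distance threshold are this example's own choices.

```python
"""Detection rules for the at.exe / schtasks persistence chain seen in this report.

Added example, not part of the sandbox output or of tria.ge. The process
records below are constructed from the process tree above (PIDs, images and
command lines copied from the report; parent PIDs of the two top-level
processes are made up). Rule names and thresholds are this example's own.
"""
import re
from typing import Dict, List, Tuple

# (pid, ppid, image path, command line)
Event = Tuple[int, int, str, str]

# Constructed from the report's process tree; PPIDs 1000 and 800 are placeholders.
PROCESS_EVENTS: List[Event] = [
    (3496, 1000, r"C:\Users\Admin\AppData\Local\Temp\3cde62c0d1ef60c043ccf1fc3dba7a22_JC.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\3cde62c0d1ef60c043ccf1fc3dba7a22_JC.exe"'),
    (2716, 3496, r"C:\Windows\SysWOW64\commander.exe",
     r"commander.exe /C at 9:00 /interactive C:\Windows\svhost.exe"),
    (4948, 2716, r"C:\Windows\SysWOW64\at.exe",
     r"at 9:00 /interactive C:\Windows\svhost.exe"),
    (5004, 3496, r"C:\Windows\SysWOW64\commander.exe",
     r"commander.exe /C schtasks /run /tn at1"),
    (4912, 5004, r"C:\Windows\SysWOW64\schtasks.exe",
     r"schtasks /run /tn at1"),
    # Legitimate service host from the same report; must not be flagged.
    (4224, 800, r"C:\Windows\System32\svchost.exe",
     r"C:\Windows\System32\svchost.exe -k UnistackSvcGroup"),
]

# Names droppers commonly imitate; svhost.exe in this report is one edit from svchost.exe.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "services.exe", "explorer.exe"}
# Parents from which at.exe / schtasks.exe launches are expected.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "explorer.exe"}

EXE_PATH = re.compile(r'[A-Za-z]:\\[^\s"]+\.exe', re.IGNORECASE)
# schtasks /run /tn AtN: running a job that at.exe created (at.exe names them At1, At2, ...).
SCHTASKS_RUN_AT_JOB = re.compile(r"\bschtasks\b.*/run\b.*/tn\s+(at\d+)\b", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, surrounding quotes stripped."""
    return path.strip('"').rsplit("\\", 1)[-1].lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character lookalike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyze(events: List[Event]) -> List[Dict[str, object]]:
    """Run the four rules over process-creation records and return the findings."""
    by_pid = {pid: (ppid, image, cmd) for pid, ppid, image, cmd in events}
    findings: List[Dict[str, object]] = []
    for pid, ppid, image, cmd in events:
        name = basename(image)
        # Rule 1: at.exe scheduling a binary with /interactive.
        if name == "at.exe" and "/interactive" in cmd.lower():
            target = EXE_PATH.search(cmd)
            findings.append({"rule": "at_interactive", "pid": pid,
                             "detail": target.group(0) if target else cmd})
        # Rule 2: schtasks /run against an AT-created job, i.e. firing it immediately.
        m = SCHTASKS_RUN_AT_JOB.search(cmd)
        if name == "schtasks.exe" and m:
            findings.append({"rule": "schtasks_run_at_job", "pid": pid, "detail": m.group(1).lower()})
        # Rule 3: scheduler utilities spawned by something other than a known shell.
        if name in {"at.exe", "schtasks.exe"} and ppid in by_pid:
            parent = basename(by_pid[ppid][1])
            if parent not in SHELLS:
                findings.append({"rule": "scheduler_from_unusual_parent", "pid": pid, "detail": parent})
        # Rule 4: any referenced executable whose name is one edit away from a system binary.
        for path in EXE_PATH.findall(cmd):
            fname = basename(path)
            for known in SYSTEM_BINARIES:
                if fname != known and edit_distance(fname, known) == 1:
                    findings.append({"rule": "system_binary_lookalike", "pid": pid,
                                     "detail": f"{path} ~ {known}"})
    return findings


if __name__ == "__main__":
    for f in analyze(PROCESS_EVENTS):
        print(f"{f['rule']:32} pid={f['pid']:<5} {f['detail']}")
```

Run stand-alone, the script reports six findings on PIDs 2716, 4948 and 4912 and nothing on the legitimate svchost.exe (PID 4224). Rule 3 is the one that generalises best: the dropped commander.exe takes a /C argument and spawns at.exe and schtasks.exe exactly as cmd.exe would, so matching on the parent image rather than on the command text catches renamed or copied shells that a plain "cmd.exe /C" rule would miss.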
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 231KB
MD5: e6dabddee3cc5b3c84b2d60074f495fa
SHA1: 0b2fa798a50b9301dbd4061fd8384b3cfecf44cd
SHA256: 6c605598a0b4e6e885ef8649fc98ee7c22663010f5012e6c74394adf1408d5be
SHA512: 0fb8220edef2d391115eb4defe2e67241f8b4ce76ecc3d2b3307d2761f578d1ce7e979132080bd7d5f462262cf9c38fd08cbf9bf6b26ff3b31109a26b3c3ea2c