Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
151s -
max time network
128s -
platform
windows7_x64 -
resource
win7-20230831-en -
resource tags
arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system -
submitted
11/10/2023, 23:02
Behavioral task
behavioral1
Sample
82ab9d37986ad4b195bcd03eb2bd6e53b731dd65ac4a2a936f70e42db72a3e8b.exe
Resource
win7-20230831-en
Behavioral task
behavioral2
Sample
82ab9d37986ad4b195bcd03eb2bd6e53b731dd65ac4a2a936f70e42db72a3e8b.exe
Resource
win10v2004-20230915-en
General
-
Target
82ab9d37986ad4b195bcd03eb2bd6e53b731dd65ac4a2a936f70e42db72a3e8b.exe
-
Size
3.8MB
-
MD5
265f98db992f18287d3c497ee8e3c1fe
-
SHA1
df10dbf89e1deb45315c643f2ae055a2b90195a8
-
SHA256
82ab9d37986ad4b195bcd03eb2bd6e53b731dd65ac4a2a936f70e42db72a3e8b
-
SHA512
f359c8635c352666762103f816f1f1af022ac681687423eea33600bcffdf5d803418234a8ad2377b991f5a18457e3f99a3e50f1115eac0f5c301e0588dd433d1
-
SSDEEP
49152:kz+XPwh11sXIAyT9tN93qs5SkP2lS1mdM03aT1Po3Xa+kINX7:k2Ps1sByTJ5SQrWM03o12a+kINr
Malware Config
Signatures
-
Deletes itself 1 IoCs
pid Process 2520 cmd.exe -
Modifies file permissions 1 TTPs 1 IoCs
pid Process 2560 icacls.exe -
resource yara_rule behavioral1/memory/2892-0-0x0000000000D60000-0x0000000000DF7000-memory.dmp upx behavioral1/memory/2892-31-0x0000000000D60000-0x0000000000DF7000-memory.dmp upx behavioral1/memory/2892-34-0x0000000000D60000-0x0000000000DF7000-memory.dmp upx behavioral1/memory/2892-36-0x0000000000D60000-0x0000000000DF7000-memory.dmp upx -
Drops file in Windows directory 5 IoCs
description ioc Process File opened for modification C:\Windows\WindowsShell7264605.log 82ab9d37986ad4b195bcd03eb2bd6e53b731dd65ac4a2a936f70e42db72a3e8b.exe File opened for modification C:\Windows\WindowSystemNewUpdate448.log rasautou.exe File opened for modification C:\Windows\WindowsShell2226.log rasautou.exe File opened for modification C:\Windows\WindowTerminalVaild874.log rasautou.exe File opened for modification C:\Windows\WindowMicrosoftNET53.log rasautou.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid pid_target Process procid_target 2300 1320 WerFault.exe 36 -
Suspicious behavior: EnumeratesProcesses 48 IoCs
pid Process 2368 rasautou.exe 2368 rasautou.exe 2368 rasautou.exe 2368 rasautou.exe 2368 rasautou.exe 2368 rasautou.exe 2368 rasautou.exe 2368 rasautou.exe 2368 rasautou.exe 2368 rasautou.exe 2368 rasautou.exe 2368 rasautou.exe 2368 rasautou.exe 2368 rasautou.exe 2368 rasautou.exe 2368 rasautou.exe 2368 rasautou.exe 2368 rasautou.exe 2368 rasautou.exe 2368 rasautou.exe 2368 rasautou.exe 2368 rasautou.exe 2368 rasautou.exe 2368 rasautou.exe 2368 rasautou.exe 2368 rasautou.exe 2368 rasautou.exe 2368 rasautou.exe 2368 rasautou.exe 2368 rasautou.exe 2368 rasautou.exe 2368 rasautou.exe 2368 rasautou.exe 2368 rasautou.exe 2368 rasautou.exe 2368 rasautou.exe 2368 rasautou.exe 2368 rasautou.exe 2368 rasautou.exe 2368 rasautou.exe 2368 rasautou.exe 2368 rasautou.exe 2368 rasautou.exe 2368 rasautou.exe 2368 rasautou.exe 2368 rasautou.exe 2368 rasautou.exe 2368 rasautou.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
description pid Process Token: SeDebugPrivilege 2892 82ab9d37986ad4b195bcd03eb2bd6e53b731dd65ac4a2a936f70e42db72a3e8b.exe Token: SeDebugPrivilege 2368 rasautou.exe Token: SeIncBasePriorityPrivilege 2892 82ab9d37986ad4b195bcd03eb2bd6e53b731dd65ac4a2a936f70e42db72a3e8b.exe Token: SeDebugPrivilege 2368 rasautou.exe Token: SeDebugPrivilege 2368 rasautou.exe Token: SeDebugPrivilege 2368 rasautou.exe -
Suspicious use of WriteProcessMemory 29 IoCs
description pid Process procid_target PID 2892 wrote to memory of 2368 2892 82ab9d37986ad4b195bcd03eb2bd6e53b731dd65ac4a2a936f70e42db72a3e8b.exe 28 PID 2892 wrote to memory of 2368 2892 82ab9d37986ad4b195bcd03eb2bd6e53b731dd65ac4a2a936f70e42db72a3e8b.exe 28 PID 2892 wrote to memory of 2368 2892 82ab9d37986ad4b195bcd03eb2bd6e53b731dd65ac4a2a936f70e42db72a3e8b.exe 28 PID 2892 wrote to memory of 2368 2892 82ab9d37986ad4b195bcd03eb2bd6e53b731dd65ac4a2a936f70e42db72a3e8b.exe 28 PID 2892 wrote to memory of 2368 2892 82ab9d37986ad4b195bcd03eb2bd6e53b731dd65ac4a2a936f70e42db72a3e8b.exe 28 PID 2892 wrote to memory of 2368 2892 82ab9d37986ad4b195bcd03eb2bd6e53b731dd65ac4a2a936f70e42db72a3e8b.exe 28 PID 2892 wrote to memory of 2368 2892 82ab9d37986ad4b195bcd03eb2bd6e53b731dd65ac4a2a936f70e42db72a3e8b.exe 28 PID 2892 wrote to memory of 2520 2892 82ab9d37986ad4b195bcd03eb2bd6e53b731dd65ac4a2a936f70e42db72a3e8b.exe 30 PID 2892 wrote to memory of 2520 2892 82ab9d37986ad4b195bcd03eb2bd6e53b731dd65ac4a2a936f70e42db72a3e8b.exe 30 PID 2892 wrote to memory of 2520 2892 82ab9d37986ad4b195bcd03eb2bd6e53b731dd65ac4a2a936f70e42db72a3e8b.exe 30 PID 2892 wrote to memory of 2520 2892 82ab9d37986ad4b195bcd03eb2bd6e53b731dd65ac4a2a936f70e42db72a3e8b.exe 30 PID 2368 wrote to memory of 2560 2368 rasautou.exe 34 PID 2368 wrote to memory of 2560 2368 rasautou.exe 34 PID 2368 wrote to memory of 2560 2368 rasautou.exe 34 PID 2368 wrote to memory of 2560 2368 rasautou.exe 34 PID 2368 wrote to memory of 2560 2368 rasautou.exe 34 PID 2368 wrote to memory of 2560 2368 rasautou.exe 34 PID 2368 wrote to memory of 2560 2368 rasautou.exe 34 PID 2560 wrote to memory of 1320 2560 icacls.exe 36 PID 2560 wrote to memory of 1320 2560 icacls.exe 36 PID 2560 wrote to memory of 1320 2560 icacls.exe 36 PID 2560 wrote to memory of 1320 2560 icacls.exe 36 PID 2368 wrote to memory of 1320 2368 rasautou.exe 36 PID 2368 wrote to memory of 1320 2368 rasautou.exe 36 PID 2368 wrote to memory of 1320 2368 rasautou.exe 36 PID 1320 wrote to memory of 2300 1320 fontview.exe 37 PID 1320 wrote to memory of 2300 1320 fontview.exe 37 PID 1320 wrote to memory of 2300 1320 fontview.exe 37 PID 1320 wrote to memory of 2300 1320 fontview.exe 37
Processes
-
C:\Users\Admin\AppData\Local\Temp\82ab9d37986ad4b195bcd03eb2bd6e53b731dd65ac4a2a936f70e42db72a3e8b.exe"C:\Users\Admin\AppData\Local\Temp\82ab9d37986ad4b195bcd03eb2bd6e53b731dd65ac4a2a936f70e42db72a3e8b.exe"1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2892 -
C:\Windows\SysWOW64\rasautou.exe"C:\Windows\SysWOW64\rasautou.exe"2⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2368 -
C:\Windows\SysWOW64\icacls.exe"C:\Windows\SysWOW64\icacls.exe"3⤵
- Modifies file permissions
- Suspicious use of WriteProcessMemory
PID:2560 -
C:\Windows\SysWOW64\fontview.exe"C:\Windows\SysWOW64\fontview.exe"4⤵
- Suspicious use of WriteProcessMemory
PID:1320 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1320 -s 1845⤵
- Program crash
PID:2300
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\82AB9D~1.EXE > nul2⤵
- Deletes itself
PID:2520
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
5KB
MD57fa734057f8f282e608829de32be11fc
SHA1d557333840834f94ee2173c3244796cfe481c81b
SHA2562c02db87843789ddfcdca0f787ec178530b1ad0b098a342d946a3a6ef11da990
SHA5126d665c647f3bee6f5f130f1eebd4a6a9fe92befa7884d96855f7b2c25b3d2d0d2e67693af189b4da085317ae5d67c102aa5d99b6327c364dd394afeef7d0de41