Analysis
max time kernel: 118s
max time network: 150s
platform: windows7_x64
resource: win7-20230831-en
resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
submitted: 11/10/2023, 07:03
Static task
static1
Behavioral tasks (each sample in the BTSOU/ bundle was run once on each image)
behavioral1: BTSOU/BTSOU.exe on win7-20230831-en
behavioral2: BTSOU/BTSOU.exe on win10v2004-20230915-en
behavioral3: BTSOU/Interop.ThunderAgentLib.dll on win7-20230831-en
behavioral4: BTSOU/Interop.ThunderAgentLib.dll on win10v2004-20230915-en
behavioral5: BTSOU/MySql.Data.dll on win7-20230831-en
behavioral6: BTSOU/MySql.Data.dll on win10v2004-20230915-en
General
Target: BTSOU/BTSOU.exe
Size: 828KB
MD5: ca17d9e5739b1caccf35d4669837364a
SHA1: 77b77a3bea786df780fb4bca0217dc6004cc85e6
SHA256: fdae52dad1bf5af405db35d6b45411b6a70ff7e05f43df22f0d021edbafc8e5e
SHA512: 336d7aab6dc0e89e5b33f378a08c73ec3e0d309339a43ff5a826c5799686996b806b3ca6744282cd940fda79acbf5df204350411db2e6827a798704737728b45
SSDEEP: 12288:ZkQ9kWJRNmmquANVANgAy8R828R8SvH0:ZkMkEANVANL+D+L
Malware Config
No extracted configuration is listed for this sample.
Signatures
The signatures and process tree below are from the Windows 7 x64 run of BTSOU.exe (platform windows7_x64, resource win7-20230831-en).

Suspicious use of AdjustPrivilegeToken (64 IoCs)
Privileges enabled, grouped by process:
- BTSOU.exe (PID 812): SeDebugPrivilege
- WMIC.exe (PID 2752): the full WMIC set below, enabled twice in succession (40 entries)
- WMIC.exe (PID 2260): the same set enabled once (20 entries), then SeIncreaseQuotaPrivilege, SeSecurityPrivilege and SeTakeOwnershipPrivilege again, at which point the listing ends at 64 entries
The set each WMIC.exe instance enables, in order: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, and the privileges the report shows only by LUID: 33, 34, 35 (SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege and SeCreateSymbolicLinkPrivilege respectively).
Reading note: the WMIC.exe entries are identical across both instances and are WMIC's own token setup on start, not something the sample controls. The one entry attributable to the sample itself is BTSOU.exe (PID 812) enabling SeDebugPrivilege.

Suspicious use of SetWindowsHookEx (2 IoCs)
- BTSOU.exe (PID 812), twice

Suspicious use of WriteProcessMemory (16 IoCs)
Source PID / process -> target PID (procid_target), repeated four times each:
- 812 BTSOU.exe -> 2704 cmd.exe (28)
- 2704 cmd.exe -> 2752 WMIC.exe (30)
- 812 BTSOU.exe -> 2744 cmd.exe (32)
- 2744 cmd.exe -> 2260 WMIC.exe (34)
Reading note: every write pairs a parent with the child it has just spawned in the tree below; no write into a process outside this tree is recorded, so this signature here reflects process creation rather than injection into a foreign process.
Processes
1. C:\Users\Admin\AppData\Local\Temp\BTSOU\BTSOU.exe (PID 812)
   command line: "C:\Users\Admin\AppData\Local\Temp\BTSOU\BTSOU.exe"
   signatures: Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe (PID 2704)
      command line: "cmd.exe"
      signatures: Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\Wbem\WMIC.exe (PID 2752)
         command line: wmic diskdrive get SerialNumber
         signatures: Suspicious use of AdjustPrivilegeToken
   2. C:\Windows\SysWOW64\cmd.exe (PID 2744)
      command line: "cmd.exe"
      signatures: Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\Wbem\WMIC.exe (PID 2260)
         command line: wmic cpu get processorid
         signatures: Suspicious use of AdjustPrivilegeToken

Reading note: the child processes resolve to C:\Windows\SysWOW64, so BTSOU.exe is a 32-bit binary running under WOW64 on the x64 image (consistent with the arch:x86 tag). The only activity the report records beyond the sample's own SeDebugPrivilege and hook use is two cmd.exe-wrapped WMIC queries that read the disk serial number and the CPU ProcessorId, the two values most commonly combined into a hardware-bound machine identifier. Whether that identifier is used for licensing or for host tracking is not something this report shows; no network, file or persistence signatures are listed.
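The process tree above is a small but recognisable pattern: a binary staged in a user's Temp directory spawns cmd.exe, which spawns WMIC.exe to read hardware identifiers. The following is an added detection example written for this page, not Triage code and not part of the sample; it takes process-creation records (a sandbox process tree or Sysmon Event ID 1 fields), reconstructs each WMIC process's ancestry, and flags hardware-identifier queries whose ancestry includes an image under a user-writable directory. It generalises the two queries on the page to a wider set of WMI class/property pairs (HW_ID_QUERIES) and the user-writable directory list (USER_WRITABLE_RE) is an assumption; REPORT_TREE reproduces the page's PIDs, paths and command lines, while BENIGN_TREE is a constructed control case.

```python
"""Flag WMIC hardware-identifier queries that originate from a binary running in a
user-writable staging directory, given process-creation records (a sandbox
process tree or Sysmon Event ID 1). Added example for this report; it is not
Triage code. REPORT_TREE mirrors the page; BENIGN_TREE is constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class ProcEvent:
    pid: int
    ppid: Optional[int]   # None for a root of the recorded tree
    image: str            # full image path
    cmdline: str


# WMI class/property pairs routinely read to derive a machine ID. This
# generalises the two queries on the page (diskdrive.SerialNumber, cpu.ProcessorId).
HW_ID_QUERIES = {
    ("diskdrive", "serialnumber"),
    ("cpu", "processorid"),
    ("baseboard", "serialnumber"),
    ("bios", "serialnumber"),
    ("csproduct", "uuid"),
}

# "wmic <class> get <prop>[,<prop>...]" in any case, with or without ".exe".
WMIC_RE = re.compile(r"\bwmic(?:\.exe)?\s+(\w+)\s+get\s+([\w,\s]+)", re.IGNORECASE)

# Directories an unprivileged user can write to (assumed list; extend as needed).
USER_WRITABLE_RE = re.compile(
    r"\\Users\\[^\\]+\\AppData\\(?:Local\\Temp|Local|Roaming)\\"
    r"|\\ProgramData\\|\\Users\\Public\\",
    re.IGNORECASE,
)


def hw_query(cmdline: str) -> Optional[Tuple[str, str]]:
    """Return (class, property) if the command line reads a hardware identifier."""
    m = WMIC_RE.search(cmdline)
    if m is None:
        return None
    cls = m.group(1).lower()
    props = {p.strip().lower() for p in m.group(2).split(",")}
    hits = sorted(q for q in HW_ID_QUERIES if q[0] == cls and q[1] in props)
    return hits[0] if hits else None


def ancestry(by_pid: Dict[int, ProcEvent], pid: int) -> List[ProcEvent]:
    """Walk parent links from pid to the root; loop-safe if PIDs were recycled."""
    chain, seen = [], set()
    cur = by_pid.get(pid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(cur)
        cur = by_pid.get(cur.ppid) if cur.ppid is not None else None
    return chain


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def detect(records: List[ProcEvent]) -> List[dict]:
    """One finding per fingerprinting query whose ancestry includes a staged binary."""
    by_pid = {e.pid: e for e in records}
    findings = []
    for e in records:
        q = hw_query(e.cmdline)
        if q is None:
            continue
        chain = ancestry(by_pid, e.pid)          # child first, root last
        staged = [a for a in chain if USER_WRITABLE_RE.search(a.image)]
        if not staged:
            continue                              # e.g. an admin's inventory query
        findings.append({
            "pid": e.pid,
            "query": f"{q[0]}.{q[1]}",
            "origin": staged[-1].image,           # outermost staged ancestor
            "chain": " -> ".join(f"{basename(a.image)}({a.pid})" for a in reversed(chain)),
        })
    return findings


# Process tree as the report lists it (PIDs, paths and command lines from the page).
REPORT_TREE = [
    ProcEvent(812, None, r"C:\Users\Admin\AppData\Local\Temp\BTSOU\BTSOU.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\BTSOU\BTSOU.exe"'),
    ProcEvent(2704, 812, r"C:\Windows\SysWOW64\cmd.exe", '"cmd.exe"'),
    ProcEvent(2752, 2704, r"C:\Windows\SysWOW64\Wbem\WMIC.exe", "wmic diskdrive get SerialNumber"),
    ProcEvent(2744, 812, r"C:\Windows\SysWOW64\cmd.exe", '"cmd.exe"'),
    ProcEvent(2260, 2744, r"C:\Windows\SysWOW64\Wbem\WMIC.exe", "wmic cpu get processorid"),
]

# Constructed control case: the same class of query from an interactive admin shell.
BENIGN_TREE = [
    ProcEvent(4000, None, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(4100, 4000, r"C:\Windows\System32\cmd.exe", '"cmd.exe"'),
    ProcEvent(4200, 4100, r"C:\Windows\System32\Wbem\WMIC.exe", "wmic bios get serialnumber"),
]

if __name__ == "__main__":
    for f in detect(REPORT_TREE + BENIGN_TREE):
        print(f"{f['query']:<24} pid {f['pid']:<6} {f['chain']}")
```

Run against the page's tree the rule yields two findings (PIDs 2752 and 2260, both chained back to BTSOU.exe in Temp) and none for the control case, because the ancestry check, not the WMIC command alone, is what separates a staged binary fingerprinting the host from an administrator running the same query. In a real pipeline the parent link comes from Sysmon's ParentProcessId, and the loop guard in ancestry matters because PIDs are reused over a long log.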