Analysis
- max time kernel: 118s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20231020-en
- resource tags: arch:x64, arch:x86, image:win7-20231020-en, locale:en-us, os:windows7-x64, system
- submitted: 21/10/2023, 13:33
Static task: static1
Behavioral task: behavioral1
- Sample: 8b68c70276a7086829deee0f9b165b3b4a6d28c0a026153dfe70b812ce27ce6a.exe
- Resource: win7-20231020-en
Behavioral task: behavioral2
- Sample: 8b68c70276a7086829deee0f9b165b3b4a6d28c0a026153dfe70b812ce27ce6a.exe
- Resource: win10v2004-20231020-en
General
- Target: 8b68c70276a7086829deee0f9b165b3b4a6d28c0a026153dfe70b812ce27ce6a.exe
- Size: 3.0MB
- MD5: 5496ba70185c10bb395b791400c3c5ba
- SHA1: 5912d976cf18f19b88ae04b1d70c43aa4e281e85
- SHA256: 8b68c70276a7086829deee0f9b165b3b4a6d28c0a026153dfe70b812ce27ce6a
- SHA512: b23bff96efdd33e26049946539d385676f6b9e1530459333100b0c27a47c524ffdcf37b5b92f9a61356f1f9db6e8fc64fa7f6a6560da4e228325b9e4a945579e
- SSDEEP: 49152:EPnmeM9KCmRxAfovAF6RKcMQqx+29uWV9D489/y:Unm99KCm3AAvAF6RKSu91PM+/y
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid 2728, process NSUDOLC.exe
- Loads dropped DLL (1 IoC)
  pid 2288, process cmd.exe
- Enumerates connected drives (3 TTPs, 1 IoC)
  Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only): \??\F: by process 8b68c70276a7086829deee0f9b165b3b4a6d28c0a026153dfe70b812ce27ce6a.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Kills process with taskkill (1 IoC)
  pid 2816, process taskkill.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid 2728, process NSUDOLC.exe (2 events)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeDebugPrivilege, pid 1364, process 8b68c70276a7086829deee0f9b165b3b4a6d28c0a026153dfe70b812ce27ce6a.exe
  Token: SeDebugPrivilege, pid 2816, process taskkill.exe
  Token: SeDebugPrivilege, pid 2728, process NSUDOLC.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid 1364, process 8b68c70276a7086829deee0f9b165b3b4a6d28c0a026153dfe70b812ce27ce6a.exe (2 events)
- Suspicious use of WriteProcessMemory (12 IoCs)
  PID 1364 (8b68c70276a7086829deee0f9b165b3b4a6d28c0a026153dfe70b812ce27ce6a.exe) wrote to memory of 2288, procid_target 28 (4 events)
  PID 2288 (cmd.exe) wrote to memory of 2816, procid_target 30 (4 events)
  PID 2288 (cmd.exe) wrote to memory of 2728, procid_target 32 (4 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\8b68c70276a7086829deee0f9b165b3b4a6d28c0a026153dfe70b812ce27ce6a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8b68c70276a7086829deee0f9b165b3b4a6d28c0a026153dfe70b812ce27ce6a.exe"
  PID: 1364
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\temp.bat
    PID: 2288
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\taskkill.exe
      Command line: TASKKILL /F /PID 1364
      PID: 2816
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Local\Temp\NSUDOLC.exe
      Command line: NSUDOLC /U:S /P:E C:\Users\Admin\AppData\Local\Temp\8b68c70276a7086829deee0f9b165b3b4a6d28c0a026153dfe70b812ce27ce6a.exe
      PID: 2728
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 99KB
  MD5: 0ac3e9d59309f599403ac51615bfe41b
  SHA1: 9041c5562558cb58ac98bd18de3c0ce370a59e1f
  SHA256: 6d5e116c2af78b5585602d91bca3a436a0350630fc7c08412c0cafe55199547c
  SHA512: e5de92202f4d3ecaff8bd65c99cbbc98c2deaafafe1620be7169d0fed467bfa11ce727fa78f686166758ee3df0b040a2643dbd5a46ee74cc679e647ebdad6910
- Filesize: 145B
  MD5: 456fc376b3db3d0695119568a01c50c8
  SHA1: fbbefccc870cb0887ad36933a32ed0410d13ca9b
  SHA256: 912ecdee1a162ef8f81f9ea27ab55fbf2ae290940c5ecec8ac0fbdd9aa53a359
  SHA512: 582ecb4c8b916cc8b18ac5e791bc9a3df9332dab9973137f39932d5c73c072dd7e3504e44ca4a8cfdede6e2cf8ed8aa12352421d4ded3c455ba9357185283623