Analysis

max time kernel: 142s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20231020-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231020-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21/10/2023, 13:33
Static task: static1

Behavioral task: behavioral1
  Sample: 8b68c70276a7086829deee0f9b165b3b4a6d28c0a026153dfe70b812ce27ce6a.exe
  Resource: win7-20231020-en

Behavioral task: behavioral2
  Sample: 8b68c70276a7086829deee0f9b165b3b4a6d28c0a026153dfe70b812ce27ce6a.exe
  Resource: win10v2004-20231020-en
General

Target: 8b68c70276a7086829deee0f9b165b3b4a6d28c0a026153dfe70b812ce27ce6a.exe
Size: 3.0MB
MD5: 5496ba70185c10bb395b791400c3c5ba
SHA1: 5912d976cf18f19b88ae04b1d70c43aa4e281e85
SHA256: 8b68c70276a7086829deee0f9b165b3b4a6d28c0a026153dfe70b812ce27ce6a
SHA512: b23bff96efdd33e26049946539d385676f6b9e1530459333100b0c27a47c524ffdcf37b5b92f9a61356f1f9db6e8fc64fa7f6a6560da4e228325b9e4a945579e
SSDEEP: 49152:EPnmeM9KCmRxAfovAF6RKcMQqx+29uWV9D489/y:Unm99KCm3AAvAF6RKSu91PM+/y
Malware Config
Signatures

Executes dropped EXE (1 IoC)
  pid   Process
  4092  NSUDOLC.exe

Enumerates connected drives (3 TTPs, 1 IoC)
  Attempts to read the root path of hard drives other than the default C: drive.
  description              ioc      Process
  File opened (read-only)  \??\F:   8b68c70276a7086829deee0f9b165b3b4a6d28c0a026153dfe70b812ce27ce6a.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Kills process with taskkill (1 IoC)
  pid   Process
  2564  taskkill.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  4092  NSUDOLC.exe
  4092  NSUDOLC.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description               pid   Process
  Token: SeDebugPrivilege   4412  8b68c70276a7086829deee0f9b165b3b4a6d28c0a026153dfe70b812ce27ce6a.exe
  Token: SeDebugPrivilege   2564  taskkill.exe
  Token: SeDebugPrivilege   4092  NSUDOLC.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
  pid   Process
  4412  8b68c70276a7086829deee0f9b165b3b4a6d28c0a026153dfe70b812ce27ce6a.exe
  4412  8b68c70276a7086829deee0f9b165b3b4a6d28c0a026153dfe70b812ce27ce6a.exe

Suspicious use of WriteProcessMemory (8 IoCs)
  description                       pid   Process                                                                   procid_target
  PID 4412 wrote to memory of 3476  4412  8b68c70276a7086829deee0f9b165b3b4a6d28c0a026153dfe70b812ce27ce6a.exe  86
  PID 4412 wrote to memory of 3476  4412  8b68c70276a7086829deee0f9b165b3b4a6d28c0a026153dfe70b812ce27ce6a.exe  86
  PID 4412 wrote to memory of 3476  4412  8b68c70276a7086829deee0f9b165b3b4a6d28c0a026153dfe70b812ce27ce6a.exe  86
  PID 3476 wrote to memory of 2564  3476  cmd.exe                                                                   89
  PID 3476 wrote to memory of 2564  3476  cmd.exe                                                                   89
  PID 3476 wrote to memory of 2564  3476  cmd.exe                                                                   89
  PID 3476 wrote to memory of 4092  3476  cmd.exe                                                                   93
  PID 3476 wrote to memory of 4092  3476  cmd.exe                                                                   93
Processes

1. C:\Users\Admin\AppData\Local\Temp\8b68c70276a7086829deee0f9b165b3b4a6d28c0a026153dfe70b812ce27ce6a.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\8b68c70276a7086829deee0f9b165b3b4a6d28c0a026153dfe70b812ce27ce6a.exe"
   PID: 4412
   - Enumerates connected drives
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\temp.bat
      PID: 3476
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\taskkill.exe
         Command line: TASKKILL /F /PID 4412
         PID: 2564
         - Kills process with taskkill
         - Suspicious use of AdjustPrivilegeToken

      3. C:\Users\Admin\AppData\Local\Temp\NSUDOLC.exe
         Command line: NSUDOLC /U:S /P:E C:\Users\Admin\AppData\Local\Temp\8b68c70276a7086829deee0f9b165b3b4a6d28c0a026153dfe70b812ce27ce6a.exe
         PID: 4092
         - Executes dropped EXE
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 99KB
MD5: 0ac3e9d59309f599403ac51615bfe41b
SHA1: 9041c5562558cb58ac98bd18de3c0ce370a59e1f
SHA256: 6d5e116c2af78b5585602d91bca3a436a0350630fc7c08412c0cafe55199547c
SHA512: e5de92202f4d3ecaff8bd65c99cbbc98c2deaafafe1620be7169d0fed467bfa11ce727fa78f686166758ee3df0b040a2643dbd5a46ee74cc679e647ebdad6910

Filesize: 145B
MD5: 747232dbd6cc8d17a6300e7f3f57e9d2
SHA1: 93e33e22496af593d4b3622c6d363c9a830d18bf
SHA256: 0a8b6af2f64876c51b5e47f11a7524d3ca535060e3e4330c536d6a7912135457
SHA512: d3c7a65377354471944e6346de483a69a1b35fbcb10ece5f2a209626b6b3e0ed5b518a770e9f8b13ba67c8e1a539fcac13ec85ea8e21f76c5122344501e3376e