Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    142s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231020-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21/10/2023, 13:33

General

  • Target

    8b68c70276a7086829deee0f9b165b3b4a6d28c0a026153dfe70b812ce27ce6a.exe

  • Size

    3.0MB

  • MD5

    5496ba70185c10bb395b791400c3c5ba

  • SHA1

    5912d976cf18f19b88ae04b1d70c43aa4e281e85

  • SHA256

    8b68c70276a7086829deee0f9b165b3b4a6d28c0a026153dfe70b812ce27ce6a

  • SHA512

    b23bff96efdd33e26049946539d385676f6b9e1530459333100b0c27a47c524ffdcf37b5b92f9a61356f1f9db6e8fc64fa7f6a6560da4e228325b9e4a945579e

  • SSDEEP

    49152:EPnmeM9KCmRxAfovAF6RKcMQqx+29uWV9D489/y:Unm99KCm3AAvAF6RKSu91PM+/y

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Kills process with taskkill 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8b68c70276a7086829deee0f9b165b3b4a6d28c0a026153dfe70b812ce27ce6a.exe
    "C:\Users\Admin\AppData\Local\Temp\8b68c70276a7086829deee0f9b165b3b4a6d28c0a026153dfe70b812ce27ce6a.exe"
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4412
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\temp.bat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3476
      • C:\Windows\SysWOW64\taskkill.exe
        TASKKILL /F /PID 4412
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2564
      • C:\Users\Admin\AppData\Local\Temp\NSUDOLC.exe
        NSUDOLC /U:S /P:E C:\Users\Admin\AppData\Local\Temp\8b68c70276a7086829deee0f9b165b3b4a6d28c0a026153dfe70b812ce27ce6a.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4092

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\NSUDOLC.exe

    Filesize

    99KB

    MD5

    0ac3e9d59309f599403ac51615bfe41b

    SHA1

    9041c5562558cb58ac98bd18de3c0ce370a59e1f

    SHA256

    6d5e116c2af78b5585602d91bca3a436a0350630fc7c08412c0cafe55199547c

    SHA512

    e5de92202f4d3ecaff8bd65c99cbbc98c2deaafafe1620be7169d0fed467bfa11ce727fa78f686166758ee3df0b040a2643dbd5a46ee74cc679e647ebdad6910

  • C:\Users\Admin\AppData\Local\Temp\temp.bat

    Filesize

    145B

    MD5

    747232dbd6cc8d17a6300e7f3f57e9d2

    SHA1

    93e33e22496af593d4b3622c6d363c9a830d18bf

    SHA256

    0a8b6af2f64876c51b5e47f11a7524d3ca535060e3e4330c536d6a7912135457

    SHA512

    d3c7a65377354471944e6346de483a69a1b35fbcb10ece5f2a209626b6b3e0ed5b518a770e9f8b13ba67c8e1a539fcac13ec85ea8e21f76c5122344501e3376e