Analysis
max time kernel: 1s
max time network: 24s
platform: windows10-2004_x64
resource: win10v2004-20231020-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231020-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13/11/2023, 06:45
Static task: static1
Behavioral task: behavioral1
  Sample: c465c6f44635b7e417377e39fc80c2b731a0327df8ccc09a0b9dfba675f087c2.exe
  Resource: win7-20231023-en
Behavioral task: behavioral2
  Sample: c465c6f44635b7e417377e39fc80c2b731a0327df8ccc09a0b9dfba675f087c2.exe
  Resource: win10v2004-20231020-en
General
Target: c465c6f44635b7e417377e39fc80c2b731a0327df8ccc09a0b9dfba675f087c2.exe
Size: 672KB
MD5: f4af353df9f8807bd5759f356683dab8
SHA1: 0eac161c47fa4f0ff21a75e5bb4c620ba366301f
SHA256: c465c6f44635b7e417377e39fc80c2b731a0327df8ccc09a0b9dfba675f087c2
SHA512: 167d9381fdfbeac9c353905a97759410c66d15fbec70a9d367f7062966e9fde41d2a55fe5c7f677f08f85bec6c429eefcade5c726db907be47759dc3d78c8ba5
SSDEEP: 12288:qlP0GkLH5t5i0AL5jQcL+gdD2toUyEt+:quGkj57i0w5M2xdit7bt
Malware Config
Signatures
Drops file in Program Files directory (1 IoC)
  description | ioc | Process
  File created | C:\Program Files\AUTOINIT\init.lock | c465c6f44635b7e417377e39fc80c2b731a0327df8ccc09a0b9dfba675f087c2.exe
Runs net.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | Process
  4708 | c465c6f44635b7e417377e39fc80c2b731a0327df8ccc09a0b9dfba675f087c2.exe
  4708 | c465c6f44635b7e417377e39fc80c2b731a0327df8ccc09a0b9dfba675f087c2.exe
Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | Process | procid_target
  PID 4708 wrote to memory of 3532 | 4708 | c465c6f44635b7e417377e39fc80c2b731a0327df8ccc09a0b9dfba675f087c2.exe | 89
  PID 4708 wrote to memory of 3532 | 4708 | c465c6f44635b7e417377e39fc80c2b731a0327df8ccc09a0b9dfba675f087c2.exe | 89
  PID 4708 wrote to memory of 3532 | 4708 | c465c6f44635b7e417377e39fc80c2b731a0327df8ccc09a0b9dfba675f087c2.exe | 89
  PID 4708 wrote to memory of 792 | 4708 | c465c6f44635b7e417377e39fc80c2b731a0327df8ccc09a0b9dfba675f087c2.exe | 90
  PID 4708 wrote to memory of 792 | 4708 | c465c6f44635b7e417377e39fc80c2b731a0327df8ccc09a0b9dfba675f087c2.exe | 90
  PID 4708 wrote to memory of 792 | 4708 | c465c6f44635b7e417377e39fc80c2b731a0327df8ccc09a0b9dfba675f087c2.exe | 90
  PID 4708 wrote to memory of 1632 | 4708 | c465c6f44635b7e417377e39fc80c2b731a0327df8ccc09a0b9dfba675f087c2.exe | 91
  PID 4708 wrote to memory of 1632 | 4708 | c465c6f44635b7e417377e39fc80c2b731a0327df8ccc09a0b9dfba675f087c2.exe | 91
  PID 4708 wrote to memory of 1632 | 4708 | c465c6f44635b7e417377e39fc80c2b731a0327df8ccc09a0b9dfba675f087c2.exe | 91
  PID 4708 wrote to memory of 3488 | 4708 | c465c6f44635b7e417377e39fc80c2b731a0327df8ccc09a0b9dfba675f087c2.exe | 92
  PID 4708 wrote to memory of 3488 | 4708 | c465c6f44635b7e417377e39fc80c2b731a0327df8ccc09a0b9dfba675f087c2.exe | 92
  PID 4708 wrote to memory of 3488 | 4708 | c465c6f44635b7e417377e39fc80c2b731a0327df8ccc09a0b9dfba675f087c2.exe | 92
Processes (process tree, indented by depth; image path | command line | PID)
C:\Users\Admin\AppData\Local\Temp\c465c6f44635b7e417377e39fc80c2b731a0327df8ccc09a0b9dfba675f087c2.exe | "C:\Users\Admin\AppData\Local\Temp\c465c6f44635b7e417377e39fc80c2b731a0327df8ccc09a0b9dfba675f087c2.exe" | PID 4708
  signatures: Drops file in Program Files directory; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\netsh.exe | netsh interface ip set address "Ethernet" static 0.0.0.0 255.255.0.0 0.0.0.0 | PID 3532
  C:\Windows\SysWOW64\netsh.exe | netsh interface ip set dns "Ethernet" static 223.5.5.5 primary | PID 792
  C:\Windows\SysWOW64\netsh.exe | netsh interface ip add dns name="Ethernet" 8.8.8.8 index=2 | PID 1632
  C:\Windows\SysWOW64\net.exe | net user administrator Aa112233 | PID 3488
    C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 user administrator Aa112233 | PID 4300