Analysis
  max time kernel:   133s
  max time network:  157s
  platform:          windows10-2004_x64
  resource:          win10v2004-20231023-en
  resource tags:     arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
  submitted:         15/11/2023, 11:12
Static task
  static1:      1 signature

Behavioral task
  behavioral1:  sample 2066.exe, resource win7-20231023-en, 2 signatures, 150 seconds

Behavioral task
  behavioral2:  sample 2066.exe, resource win10v2004-20231023-en, 5 signatures, 150 seconds
General
  Target:  2066.exe
  Size:    6KB
  MD5:     176a511e7c6c2ec0e168019afe1b9485
  SHA1:    4f936e4059f9d63780c4aca11533f9f1184b779b
  SHA256:  8da16afca85c8723cf67087b40e1279d6eb6ed3cf07b68ac10555c1fb2b83f46
  SHA512:  3c47e43b29deb74e8ec9716f6a54332a335f3a0459f067cbcd02a86cf5ced0592f93597a90718b4afbed709c4fec6a8333e1751827bbcd04b74f817239f806bf
  SSDEEP:  96:B7wpoTbuNXdvZrlyScMrTItmunudma60m:GmbWdhASFTITeE
  Score:   4/10
Malware Config
Signatures

Drops file in Windows directory (1 IoC)
  description   ioc                                            Process
  File created  C:\Windows\AppCompat\Programs\Amcache.hve.tmp  dw20.exe

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
  description        ioc                                                                             Process
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                dw20.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz           dw20.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  dw20.exe

Enumerates system info in registry (2 TTPs, 2 IoCs)
  description        ioc                                                   Process
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS    dw20.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU  dw20.exe

Suspicious use of AdjustPrivilegeToken (5 IoCs)
  description                pid   Process
  Token: SeRestorePrivilege  4616  dw20.exe
  Token: SeBackupPrivilege   4616  dw20.exe
  Token: SeBackupPrivilege   4616  dw20.exe
  Token: SeBackupPrivilege   4616  dw20.exe
  Token: SeBackupPrivilege   4616  dw20.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  description                        pid   Process   procid_target
  PID 4292 wrote to memory of 4616   4292  2066.exe  91
  PID 4292 wrote to memory of 4616   4292  2066.exe  91
  PID 4292 wrote to memory of 4616   4292  2066.exe  91
Processes

1. C:\Users\Admin\AppData\Local\Temp\2066.exe
   command line:  "C:\Users\Admin\AppData\Local\Temp\2066.exe"
   PID:           4292
   signatures:
     - Suspicious use of WriteProcessMemory

   2. C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe  (child of PID 4292)
      command line:  dw20.exe -x -s 836
      PID:           4616
      signatures:
        - Drops file in Windows directory
        - Checks processor information in registry
        - Enumerates system info in registry
        - Suspicious use of AdjustPrivilegeToken