Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 202s
max time network: 125s
platform: windows7_x64
resource: win7-20231020-en
resource tags: arch:x64, arch:x86, image:win7-20231020-en, locale:en-us, os:windows7-x64, system
submitted: 24/11/2023, 06:24
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
TokenBroker.exe
Resource
win7-20231020-en
1 signatures
150 seconds
Behavioral task
behavioral2
Sample
TokenBroker.exe
Resource
win10v2004-20231023-en
1 signatures
150 seconds
General
Target: TokenBroker.exe
Size: 450KB
MD5: 62adf1c05748656fce6bbb99a4e0d517
SHA1: ff2dcb97c76aab26334fe031c3a0e7c0e4b94f25
SHA256: c88aeb0fb3b2e793a08caf2c040c24e1f5b6eddec61c22b484862d4428a0af03
SHA512: 6f92de67a16081ec9954b44821cd06ea1facf7877196413ff76c028bf359a8ab486b34a82da74b20364524b0bdbc4949e0197fce14e7f4e7776b794d6ae98a9a
SSDEEP: 12288:SAzy+91FLh+moqhjdzADZMdTy+mevAKuBsEYYYNxnz:SAzy+H/jdzyZStf9uEZz
Score
1/10
Malware Config
Signatures
- Suspicious use of WriteProcessMemory (30 IoCs)
  description                       | pid  | Process         | procid_target
  PID 1936 wrote to memory of 2056  | 1936 | TokenBroker.exe | 28
  PID 1936 wrote to memory of 2056  | 1936 | TokenBroker.exe | 28
  PID 1936 wrote to memory of 2056  | 1936 | TokenBroker.exe | 28
  PID 2056 wrote to memory of 2052  | 2056 | TokenBroker.exe | 29
  PID 2056 wrote to memory of 2052  | 2056 | TokenBroker.exe | 29
  PID 2056 wrote to memory of 2052  | 2056 | TokenBroker.exe | 29
  PID 2052 wrote to memory of 2036  | 2052 | TokenBroker.exe | 30
  PID 2052 wrote to memory of 2036  | 2052 | TokenBroker.exe | 30
  PID 2052 wrote to memory of 2036  | 2052 | TokenBroker.exe | 30
  PID 2036 wrote to memory of 3004  | 2036 | TokenBroker.exe | 31
  PID 2036 wrote to memory of 3004  | 2036 | TokenBroker.exe | 31
  PID 2036 wrote to memory of 3004  | 2036 | TokenBroker.exe | 31
  PID 3004 wrote to memory of 1740  | 3004 | TokenBroker.exe | 32
  PID 3004 wrote to memory of 1740  | 3004 | TokenBroker.exe | 32
  PID 3004 wrote to memory of 1740  | 3004 | TokenBroker.exe | 32
  PID 1740 wrote to memory of 2444  | 1740 | TokenBroker.exe | 33
  PID 1740 wrote to memory of 2444  | 1740 | TokenBroker.exe | 33
  PID 1740 wrote to memory of 2444  | 1740 | TokenBroker.exe | 33
  PID 2444 wrote to memory of 2344  | 2444 | TokenBroker.exe | 34
  PID 2444 wrote to memory of 2344  | 2444 | TokenBroker.exe | 34
  PID 2444 wrote to memory of 2344  | 2444 | TokenBroker.exe | 34
  PID 2344 wrote to memory of 2708  | 2344 | TokenBroker.exe | 35
  PID 2344 wrote to memory of 2708  | 2344 | TokenBroker.exe | 35
  PID 2344 wrote to memory of 2708  | 2344 | TokenBroker.exe | 35
  PID 2708 wrote to memory of 2852  | 2708 | TokenBroker.exe | 36
  PID 2708 wrote to memory of 2852  | 2708 | TokenBroker.exe | 36
  PID 2708 wrote to memory of 2852  | 2708 | TokenBroker.exe | 36
  PID 2852 wrote to memory of 2736  | 2852 | TokenBroker.exe | 37
  PID 2852 wrote to memory of 2736  | 2852 | TokenBroker.exe | 37
  PID 2852 wrote to memory of 2736  | 2852 | TokenBroker.exe | 37
Processes
- C:\Users\Admin\AppData\Local\Temp\TokenBroker.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\TokenBroker.exe"
  PID: 1936
  - Suspicious use of WriteProcessMemory
- C:\Users\Admin\AppData\Local\Temp\TokenBroker.exe (depth 2)
  command line: C:\Users\Admin\AppData\Local\Temp\TokenBroker.exe 1
  PID: 2056
  - Suspicious use of WriteProcessMemory
- C:\Users\Admin\AppData\Local\Temp\TokenBroker.exe (depth 3)
  command line: C:\Users\Admin\AppData\Local\Temp\TokenBroker.exe
  PID: 2052
  - Suspicious use of WriteProcessMemory
- C:\Users\Admin\AppData\Local\Temp\TokenBroker.exe (depth 4)
  command line: C:\Users\Admin\AppData\Local\Temp\TokenBroker.exe 1
  PID: 2036
  - Suspicious use of WriteProcessMemory
- C:\Users\Admin\AppData\Local\Temp\TokenBroker.exe (depth 5)
  command line: C:\Users\Admin\AppData\Local\Temp\TokenBroker.exe
  PID: 3004
  - Suspicious use of WriteProcessMemory
- C:\Users\Admin\AppData\Local\Temp\TokenBroker.exe (depth 6)
  command line: C:\Users\Admin\AppData\Local\Temp\TokenBroker.exe 1
  PID: 1740
  - Suspicious use of WriteProcessMemory
- C:\Users\Admin\AppData\Local\Temp\TokenBroker.exe (depth 7)
  command line: C:\Users\Admin\AppData\Local\Temp\TokenBroker.exe
  PID: 2444
  - Suspicious use of WriteProcessMemory
- C:\Users\Admin\AppData\Local\Temp\TokenBroker.exe (depth 8)
  command line: C:\Users\Admin\AppData\Local\Temp\TokenBroker.exe 1
  PID: 2344
  - Suspicious use of WriteProcessMemory
- C:\Users\Admin\AppData\Local\Temp\TokenBroker.exe (depth 9)
  command line: C:\Users\Admin\AppData\Local\Temp\TokenBroker.exe
  PID: 2708
  - Suspicious use of WriteProcessMemory
- C:\Users\Admin\AppData\Local\Temp\TokenBroker.exe (depth 10)
  command line: C:\Users\Admin\AppData\Local\Temp\TokenBroker.exe 1
  PID: 2852
  - Suspicious use of WriteProcessMemory
- C:\Users\Admin\AppData\Local\Temp\TokenBroker.exe (depth 11)
  command line: C:\Users\Admin\AppData\Local\Temp\TokenBroker.exe
  PID: 2736