Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

8533ca3518...b8.exe

windows7-x64

8533ca3518...b8.exe

windows10-2004-x64

Analysis

  • max time kernel
    46s
  • max time network
    33s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22/12/2023, 10:32

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    8533ca3518ee06d6219f7eaa43a2cbb8.exe

  • Size

    79KB

  • MD5

    8533ca3518ee06d6219f7eaa43a2cbb8

  • SHA1

    b9a231ca235c7eb57d9a6e0a3d47680d291cf355

  • SHA256

    8ba7d0adb180615be8923a26b3c3259201a73f0cb70b62f38c2d43445c2e8307

  • SHA512

    8fb61a514df985b1eb4b5e6960782d2adb763079c61a71efd6a8eeea8a7fe6332f90b392bee3a6a5ebe7a9a2f74349b3b7146131546f40971a1bb1e16aa3a887

  • SSDEEP

    1536:C+T052SRYaNRyGVxxsErecOUGKqPamrzHk:OYCTfskecOJvPrE

Score
7/10
bootkitpersistence

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Modifies data under HKEY_USERS 15 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8533ca3518ee06d6219f7eaa43a2cbb8.exe
    "C:\Users\Admin\AppData\Local\Temp\8533ca3518ee06d6219f7eaa43a2cbb8.exe"
    1⤵
    • Writes to the Master Boot Record (MBR)
    • Suspicious use of WriteProcessMemory
    PID:1808
    • C:\Users\Admin\AppData\Local\Temp\sys3.exe
      C:\Users\Admin\AppData\Local\Temp\\sys3.exe
      2⤵
      • Executes dropped EXE
      • Writes to the Master Boot Record (MBR)
      • Suspicious use of AdjustPrivilegeToken
      PID:4908
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x4 /state0:0xa39f2855 /state1:0x41c64e6d
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:3628

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\sys3.exe
    Filesize

    79KB

    MD5

    8533ca3518ee06d6219f7eaa43a2cbb8

    SHA1

    b9a231ca235c7eb57d9a6e0a3d47680d291cf355

    SHA256

    8ba7d0adb180615be8923a26b3c3259201a73f0cb70b62f38c2d43445c2e8307

    SHA512

    8fb61a514df985b1eb4b5e6960782d2adb763079c61a71efd6a8eeea8a7fe6332f90b392bee3a6a5ebe7a9a2f74349b3b7146131546f40971a1bb1e16aa3a887

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\systm.txt
    Filesize

    70B

    MD5

    753fcf709e1bfcb4720e2d7ed2d0a42a

    SHA1

    726baebda65bb15047cf503e063859d410b9983e

    SHA256

    e40bf7b8c631bc02888a610b1c92bb6bbd4230f7989a657048cd8ff012afda79

    SHA512

    8c853348a5037713fe550dd2e0a69a42059af8516db9f60055df69e71512881a06dc49b01a3527ab52ab9da18841ab4d15708af4468813133ed7e9b9f4961c8b

    Download Submit

  • memory/1808-0-0x000000002AA00000-0x000000002AA16000-memory.dmp

    Filesize

    88KB

    Download

  • memory/1808-8-0x000000002AA00000-0x000000002AA16000-memory.dmp

    Filesize

    88KB

    Download

  • memory/4908-6-0x000000002AA00000-0x000000002AA16000-memory.dmp

    Filesize

    88KB

    Download