Analysis

  • max time kernel
    144s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    24/12/2023, 22:35

General

  • Target

    162703deea462cdb2dc2320b9c4bcb75.exe

  • Size

    581KB

  • MD5

    162703deea462cdb2dc2320b9c4bcb75

  • SHA1

    9047596740a6630875a6f89e8589bb88f56e62f7

  • SHA256

    165e6872a8d9a57fe09bbe56e9ec7facd8fef97a18430fccb6416cde88644157

  • SHA512

    f762f77dd8b1886167f4ad764e100ddcd5909a90717eecffe6fda9a7af3dd08dac954443ec315e4991835f1acce8f062ac2e5c3ab6009b4c1999f6cf84a58b83

  • SSDEEP

    12288:alJC73yJg1PYuWJp9f++3QLa3nL0lqLbt3nQgfGA2reW4AfAcktWTEmF:a/wug1gxfZ3QLKniqN3nQgf6rH4ckWp

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\162703deea462cdb2dc2320b9c4bcb75.exe
    "C:\Users\Admin\AppData\Local\Temp\162703deea462cdb2dc2320b9c4bcb75.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1172
    • C:\Users\Admin\AppData\Local\Temp\1431842551.exe
      C:\Users\Admin\AppData\Local\Temp\1431842551.exe 1/7/0/2/4/8/8/6/9/3/2 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
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:3800
      • C:\Windows\SysWOW64\Wbem\wmic.exe
        wmic /output:C:\Users\Admin\AppData\Local\Temp\81703546781.txt bios get version
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:4552
      • C:\Windows\SysWOW64\Wbem\wmic.exe
        wmic /output:C:\Users\Admin\AppData\Local\Temp\81703546781.txt bios get version
        3⤵
        PID:1268
      • C:\Windows\SysWOW64\Wbem\wmic.exe
        wmic /output:C:\Users\Admin\AppData\Local\Temp\81703546781.txt bios get version
        3⤵
        PID:3728
      • C:\Windows\SysWOW64\Wbem\wmic.exe
        wmic /output:C:\Users\Admin\AppData\Local\Temp\81703546781.txt bios get version
        3⤵
        PID:2224
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3800 -s 900
        3⤵
        • Program crash
        PID:1720
  • C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81703546781.txt bios get serialnumber
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4728
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3800 -ip 3800
    1⤵
    PID:2348
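The process tree shows the dropped second stage (PID 3800) running wmic four times for the BIOS version and once for the BIOS serial number, each time redirecting the result to the same file under %TEMP%, before crashing into WerFault. Win32_BIOS Version and SerialNumber are fields malware commonly reads to tell a virtual machine or sandbox from a physical host. The detection logic below is an added example; it is not part of the tria.ge report and not code from the sample. Its input events are constructed to mirror the tree above (PIDs, image paths and command lines are copied from the report; parent links are an assumption, and the two processes shown at depth 1 get no parent because the report records none), plus two constructed benign controls. The pid/ppid/image/cmdline record layout is a simplified stand-in for a Sysmon Event ID 1 or Windows 4688 event, not any product's real schema, and the extra Win32_BIOS properties beyond version and serialnumber are a generalisation not taken from the report.

```python
"""Detection of the WMIC BIOS-fingerprinting pattern in the process tree above.

Added example: not part of the tria.ge report and not code from the sample. Events
are constructed from the report's process tree; parent links are an assumption and
depth-1 processes get no parent. Record layout is a simplified Sysmon/4688 stand-in.
"""
import re
from collections import Counter

# %TEMP% of any user profile (the NSIS ns*.tmp plugin directory also lives here).
USER_TEMP_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)

# Win32_BIOS properties whose values differ between physical hosts and VMs/sandboxes.
# The report shows only version and serialnumber; the other two are a generalisation.
FINGERPRINT_PROPS = {"version", "serialnumber", "manufacturer", "smbiosbiosversion"}

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
WMIC32 = r"C:\Windows\SysWOW64\Wbem\wmic.exe"
EVENTS = [
    {"pid": 1172, "ppid": None, "image": TEMP + r"\162703deea462cdb2dc2320b9c4bcb75.exe",
     "cmdline": '"' + TEMP + r'\162703deea462cdb2dc2320b9c4bcb75.exe"'},
    {"pid": 3800, "ppid": 1172, "image": TEMP + r"\1431842551.exe",
     "cmdline": TEMP + r"\1431842551.exe 1/7/0/2/4/8/8/6/9/3/2"},
]
for _pid in (4552, 1268, 3728, 2224):  # four identical queries from the dropped EXE
    EVENTS.append({"pid": _pid, "ppid": 3800, "image": WMIC32,
                   "cmdline": "wmic /output:" + TEMP + r"\81703546781.txt bios get version"})
EVENTS += [
    {"pid": 1720, "ppid": 3800, "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -u -p 3800 -s 900"},
    {"pid": 4728, "ppid": None, "image": WMIC32,  # depth 1 in the report: parent unknown
     "cmdline": "wmic /output:" + TEMP + r"\81703546781.txt bios get serialnumber"},
    {"pid": 2348, "ppid": None, "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3800 -ip 3800"},
    # Constructed benign controls: an admin shell running inventory commands.
    {"pid": 5000, "ppid": None, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
    {"pid": 5001, "ppid": 5000, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic os get caption"},
    {"pid": 5002, "ppid": 5000, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic bios get serialnumber"},
]


def parse_wmic_bios_query(cmdline):
    """Return (output_path, property) for `wmic [/output:path] bios get <prop>`, else None."""
    tokens = cmdline.split()
    if len(tokens) < 4:
        return None
    if tokens[0].strip('"').lower().rsplit("\\", 1)[-1] not in ("wmic", "wmic.exe"):
        return None
    output_path, rest = None, tokens[1:]
    if rest[0].lower().startswith("/output:"):
        output_path, rest = rest[0][len("/output:"):], rest[1:]
    if len(rest) >= 3 and rest[0].lower() == "bios" and rest[1].lower() == "get":
        return output_path, rest[2].lower()
    return None


def score_event(event, events_by_pid):
    """Return a finding for one process-creation event, or None if it is not a BIOS query."""
    parsed = parse_wmic_bios_query(event["cmdline"])
    if parsed is None or parsed[1] not in FINGERPRINT_PROPS:
        return None
    output_path, prop = parsed
    reasons, score = [f"wmic queried Win32_BIOS.{prop}"], 1
    if output_path and USER_TEMP_RE.match(output_path):
        reasons.append("result written to a file under the user's %TEMP%")
        score += 1
    parent = events_by_pid.get(event["ppid"])  # None when the parent was not recorded
    if parent is None:
        reasons.append("parent not recorded; scored on command line alone")
    elif USER_TEMP_RE.match(parent["image"]):
        reasons.append(f"parent {parent['image']} runs from %TEMP%")
        score += 1
    return {"pid": event["pid"], "ppid": event["ppid"], "property": prop,
            "severity": ("low", "medium", "high")[score - 1], "reasons": reasons}


def detect(events):
    """Score every event; add one 'burst' finding per parent that issues 3+ BIOS queries."""
    by_pid = {e["pid"]: e for e in events}
    findings = [f for f in (score_event(e, by_pid) for e in events) if f is not None]
    per_parent = Counter(f["ppid"] for f in findings if f["ppid"] is not None)
    for ppid, n in sorted(per_parent.items()):
        if n >= 3:
            findings.append({"pid": None, "ppid": ppid, "property": None, "severity": "high",
                             "reasons": [f"{n} BIOS queries issued by PID {ppid}"]})
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f"{f['severity']:<6} pid={f['pid']} ppid={f['ppid']}: " + "; ".join(f["reasons"]))
```

Scoring is split deliberately: the command line alone (a BIOS query redirected into %TEMP%) already yields a medium finding, so the depth-1 serialnumber query with no recorded parent is still caught; the parent running from %TEMP% raises it to high, and a plain `wmic bios get serialnumber` from an administrator's shell stays low. The burst rule catches the four-times-repeated query regardless of where the output went.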

          Network

          MITRE ATT&CK Enterprise v15

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\1431842551.exe

            Filesize

            757KB

            MD5

            ba17e612053df15fbb570fb28dbbbc80

            SHA1

            8c58cee99fbd9394c7fbd5770afe437e99447567

            SHA256

            4df67a7e05f6d36a2a1fa0c80c8aecaaf6cc3997edaf5c5f5b955f66345ce457

            SHA512

            d78f8418321bb71d891eb6936f97649cc0e84152e3c813b3d99729b12a19dfd36028d671daf3278782f075cf3eac3893e5cd20bae126c262fd75f1419b5aac30

          • C:\Users\Admin\AppData\Local\Temp\1431842551.exe

            Filesize

            788KB

            MD5

            f064678b83ee6fb859744275b9e5f51b

            SHA1

            66166c3418f7c49a9b999417fd837c3ece1b9d47

            SHA256

            14dd610f549a06e1317e730af2bd6eb6c434ecff0855570b3540dca820a348cc

            SHA512

            f085002b5128227099861b1cba5048e3fa59c20a6dc62ef4e0c88d3b56e8cb7184373788069c11e303041e6cf1ada761c5f8f3807a1c819fcd688dff04acd196

          • C:\Users\Admin\AppData\Local\Temp\81703546781.txt

            Filesize

            66B

            MD5

            9025468f85256136f923096b01375964

            SHA1

            7fcd174999661594fa5f88890ffb195e9858cc52

            SHA256

            d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

            SHA512

            92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

          • C:\Users\Admin\AppData\Local\Temp\81703546781.txt

            Filesize

            2B

            MD5

            f3b25701fe362ec84616a93a45ce9998

            SHA1

            d62636d8caec13f04e28442a0a6fa1afeb024bbb

            SHA256

            b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

            SHA512

            98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

          • C:\Users\Admin\AppData\Local\Temp\81703546781.txt

            Filesize

            58B

            MD5

            dd876faf0fd44a5fab3e82368e2e8b15

            SHA1

            01b04083fa278dda3a81705ca5abcfee487a3c90

            SHA256

            5602490a82bcacec8797d25cbb6f643fc9e69f89a2f0e6ec1e8d1f568e77a6b9

            SHA512

            e03d1def5b7fb0ed01a414cead199229ec0e153ff831d3ff5dd36c320572084c56a5e1369c753f868c855455758c0d308941b6187c348051419bd937d014cb8b

          • C:\Users\Admin\AppData\Local\Temp\nss593D.tmp\nraigbw.dll

            Filesize

            153KB

            MD5

            fbc2f25eece1f6307c2988c4e34d2e30

            SHA1

            a1bf3b628c671cbb1528122e554086e851ff8073

            SHA256

            01ac6332290592c8d229fb2a650c7ce6fde6a3fe40025045adafb76b718cf140

            SHA512

            d54f8f2bcf2183c448e336543a592f318b91cd8563a2fee436d451d82640fec1fe0927a807e505664c31b3502766cb71bc7628fa6a0b351fb271b1fa13f2909e

          • C:\Users\Admin\AppData\Local\Temp\nss593D.tmp\nsisunz.dll

            Filesize

            40KB

            MD5

            5f13dbc378792f23e598079fc1e4422b

            SHA1

            5813c05802f15930aa860b8363af2b58426c8adf

            SHA256

            6e87ecb7f62039fbb6e7676422d1a5e75a32b90dde6865dcb68ee658ba8df61d

            SHA512

            9270635a5294482f49e0292e26d45dd103b85fe27dc163d44531b095c5f9dbde6b904adaf1a888ba3c112a094380394713c796f5195b2566a20f00b42b6578e5