Analysis
max time kernel: 178s
max time network: 181s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24/12/2023, 18:01
Static task: static1
Behavioral task: behavioral1
  Sample: 0a37ecfea5074fff2de431e643e74af0.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 0a37ecfea5074fff2de431e643e74af0.exe
  Resource: win10v2004-20231215-en
General
Target: 0a37ecfea5074fff2de431e643e74af0.exe
Size: 693KB
MD5: 0a37ecfea5074fff2de431e643e74af0
SHA1: 4ff3dfa39ae7fd46772c30ff547ed935e134396f
SHA256: 114ad38ef50939dbc71a24923dff65aad0167b7679805d3c3a5a2fd4b6925247
SHA512: 7ee5854e7e3cebf76de910b47f427095c420cd27c227d74cd0c62e44f2adfc429c1abb02391cc7ca15df28a99ce471c4912d4a41fc43e234d78029f330f3c33f
SSDEEP: 12288:tSIzbMSwyUI2buNNqwfVsQV2wWU4dh2hPnmrTVr5i38VeUbBxjv:tSibMSws2SqwGuZUgz3kXjv
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  PID 5060  0a37ecfea5074fff2de431e643e74af0.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str)  \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\sidebar = "C:\\Users\\Admin\\AppData\\Roaming\\Sample.lnk"  by 0a37ecfea5074fff2de431e643e74af0.exe

Drops desktop.ini file(s) (2 IoCs)
  File created  C:\Windows\assembly\Desktop.ini  by 0a37ecfea5074fff2de431e643e74af0.exe
  File opened for modification  C:\Windows\assembly\Desktop.ini  by 0a37ecfea5074fff2de431e643e74af0.exe

Suspicious use of SetThreadContext (1 IoC)
  PID 4660 set thread context of 5060 (procid_target 104)  0a37ecfea5074fff2de431e643e74af0.exe

Drops file in Windows directory (3 IoCs)
  File opened for modification  C:\Windows\assembly  by 0a37ecfea5074fff2de431e643e74af0.exe
  File created  C:\Windows\assembly\Desktop.ini  by 0a37ecfea5074fff2de431e643e74af0.exe
  File opened for modification  C:\Windows\assembly\Desktop.ini  by 0a37ecfea5074fff2de431e643e74af0.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (3 IoCs)
  PID 4660  0a37ecfea5074fff2de431e643e74af0.exe  (3 events)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 5060  0a37ecfea5074fff2de431e643e74af0.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege  PID 4660  0a37ecfea5074fff2de431e643e74af0.exe
  Token: SeDebugPrivilege  PID 5060  0a37ecfea5074fff2de431e643e74af0.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  PID 5060  0a37ecfea5074fff2de431e643e74af0.exe

Suspicious use of WriteProcessMemory (16 IoCs)
  PID 4660 wrote to memory of 1508 (procid_target 99)  0a37ecfea5074fff2de431e643e74af0.exe  (3 events)
  PID 4660 wrote to memory of 2764 (procid_target 101)  0a37ecfea5074fff2de431e643e74af0.exe  (3 events)
  PID 4660 wrote to memory of 5060 (procid_target 104)  0a37ecfea5074fff2de431e643e74af0.exe  (10 events)
Processes
C:\Users\Admin\AppData\Local\Temp\0a37ecfea5074fff2de431e643e74af0.exe  "C:\Users\Admin\AppData\Local\Temp\0a37ecfea5074fff2de431e643e74af0.exe"  (PID 4660)
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  |- C:\Windows\SysWOW64\CMD.exe  "CMD"  (PID 1508)
  |- C:\Windows\SysWOW64\CMD.exe  "CMD"  (PID 2764)
  '- C:\Users\Admin\AppData\Local\Temp\0a37ecfea5074fff2de431e643e74af0.exe  "C:\Users\Admin\AppData\Local\Temp\0a37ecfea5074fff2de431e643e74af0.exe"  (PID 5060)
       - Executes dropped EXE
       - Drops desktop.ini file(s)
       - Drops file in Windows directory
       - Suspicious behavior: GetForegroundWindowSpam
       - Suspicious use of AdjustPrivilegeToken
       - Suspicious use of SetWindowsHookEx
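The signature rows and the process tree above, read together, show one chain: PID 4660 writes into a child that runs the same image (PID 5060) and then replaces that child's thread context, which is the RunPE/process-hollowing sequence, and separately plants a RunOnce value pointing at a .lnk under the user's AppData. The following script is an added example, not code from tria.ge or from the sample: it parses the report's own rows (copied from the tables above, with the repeat counts the report shows) into findings. The ATT&CK mapping, the list of user-writable directories and the decision to ignore the writes into the two CMD.exe children (no SetThreadContext followed them) are the example's own assumptions.

```python
"""Correlate flattened tria.ge signature rows into findings (added example)."""
import re
from collections import Counter
from typing import Dict, List, Optional

# PID -> image name, taken from the report's "Processes" section.
PROCS: Dict[int, str] = {
    4660: "0a37ecfea5074fff2de431e643e74af0.exe",
    1508: "CMD.exe",
    2764: "CMD.exe",
    5060: "0a37ecfea5074fff2de431e643e74af0.exe",
}


def _write_row(target: int, procid_target: int) -> str:
    # One row of the report's "Suspicious use of WriteProcessMemory" table.
    return f"PID 4660 wrote to memory of {target} 4660 {PROCS[4660]} {procid_target}\n"


# The report lists 3 writes to each CMD.exe child and 10 to PID 5060 (16 rows).
WRITE_ROWS = _write_row(1508, 99) * 3 + _write_row(2764, 101) * 3 + _write_row(5060, 104) * 10
CTX_ROWS = f"PID 4660 set thread context of 5060 4660 {PROCS[4660]} 104\n"

WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \d+ \S+ \d+$")
CTX_RE = re.compile(r"^PID (\d+) set thread context of (\d+) \d+ \S+ \d+$")


def parse_pairs(text: str, pattern: re.Pattern) -> Counter:
    """Count (source PID, target PID) pairs over the rows matching `pattern`."""
    pairs: Counter = Counter()
    for line in text.splitlines():
        m = pattern.match(line.strip())
        if m:
            pairs[(int(m.group(1)), int(m.group(2)))] += 1
    return pairs


def injection_findings(write_text: str, ctx_text: str, procs: Dict[int, str]) -> List[dict]:
    """Report every SetThreadContext target together with the writes that preceded it.

    Writing into a child and then replacing its thread context is the RunPE /
    process-hollowing sequence (ATT&CK T1055.012). Children that were only
    written to (the two CMD.exe instances) are deliberately not reported:
    a few writes into a freshly created child are also what ordinary process
    start-up looks like in this kind of log (assumption of this example).
    """
    writes = parse_pairs(write_text, WRITE_RE)
    findings = []
    for (src, dst) in parse_pairs(ctx_text, CTX_RE):
        same_image = procs.get(src, "?").lower() == procs.get(dst, "?").lower()
        findings.append({
            "source": src,
            "target": dst,
            "target_image": procs.get(dst, "?"),
            "writes": writes.get((src, dst), 0),
            "technique": "process hollowing (ATT&CK T1055.012)",
            "variant": "same image as parent" if same_image else "different image",
        })
    return findings


# Registry IoC from "Adds Run key to start application".
RUNONCE_PATH = (r"\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000"
                r"\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\sidebar")
RUNONCE_DATA = r"C:\Users\Admin\AppData\Roaming\Sample.lnk"

AUTORUN_RE = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\([^\\]+)$", re.IGNORECASE)
# Directories an unprivileged user can write to (assumption; extend for your estate).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def autorun_finding(reg_path: str, data: str) -> Optional[dict]:
    """Explain why a Run/RunOnce value is suspicious, or return None if it is not."""
    m = AUTORUN_RE.search(reg_path)
    if not m:
        return None
    target = data.strip('"').lower()
    reasons = []
    if m.group(1).lower() == "runonce":
        reasons.append("RunOnce value: fires once at next logon and is then deleted, "
                       "so the implant has to re-create it on every run")
    if any(p in target for p in USER_WRITABLE):
        reasons.append("target lives in a user-writable directory")
    if target.endswith(".lnk"):
        reasons.append("target is a shortcut, so the real command is hidden inside the .lnk")
    if not reasons:
        return None
    return {"key": m.group(1), "value": m.group(2), "target": data,
            "reasons": reasons, "technique": "ATT&CK T1547.001"}


if __name__ == "__main__":
    for finding in injection_findings(WRITE_ROWS, CTX_ROWS, PROCS):
        print(finding)
    print(autorun_finding(RUNONCE_PATH, RUNONCE_DATA))
```

Run as-is it prints one injection finding (4660 into 5060, 10 writes, same image as parent) and one autorun finding for the `sidebar` RunOnce value with all three reasons. On a live host the same two functions can be fed Sysmon event 10/8 pairs and the output of a Run/RunOnce key dump instead of the report text; only the two regexes need to change.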
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 261KB
MD5: dbce389074fbbf5c3021a3419b9a46d0
SHA1: 1b31cc5b7a071315ed12932e7611384bcb34fb64
SHA256: 08b548a8eb26c2a65300519a973dd239750fe51299a0352755e66665fb02ea20
SHA512: 31fa2049389502ea159410b83af659629b9b82ced022206f6660a195b0388068355342e235edd03c72c1f3105ea5bab53f72d2c8c42d6393c0539dde7fca5c4d