Analysis
- max time kernel: 94s
- max time network: 126s
- platform: windows10-2004_x64
- resource: win10v2004-20231222-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25/12/2023, 00:40
Static task: static1
Behavioral task: behavioral1
- Sample: 1d97f27045f931d33b012179131cf689.exe
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: 1d97f27045f931d33b012179131cf689.exe
- Resource: win10v2004-20231222-en
General
- Target: 1d97f27045f931d33b012179131cf689.exe
- Size: 142KB
- MD5: 1d97f27045f931d33b012179131cf689
- SHA1: faec552361d8e2c32be432d090aaa1f9efbda371
- SHA256: 3ec328ecad53bd3e2e88212ceb62777b8d282ef34fab48a23d96a5460a6983c6
- SHA512: 5840fa19f513ddd9b25d29ce1afaeee517c790b463c72d26110983c603d50ab1489b10daa71df9a9c9dce9b0cfb32846c2b1b180715d5390affe86b8a4cd47bc
- SSDEEP: 3072:inOn7t7XpdpCCTg/sxFgJKeqgKJ+BCFCmHXiv9L79Pi/ykb8paIOo:iKpdcCrTdgKkP9L79PNAZIOo
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid 3720, process downloadmr.exe
- Loads dropped DLL (2 IoCs)
  pid 4296, process 1d97f27045f931d33b012179131cf689.exe
  pid 4296, process 1d97f27045f931d33b012179131cf689.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description: Token: SeDebugPrivilege; pid 3720, process downloadmr.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid 3720, process downloadmr.exe
  pid 3720, process downloadmr.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  PID 4296 wrote to memory of 3720; process 1d97f27045f931d33b012179131cf689.exe; procid_target 22
  PID 4296 wrote to memory of 3720; process 1d97f27045f931d33b012179131cf689.exe; procid_target 22
  PID 4296 wrote to memory of 3720; process 1d97f27045f931d33b012179131cf689.exe; procid_target 22
Processes
- C:\Users\Admin\AppData\Local\Temp\1d97f27045f931d33b012179131cf689.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1d97f27045f931d33b012179131cf689.exe"
  PID: 4296
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\nsp45D5.tmp\downloadmr.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\nsp45D5.tmp\downloadmr.exe /u4dc9054e-38b0-4614-bdd5-20605bc06f26 /e49179
    PID: 3720
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 21KB
  MD5: 5ebc73650256e9c8ddbcda231db829a1
  SHA1: 988d4535e18754ab2a6248abae96c5697d7dbcd5
  SHA256: 1eaa543842df7795404184e8892a1654b0773dbc9bd8b54c7fdb9e68f4355493
  SHA512: b21266e76fc7263af982a1336a766e47ccf348ed56b305dbb09f03574c9b2a7309f12200e80d86f9a251381be6e87a41206447f11c51899cb31fba10da1d5270
- Filesize: 54KB
  MD5: ec4db8bab54a0eb74e999b8a00d32f8b
  SHA1: db9af184dc0df1f4c05382215db6a31e187d7084
  SHA256: 778877c4c7f416119a1ef4bd6ed707c7448e3797026a00ad8bb0d07b3ecf9a11
  SHA512: fdf475682a7eef42aef31180b2442ed6c85afcd2d0228ef07e106456e2783b3192a79c6ecca95ba77d1c3116f1ea4e4cb43419f25a3faff887877a6a33df6c6f
- Filesize: 32KB
  MD5: 2327cc85c656faafb70b43d7e7db8b27
  SHA1: 4b0f9ccb52ceb675eaaa569652f314f84ed2219d
  SHA256: c07871ff5e94a427d517ade51fb549353d609c599293c6a412a9a81870ac71db
  SHA512: 427b0df9c487b2ffee5b2e37865a015eb1039b41831d377434265092872d4f34f41e66638e0ce4f5496984e8380d4bdca9a995d026aebcf01aa40b40365ee6ba