Analysis
max time kernel: 150s
max time network: 123s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 25/12/2023, 02:46
Static task: static1
Behavioral task: behavioral1
Sample: 00d119fc464e81f503dfe92e407e8297.exe
Resource: win7-20231215-en
General
Target: 00d119fc464e81f503dfe92e407e8297.exe
Size: 2.3MB
MD5: 00d119fc464e81f503dfe92e407e8297
SHA1: f57eb560df81f870b6fb865337c273486dfdc721
SHA256: 8da107ea5a07ea1a4ab6c033782d8c0df570f788559d3c6c3b72d452b347e583
SHA512: 0834f67cf3e77435279392064ae0d27c70ba01f6113cf65359e5b6887dfaa0c585485f19eb5a7e43c0acd52cdf32c76a2b945c688ccde293f78c17c342373131
SSDEEP: 49152:IXWpU1Dost4jUlU/fzcINWRVE67RsNKWFT+yAirGCz:IXWps4jCV90TFTFz6+
Malware Config
Signatures
Checks BIOS information in registry (2 TTPs, 1 IoC)
BIOS information is often read in order to detect sandboxing environments.
description        ioc                                                           Process
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate  00d119fc464e81f503dfe92e407e8297.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (64 IoCs)
pid   Process
1220  00d119fc464e81f503dfe92e407e8297.exe
(the same row, pid 1220 / 00d119fc464e81f503dfe92e407e8297.exe, is reported 64 times, once per IoC)
Checks processor information in registry (2 TTPs, 4 IoCs)
Processor information is often read in order to detect sandboxing environments.
description        ioc                                                                                   Process
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      00d119fc464e81f503dfe92e407e8297.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  00d119fc464e81f503dfe92e407e8297.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier           00d119fc464e81f503dfe92e407e8297.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier     00d119fc464e81f503dfe92e407e8297.exe
Enumerates system info in registry (2 TTPs, 1 IoC)
description        ioc                                                      Process
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier  00d119fc464e81f503dfe92e407e8297.exe
Suspicious use of AdjustPrivilegeToken (23 IoCs)
description                          pid   Process
Token: SeIncreaseQuotaPrivilege      1220  00d119fc464e81f503dfe92e407e8297.exe
Token: SeSecurityPrivilege           1220  00d119fc464e81f503dfe92e407e8297.exe
Token: SeTakeOwnershipPrivilege      1220  00d119fc464e81f503dfe92e407e8297.exe
Token: SeLoadDriverPrivilege         1220  00d119fc464e81f503dfe92e407e8297.exe
Token: SeSystemProfilePrivilege      1220  00d119fc464e81f503dfe92e407e8297.exe
Token: SeSystemtimePrivilege         1220  00d119fc464e81f503dfe92e407e8297.exe
Token: SeProfSingleProcessPrivilege  1220  00d119fc464e81f503dfe92e407e8297.exe
Token: SeIncBasePriorityPrivilege    1220  00d119fc464e81f503dfe92e407e8297.exe
Token: SeCreatePagefilePrivilege     1220  00d119fc464e81f503dfe92e407e8297.exe
Token: SeBackupPrivilege             1220  00d119fc464e81f503dfe92e407e8297.exe
Token: SeRestorePrivilege            1220  00d119fc464e81f503dfe92e407e8297.exe
Token: SeShutdownPrivilege           1220  00d119fc464e81f503dfe92e407e8297.exe
Token: SeDebugPrivilege              1220  00d119fc464e81f503dfe92e407e8297.exe
Token: SeSystemEnvironmentPrivilege  1220  00d119fc464e81f503dfe92e407e8297.exe
Token: SeChangeNotifyPrivilege       1220  00d119fc464e81f503dfe92e407e8297.exe
Token: SeRemoteShutdownPrivilege     1220  00d119fc464e81f503dfe92e407e8297.exe
Token: SeUndockPrivilege             1220  00d119fc464e81f503dfe92e407e8297.exe
Token: SeManageVolumePrivilege       1220  00d119fc464e81f503dfe92e407e8297.exe
Token: SeImpersonatePrivilege        1220  00d119fc464e81f503dfe92e407e8297.exe
Token: SeCreateGlobalPrivilege       1220  00d119fc464e81f503dfe92e407e8297.exe
Token: 33                            1220  00d119fc464e81f503dfe92e407e8297.exe
Token: 34                            1220  00d119fc464e81f503dfe92e407e8297.exe
Token: 35                            1220  00d119fc464e81f503dfe92e407e8297.exe
Processes
Path: C:\Users\Admin\AppData\Local\Temp\00d119fc464e81f503dfe92e407e8297.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\00d119fc464e81f503dfe92e407e8297.exe"
- Checks BIOS information in registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:1220