Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
145s -
max time network
159s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
25/12/2023, 10:09
Static task
static1
Behavioral task
behavioral1
Sample
16320c05d8b7d2440e462b1d1fb838fe.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
16320c05d8b7d2440e462b1d1fb838fe.exe
Resource
win10v2004-20231215-en
General
-
Target
16320c05d8b7d2440e462b1d1fb838fe.exe
-
Size
557KB
-
MD5
16320c05d8b7d2440e462b1d1fb838fe
-
SHA1
112423a6352a5eda61b1f0347b1c209d84ea4e59
-
SHA256
236ce6fdd52ec0482e121196b06668f2dadf4bd1cc8a506a91c11fdbe1c6a08c
-
SHA512
2308433405295711e1b7c297df9c530caa88ee010a00385fa35376fc13178bb3646b2c863904c99ce9f2398f25e787251a76f33376cdf3696f45fa984916ec06
-
SSDEEP
12288:KcHGf9rGrlhZsiRsWFf/Vb/gxsImiQEbL6P2Dn9Vn:Kc2FY/nuQf/0zmS36+D9V
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 2396 ecfcabfbddij.exe -
Loads dropped DLL 2 IoCs
pid Process 1032 16320c05d8b7d2440e462b1d1fb838fe.exe 1032 16320c05d8b7d2440e462b1d1fb838fe.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid pid_target Process procid_target 3108 2396 WerFault.exe 90 -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeIncreaseQuotaPrivilege 2508 wmic.exe Token: SeSecurityPrivilege 2508 wmic.exe Token: SeTakeOwnershipPrivilege 2508 wmic.exe Token: SeLoadDriverPrivilege 2508 wmic.exe Token: SeSystemProfilePrivilege 2508 wmic.exe Token: SeSystemtimePrivilege 2508 wmic.exe Token: SeProfSingleProcessPrivilege 2508 wmic.exe Token: SeIncBasePriorityPrivilege 2508 wmic.exe Token: SeCreatePagefilePrivilege 2508 wmic.exe Token: SeBackupPrivilege 2508 wmic.exe Token: SeRestorePrivilege 2508 wmic.exe Token: SeShutdownPrivilege 2508 wmic.exe Token: SeDebugPrivilege 2508 wmic.exe Token: SeSystemEnvironmentPrivilege 2508 wmic.exe Token: SeRemoteShutdownPrivilege 2508 wmic.exe Token: SeUndockPrivilege 2508 wmic.exe Token: SeManageVolumePrivilege 2508 wmic.exe Token: 33 2508 wmic.exe Token: 34 2508 wmic.exe Token: 35 2508 wmic.exe Token: 36 2508 wmic.exe Token: SeIncreaseQuotaPrivilege 2508 wmic.exe Token: SeSecurityPrivilege 2508 wmic.exe Token: SeTakeOwnershipPrivilege 2508 wmic.exe Token: SeLoadDriverPrivilege 2508 wmic.exe Token: SeSystemProfilePrivilege 2508 wmic.exe Token: SeSystemtimePrivilege 2508 wmic.exe Token: SeProfSingleProcessPrivilege 2508 wmic.exe Token: SeIncBasePriorityPrivilege 2508 wmic.exe Token: SeCreatePagefilePrivilege 2508 wmic.exe Token: SeBackupPrivilege 2508 wmic.exe Token: SeRestorePrivilege 2508 wmic.exe Token: SeShutdownPrivilege 2508 wmic.exe Token: SeDebugPrivilege 2508 wmic.exe Token: SeSystemEnvironmentPrivilege 2508 wmic.exe Token: SeRemoteShutdownPrivilege 2508 wmic.exe Token: SeUndockPrivilege 2508 wmic.exe Token: SeManageVolumePrivilege 2508 wmic.exe Token: 33 2508 wmic.exe Token: 34 2508 wmic.exe Token: 35 2508 wmic.exe Token: 36 2508 wmic.exe Token: SeIncreaseQuotaPrivilege 4428 wmic.exe Token: SeSecurityPrivilege 4428 wmic.exe Token: SeTakeOwnershipPrivilege 4428 wmic.exe Token: SeLoadDriverPrivilege 4428 wmic.exe Token: SeSystemProfilePrivilege 4428 wmic.exe Token: SeSystemtimePrivilege 4428 wmic.exe Token: SeProfSingleProcessPrivilege 4428 wmic.exe Token: SeIncBasePriorityPrivilege 4428 wmic.exe Token: SeCreatePagefilePrivilege 4428 wmic.exe Token: SeBackupPrivilege 4428 wmic.exe Token: SeRestorePrivilege 4428 wmic.exe Token: SeShutdownPrivilege 4428 wmic.exe Token: SeDebugPrivilege 4428 wmic.exe Token: SeSystemEnvironmentPrivilege 4428 wmic.exe Token: SeRemoteShutdownPrivilege 4428 wmic.exe Token: SeUndockPrivilege 4428 wmic.exe Token: SeManageVolumePrivilege 4428 wmic.exe Token: 33 4428 wmic.exe Token: 34 4428 wmic.exe Token: 35 4428 wmic.exe Token: 36 4428 wmic.exe Token: SeIncreaseQuotaPrivilege 4428 wmic.exe -
Suspicious use of WriteProcessMemory 18 IoCs
description pid Process procid_target PID 1032 wrote to memory of 2396 1032 16320c05d8b7d2440e462b1d1fb838fe.exe 90 PID 1032 wrote to memory of 2396 1032 16320c05d8b7d2440e462b1d1fb838fe.exe 90 PID 1032 wrote to memory of 2396 1032 16320c05d8b7d2440e462b1d1fb838fe.exe 90 PID 2396 wrote to memory of 2508 2396 ecfcabfbddij.exe 91 PID 2396 wrote to memory of 2508 2396 ecfcabfbddij.exe 91 PID 2396 wrote to memory of 2508 2396 ecfcabfbddij.exe 91 PID 2396 wrote to memory of 4428 2396 ecfcabfbddij.exe 95 PID 2396 wrote to memory of 4428 2396 ecfcabfbddij.exe 95 PID 2396 wrote to memory of 4428 2396 ecfcabfbddij.exe 95 PID 2396 wrote to memory of 4460 2396 ecfcabfbddij.exe 97 PID 2396 wrote to memory of 4460 2396 ecfcabfbddij.exe 97 PID 2396 wrote to memory of 4460 2396 ecfcabfbddij.exe 97 PID 2396 wrote to memory of 2924 2396 ecfcabfbddij.exe 99 PID 2396 wrote to memory of 2924 2396 ecfcabfbddij.exe 99 PID 2396 wrote to memory of 2924 2396 ecfcabfbddij.exe 99 PID 2396 wrote to memory of 1712 2396 ecfcabfbddij.exe 101 PID 2396 wrote to memory of 1712 2396 ecfcabfbddij.exe 101 PID 2396 wrote to memory of 1712 2396 ecfcabfbddij.exe 101
Processes
-
C:\Users\Admin\AppData\Local\Temp\16320c05d8b7d2440e462b1d1fb838fe.exe"C:\Users\Admin\AppData\Local\Temp\16320c05d8b7d2440e462b1d1fb838fe.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1032 -
C:\Users\Admin\AppData\Local\Temp\ecfcabfbddij.exeC:\Users\Admin\AppData\Local\Temp\ecfcabfbddij.exe 6)1)2)6)6)2)3)8)3)6)1 KU9HPjcvMCg0LR8pUlM8SkdBNS0aLkhEUlFJUEhBQTcvGi5CQ01SRjw6KzcvNTEaKUFGPDoqHylPUEk+U0BMXENDNzIxLC8eLEtCTFU/UV1PTEo6YHFubzQuLW1sdCs8Qk1KJ1NNSic/TUgrQ01ATh4pPUpGO0hDQzczUisqVGdBbG91Gi5CKzdMUkU/P1EaLkIsNysuGCw+MjcsLxopQjE1KisfKUMzNycvHSdNTE4+VEFOWU5PQVM7QlM8HilKUEw8Uj1TWURTRjs7HSdNTE4+VEFOWUw+RUI3HylEVj9ZU09EOhouP1dDWT1LQURGSEQ3Hy1CSVFRVz9MTlFSQ0w3MB0nUUJASEpXSU9dUkpJNx8pVUs3LB4sPFArPBouUE9IUkZFQllWP0tBSUdDRkU+QURPUUo3Gi1GS1xMVEhTR0c/O3Fqcl8fKVFDTk9QS0FLQV5PUkNMWUI+UVA3MRouRkM+Q1U1LhouQ1JdPlNMPkVGPV4/TUFMU05RPUE3ZVtrcV8aLUFHVEhLSUBCWUNOOjA1KDAyMSwtLCwyGCxOSEdEOysuMDYxNiwzMDQeKT5NVEZJSUA+XlJDR0M6LCwsNCkxLisvKDUyLTE5LjQoSkceLE0+N0xpeWdmZl8iKmMvLSoqJlFjbGFndG0qSFMpMCgvIitfJVZJVjQuIyk+aG1mZFFkYEVjciIqYy8yMS0xMCUmSEBRR0sfMWElZmdoXShBZF1qbSMlQWVqbGdkHzFkLiwsLSYvLTArLTcqJVFeXl5saB8xZC8tNSsrMxouT1FKN2JycWgiLWAfMWQfLGRkXXEoLysxMmAoZ2tebB8xYFFzaE5nal1BaXZoa21bXkteZl5hZGxeYl9qamxxIixlKzMwMzM3LywzLSQsZS8uLDc2MS8uNS0kMGArMi8xNjMxLjUxHy1kNTE0LDguNTYtMTdVKXVuTT12NVtkU3JEQF11RWc3Y0hBLXFJTkxtR1VLKkpBPW1HUjxsTWNlYlU7ZCxTP3dISj4vTUAuampTRXZqU0U+K0lARGtJLi9iT2opcF1oPGdXQWJqS0toYGRBQXFIc20=2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2396 -
C:\Windows\SysWOW64\Wbem\wmic.exewmic /output:C:\Users\Admin\AppData\Local\Temp\81703716292.txt bios get serialnumber3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2508
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic /output:C:\Users\Admin\AppData\Local\Temp\81703716292.txt bios get version3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4428
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic /output:C:\Users\Admin\AppData\Local\Temp\81703716292.txt bios get version3⤵PID:4460
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic /output:C:\Users\Admin\AppData\Local\Temp\81703716292.txt bios get version3⤵PID:2924
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic /output:C:\Users\Admin\AppData\Local\Temp\81703716292.txt bios get version3⤵PID:1712
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2396 -s 8523⤵
- Program crash
PID:3108
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2396 -ip 23961⤵PID:2304
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
66B
MD59025468f85256136f923096b01375964
SHA17fcd174999661594fa5f88890ffb195e9858cc52
SHA256d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df
SHA51292cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51
-
Filesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
Filesize
58B
MD5dd876faf0fd44a5fab3e82368e2e8b15
SHA101b04083fa278dda3a81705ca5abcfee487a3c90
SHA2565602490a82bcacec8797d25cbb6f643fc9e69f89a2f0e6ec1e8d1f568e77a6b9
SHA512e03d1def5b7fb0ed01a414cead199229ec0e153ff831d3ff5dd36c320572084c56a5e1369c753f868c855455758c0d308941b6187c348051419bd937d014cb8b
-
Filesize
354KB
MD56443d7bf8dd7fb4423c05491c2dd55b2
SHA13d0b05d807d008f067d573547d3688cc12ed199b
SHA2563ab019591c547591220d41eb54700915ce611c1525bd37a49f65ae018ba68e3e
SHA512f98ac27a7379a18c3db1f87cf368cefe38a8f1f15ad33433bf5038a8a3eaf6cef57f00b1f821bd6764a38a924c5d25b3173225d4832d928b26bbaa0b8941a30f
-
Filesize
22KB
MD5db1ee0ab458ebca71e819baf24f423ba
SHA15481a9323c714ec94dda78755a5d35abda969f03
SHA2569c69aa81e1b15433ad6cdfa82c4bff7be587070fd33c5189f32d3499a2aae1aa
SHA512493f9ce9c6f604a381518e90747bb3d2c766f46331d33d46d45d8b89d7d7284dec703a57d26bfbd4e477fe7e6d4277e5666c53ca22d3cf8f420c17c404216f7f
-
Filesize
121KB
MD5daeaf465e2583962efc14f694599be9a
SHA170d34e6c4a875b5d648409203732b4ae4cde17c9
SHA256c381de850bddd84c5fb99c84d47a8d86d40146f8242d343db6579b7468d720bb
SHA5128d349759236e77b402f30581bc044f474d34b889a522261065f8943fbd9f997b45494249f523021e28b3bc41409414f9f985347b76adfc58445bae4ca86a97a1
-
Filesize
40KB
MD55f13dbc378792f23e598079fc1e4422b
SHA15813c05802f15930aa860b8363af2b58426c8adf
SHA2566e87ecb7f62039fbb6e7676422d1a5e75a32b90dde6865dcb68ee658ba8df61d
SHA5129270635a5294482f49e0292e26d45dd103b85fe27dc163d44531b095c5f9dbde6b904adaf1a888ba3c112a094380394713c796f5195b2566a20f00b42b6578e5