Analysis

max time kernel: 0s
max time network: 145s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/12/2023, 18:05
Behavioral task: behavioral1
Sample: 3334cb43b69c61d33289b4cf8a5e16f6.exe
Resource: win7-20231215-en
6 signatures, 150 seconds

Behavioral task: behavioral2
Sample: 3334cb43b69c61d33289b4cf8a5e16f6.exe
Resource: win10v2004-20231215-en
5 signatures, 150 seconds
General

Target: 3334cb43b69c61d33289b4cf8a5e16f6.exe
Size: 1.7MB
MD5: 3334cb43b69c61d33289b4cf8a5e16f6
SHA1: f70b0becd639338a427f6424a2272178f58dae53
SHA256: 34f17c9cdba6e3bb9340628e32c2fc2e7f65223530549d32fa1ee1b5dc184a68
SHA512: e33d7f0325781eb7a6cad0fec7a4655620f21464215bde52fa8f7bd00632d26724940891d66dcf617a1ee43f4b73077d950da400c28df0f895014a384fd0d8ee
SSDEEP: 49152:610vJAyGlATIXdM7RQTE7JBKqf+Fj8McTFgIEIv:hJAyGCTIXdMiY7+qGB8DgIEIv
Score: 7/10
Malware Config
Signatures

Executes dropped EXE (1 IoCs)
  pid   Process
  2568  sg.tmp

  resource                                                                     yara_rule
  behavioral2/memory/4652-0-0x0000000000400000-0x0000000000545000-memory.dmp   upx
  behavioral2/memory/4652-44-0x0000000000400000-0x0000000000545000-memory.dmp  upx

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken (13 IoCs)
  description                        pid   Process
  Token: SeBackupPrivilege           4652  3334cb43b69c61d33289b4cf8a5e16f6.exe
  Token: SeRestorePrivilege          4652  3334cb43b69c61d33289b4cf8a5e16f6.exe
  Token: 33                          4652  3334cb43b69c61d33289b4cf8a5e16f6.exe
  Token: SeIncBasePriorityPrivilege  4652  3334cb43b69c61d33289b4cf8a5e16f6.exe
  Token: SeCreateGlobalPrivilege     4652  3334cb43b69c61d33289b4cf8a5e16f6.exe
  Token: 33                          4652  3334cb43b69c61d33289b4cf8a5e16f6.exe
  Token: SeIncBasePriorityPrivilege  4652  3334cb43b69c61d33289b4cf8a5e16f6.exe
  Token: 33                          4652  3334cb43b69c61d33289b4cf8a5e16f6.exe
  Token: SeIncBasePriorityPrivilege  4652  3334cb43b69c61d33289b4cf8a5e16f6.exe
  Token: SeRestorePrivilege          2568  sg.tmp
  Token: 35                          2568  sg.tmp
  Token: SeSecurityPrivilege         2568  sg.tmp
  Token: SeSecurityPrivilege         2568  sg.tmp

Suspicious use of WriteProcessMemory (5 IoCs)
  description                       pid   Process                               procid_target
  PID 4652 wrote to memory of 1924  4652  3334cb43b69c61d33289b4cf8a5e16f6.exe  14
  PID 4652 wrote to memory of 1924  4652  3334cb43b69c61d33289b4cf8a5e16f6.exe  14
  PID 4652 wrote to memory of 2568  4652  3334cb43b69c61d33289b4cf8a5e16f6.exe  20
  PID 4652 wrote to memory of 2568  4652  3334cb43b69c61d33289b4cf8a5e16f6.exe  20
  PID 4652 wrote to memory of 2568  4652  3334cb43b69c61d33289b4cf8a5e16f6.exe  20
Processes

C:\Users\Admin\AppData\Local\Temp\3334cb43b69c61d33289b4cf8a5e16f6.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\3334cb43b69c61d33289b4cf8a5e16f6.exe"
  PID: 4652
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SYSTEM32\cmd.exe
    command line: cmd.exe /c set
    PID: 1924

  C:\Users\Admin\AppData\Local\Temp\~523951933799082400\StopUpdates10.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\~523951933799082400\StopUpdates10.exe"
    PID: 2432

  C:\Users\Admin\AppData\Local\Temp\~6256502254128069468~\sg.tmp
    command line: 7zG_exe x "C:\Users\Admin\AppData\Local\Temp\3334cb43b69c61d33289b4cf8a5e16f6.exe" -y -aoa -o"C:\Users\Admin\AppData\Local\Temp\~523951933799082400"
    PID: 2568
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken