Analysis
- max time kernel: 146s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26/12/2023, 00:46
Static task: static1
Behavioral task: behavioral1
- Sample: 475e179c47be2b99f5a7e648fa93c37f.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 475e179c47be2b99f5a7e648fa93c37f.exe
- Resource: win10v2004-20231215-en
General
- Target: 475e179c47be2b99f5a7e648fa93c37f.exe
- Size: 64KB
- MD5: 475e179c47be2b99f5a7e648fa93c37f
- SHA1: b3c174b36797a997fbde7c510aab2e75ba08c180
- SHA256: 70cfd9c937d95a62f8cd555873a02eb4c86005382c05b554b3719c2939bacad5
- SHA512: 89ddb8f6d85118a0c2db7826f59594dd72b4c2ce98290994dd42e73e69accbd7fceb1997a07864e95c11fb3c337edc8edbe2dcaa12de8842c9ed705800e636a0
- SSDEEP: 768:gIsnfK9Oqn5HZJiXyS2+MscZsGCeIwrvtQ1j9l8/nxNY66xnH:MfK/55JvxD6Gen1jYxG66xH
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid   Process
  3016  GetTran.exe

- Drops file in System32 directory (5 IoCs)
  description                   ioc                                       Process
  File opened for modification  C:\Windows\SysWOW64\zydxc.dat             475e179c47be2b99f5a7e648fa93c37f.exe
  File opened for modification  C:\Windows\SysWOW64\zydxc2.dat            475e179c47be2b99f5a7e648fa93c37f.exe
  File created                  C:\Windows\SysWOW64\zydxc.dat             475e179c47be2b99f5a7e648fa93c37f.exe
  File created                  C:\Windows\SysWOW64\zydxc2.dat            475e179c47be2b99f5a7e648fa93c37f.exe
  File created                  C:\windows\SysWOW64\WindowsCad32.exe      475e179c47be2b99f5a7e648fa93c37f.exe

- Drops file in Windows directory (1 IoC)
  description   ioc                          Process
  File created  \??\c:\Windows\GetTran.exe   475e179c47be2b99f5a7e648fa93c37f.exe

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description                         pid   Process
  Token: SeIncBasePriorityPrivilege   4556  475e179c47be2b99f5a7e648fa93c37f.exe

- Suspicious use of WriteProcessMemory (6 IoCs)
  description                       pid   Process                               procid_target
  PID 4556 wrote to memory of 3016  4556  475e179c47be2b99f5a7e648fa93c37f.exe  18
  PID 4556 wrote to memory of 3016  4556  475e179c47be2b99f5a7e648fa93c37f.exe  18
  PID 4556 wrote to memory of 3016  4556  475e179c47be2b99f5a7e648fa93c37f.exe  18
  PID 4556 wrote to memory of 4864  4556  475e179c47be2b99f5a7e648fa93c37f.exe  92
  PID 4556 wrote to memory of 4864  4556  475e179c47be2b99f5a7e648fa93c37f.exe  92
  PID 4556 wrote to memory of 4864  4556  475e179c47be2b99f5a7e648fa93c37f.exe  92
Processes
- C:\Users\Admin\AppData\Local\Temp\475e179c47be2b99f5a7e648fa93c37f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\475e179c47be2b99f5a7e648fa93c37f.exe"
  PID: 4556
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  - \??\c:\Windows\GetTran.exe
    Command line: c:\Windows\GetTran.exe
    PID: 3016
    - Executes dropped EXE

  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\475E17~1.EXE > nul
    PID: 4864
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 44KB
  MD5: 5381167509544853bd2c6302d532b292
  SHA1: 5e4335e60f04f37e0a74bee0447822d95e6bbf57
  SHA256: 06fb19cf6bf528e15f4b59fc9be36215037a12205ce8fa128873d5555f6fb017
  SHA512: 132576e3231e589902736cf31d0699af9b2900031822c649431779e32bb2da78eba508db5936a77439df7216eb4c981d19d8ad327c2105c90283b6550839d4c5

- Filesize: 19B
  MD5: bfa92f1fdab95ce14fda01cef503034d
  SHA1: 3e47b39c978dc1167d490f976e5e06dc8db04279
  SHA256: 8cb610a280dbdcbc2cc7b24e3488354750dc95c8f1dd292a084c660f28efec96
  SHA512: 302e0565b91d884fc75a2c16e6712b155333cd7bd11b76be70585ee0cb1d8833d0583cd97137ea37ae6396a913b739887a8bbbfa0c5c94da84cd42eb3c3efad8