Analysis
- max time kernel: 147s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26/12/2023, 14:57
Static task: static1
Behavioral task: behavioral1
  Sample: 774d1d8c187293d9c17e9b63c6f5b0fb.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 774d1d8c187293d9c17e9b63c6f5b0fb.exe
  Resource: win10v2004-20231215-en
General
- Target: 774d1d8c187293d9c17e9b63c6f5b0fb.exe
- Size: 56KB
- MD5: 774d1d8c187293d9c17e9b63c6f5b0fb
- SHA1: 511f2f1edd7b73c01d1ac66189dcb6196ff09123
- SHA256: 77ebaecf2f32c4685d51931563e628841b0334c0d351d5b38d9b29b4f0f04066
- SHA512: 5ca5962117489bdf8edb70b64faf887a745437ef10d875a55e92c2a43701433b4f1674aabdaddd70cdd25981392c5095c8b3192fb4f8b76d9d00f8377fa2c385
- SSDEEP: 768:PfhXhwYuTmoKY73ROuiEGMTRO9xmcEZc77CZIdbGN5Gd:PfpKYuK83wpE9Ex3TKZiX
Malware Config
Signatures
- Blocklisted process makes network request (1 IoC)
  flow: 11 | pid: 3588 | Process: rundll32.exe
- Drops file in Drivers directory (1 IoC)
  description: File opened for modification | ioc: C:\Windows\system32\drivers\etc\hosts | Process: rundll32.exe
- Loads dropped DLL (1 IoC)
  pid: 3588 | Process: rundll32.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str) | ioc: \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2283880F-EF87-4aac-8EBD-C9BCC8494AF5_43 = "rundll32.exe \"C:\\Users\\Admin\\AppData\\Roaming\\2283880F-EF87-4aac-8EBD-C9BCC8494AF5_43.avi\", start" | Process: rundll32.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description: Token: SeDebugPrivilege | pid: 3588 | Process: rundll32.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description: PID 4932 wrote to memory of 3588 | pid: 4932 | Process: 774d1d8c187293d9c17e9b63c6f5b0fb.exe | procid_target: 92
  description: PID 4932 wrote to memory of 3588 | pid: 4932 | Process: 774d1d8c187293d9c17e9b63c6f5b0fb.exe | procid_target: 92
  description: PID 4932 wrote to memory of 3588 | pid: 4932 | Process: 774d1d8c187293d9c17e9b63c6f5b0fb.exe | procid_target: 92
Processes
- C:\Users\Admin\AppData\Local\Temp\774d1d8c187293d9c17e9b63c6f5b0fb.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\774d1d8c187293d9c17e9b63c6f5b0fb.exe"
  PID: 4932
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (child process)
    Command line: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\ins518B.tmp", start first worker
    PID: 3588
    - Blocklisted process makes network request
    - Drops file in Drivers directory
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 33KB
  MD5: 785037329f4826c295874a0e20763f3c
  SHA1: 68228519e8fe8cc09d07b7521a450aee6981939f
  SHA256: d0bd35bcbedb5416b4f3b003f448815eee21f8ae83d4f4762c19a86631040598
  SHA512: baf7c760ee43dab8e9878c2d7e924a0b699eedf98c64fd1dfe6ec6cb9bfa4914231872cd0f1fe5cb89c0ae918562a85e29457e36fbb2b8d4f4e1cf706e4eb201