Analysis
max time kernel: 0s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29/12/2023, 23:33
Static task: static1
Behavioral task: behavioral1
  Sample: 070e3ff107ca0e216cc4c230de731ad7.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 070e3ff107ca0e216cc4c230de731ad7.exe
  Resource: win10v2004-20231222-en
General
Target: 070e3ff107ca0e216cc4c230de731ad7.exe
Size: 420KB
MD5: 070e3ff107ca0e216cc4c230de731ad7
SHA1: 15e4a8ef29dcbb85c33eb185aecfa4e301941924
SHA256: 24996f3212ef5245e578102e53bfe3783fc2348ec9cd9568d3c57b7c3b533dff
SHA512: 35fc2923469bd6844caf59b01c6c2cebfde1360d04b57eeab1afa6cf3955e01577e8000a0a9d0ca9ea2089c2c610a3ed2a4e8e670aa1f3b3e377833269239583
SSDEEP: 12288:4FaKZ88egt1IqqFXb3MJzttF4Ahmykdf:4FaKq+TqJb8JBtaPys
Malware Config
Signatures
- Loads dropped DLL (4 IoCs)
  pid   Process
  3316  070e3ff107ca0e216cc4c230de731ad7.exe
  3316  070e3ff107ca0e216cc4c230de731ad7.exe
  3316  070e3ff107ca0e216cc4c230de731ad7.exe
  3316  070e3ff107ca0e216cc4c230de731ad7.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description                         pid   Process
  Token: SeIncreaseQuotaPrivilege     5056  WMIC.exe
  Token: SeSecurityPrivilege          5056  WMIC.exe
  Token: SeTakeOwnershipPrivilege     5056  WMIC.exe
  Token: SeLoadDriverPrivilege        5056  WMIC.exe
  Token: SeSystemProfilePrivilege     5056  WMIC.exe
  Token: SeSystemtimePrivilege        5056  WMIC.exe
  Token: SeProfSingleProcessPrivilege 5056  WMIC.exe
  Token: SeIncBasePriorityPrivilege   5056  WMIC.exe
  Token: SeCreatePagefilePrivilege    5056  WMIC.exe
  Token: SeBackupPrivilege            5056  WMIC.exe
  Token: SeRestorePrivilege           5056  WMIC.exe
  Token: SeShutdownPrivilege          5056  WMIC.exe
  Token: SeDebugPrivilege             5056  WMIC.exe
  Token: SeSystemEnvironmentPrivilege 5056  WMIC.exe
  Token: SeRemoteShutdownPrivilege    5056  WMIC.exe
  Token: SeUndockPrivilege            5056  WMIC.exe
  Token: SeManageVolumePrivilege      5056  WMIC.exe
  Token: 33                           5056  WMIC.exe
  Token: 34                           5056  WMIC.exe
  Token: 35                           5056  WMIC.exe
  Token: 36                           5056  WMIC.exe
  Token: SeIncreaseQuotaPrivilege     5056  WMIC.exe
  Token: SeSecurityPrivilege          5056  WMIC.exe
  Token: SeTakeOwnershipPrivilege     5056  WMIC.exe
  Token: SeLoadDriverPrivilege        5056  WMIC.exe
  Token: SeSystemProfilePrivilege     5056  WMIC.exe
  Token: SeSystemtimePrivilege        5056  WMIC.exe
  Token: SeProfSingleProcessPrivilege 5056  WMIC.exe
  Token: SeIncBasePriorityPrivilege   5056  WMIC.exe
  Token: SeCreatePagefilePrivilege    5056  WMIC.exe
  Token: SeBackupPrivilege            5056  WMIC.exe
  Token: SeRestorePrivilege           5056  WMIC.exe
  Token: SeShutdownPrivilege          5056  WMIC.exe
  Token: SeDebugPrivilege             5056  WMIC.exe
  Token: SeSystemEnvironmentPrivilege 5056  WMIC.exe
  Token: SeRemoteShutdownPrivilege    5056  WMIC.exe
  Token: SeUndockPrivilege            5056  WMIC.exe
  Token: SeManageVolumePrivilege      5056  WMIC.exe
  Token: 33                           5056  WMIC.exe
  Token: 34                           5056  WMIC.exe
  Token: 35                           5056  WMIC.exe
  Token: 36                           5056  WMIC.exe
  Token: SeIncreaseQuotaPrivilege     4488  WMIC.exe
  Token: SeSecurityPrivilege          4488  WMIC.exe
  Token: SeTakeOwnershipPrivilege     4488  WMIC.exe
  Token: SeLoadDriverPrivilege        4488  WMIC.exe
  Token: SeSystemProfilePrivilege     4488  WMIC.exe
  Token: SeSystemtimePrivilege        4488  WMIC.exe
  Token: SeProfSingleProcessPrivilege 4488  WMIC.exe
  Token: SeIncBasePriorityPrivilege   4488  WMIC.exe
  Token: SeCreatePagefilePrivilege    4488  WMIC.exe
  Token: SeBackupPrivilege            4488  WMIC.exe
  Token: SeRestorePrivilege           4488  WMIC.exe
  Token: SeShutdownPrivilege          4488  WMIC.exe
  Token: SeDebugPrivilege             4488  WMIC.exe
  Token: SeSystemEnvironmentPrivilege 4488  WMIC.exe
  Token: SeRemoteShutdownPrivilege    4488  WMIC.exe
  Token: SeUndockPrivilege            4488  WMIC.exe
  Token: SeManageVolumePrivilege      4488  WMIC.exe
  Token: 33                           4488  WMIC.exe
  Token: 34                           4488  WMIC.exe
  Token: 35                           4488  WMIC.exe
  Token: 36                           4488  WMIC.exe
  Token: SeIncreaseQuotaPrivilege     4488  WMIC.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  description                        pid   Process                               procid_target
  PID 3316 wrote to memory of 5056   3316  070e3ff107ca0e216cc4c230de731ad7.exe  34
  PID 3316 wrote to memory of 5056   3316  070e3ff107ca0e216cc4c230de731ad7.exe  34
  PID 3316 wrote to memory of 5056   3316  070e3ff107ca0e216cc4c230de731ad7.exe  34
  PID 3316 wrote to memory of 4488   3316  070e3ff107ca0e216cc4c230de731ad7.exe  25
  PID 3316 wrote to memory of 4488   3316  070e3ff107ca0e216cc4c230de731ad7.exe  25
  PID 3316 wrote to memory of 4488   3316  070e3ff107ca0e216cc4c230de731ad7.exe  25
  PID 3316 wrote to memory of 2584   3316  070e3ff107ca0e216cc4c230de731ad7.exe  27
  PID 3316 wrote to memory of 2584   3316  070e3ff107ca0e216cc4c230de731ad7.exe  27
  PID 3316 wrote to memory of 2584   3316  070e3ff107ca0e216cc4c230de731ad7.exe  27
  PID 3316 wrote to memory of 3952   3316  070e3ff107ca0e216cc4c230de731ad7.exe  31
  PID 3316 wrote to memory of 3952   3316  070e3ff107ca0e216cc4c230de731ad7.exe  31
  PID 3316 wrote to memory of 3952   3316  070e3ff107ca0e216cc4c230de731ad7.exe  31
Processes
C:\Users\Admin\AppData\Local\Temp\070e3ff107ca0e216cc4c230de731ad7.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\070e3ff107ca0e216cc4c230de731ad7.exe"
  PID: 3316
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  Child processes:
    C:\Windows\SysWOW64\Wbem\WMIC.exe
      Command line: WMIC bios Get SerialNumber /FORMAT:textvaluelist.xsl
      PID: 4488
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\Wbem\WMIC.exe
      Command line: WMIC bios Get Version /FORMAT:textvaluelist.xsl
      PID: 2584
    C:\Users\Admin\AppData\Local\Temp\nsy43A2.tmp\7za.exe
      Command line: 7za.exe e -y -p"62c4909d61d29db4db73faba6ad2ef9f" [RANDOM_STRING].7z
      PID: 1368
    C:\Windows\SysWOW64\Wbem\WMIC.exe
      Command line: WMIC csproduct Get Name /FORMAT:textvaluelist.xsl
      PID: 3952
    C:\Windows\SysWOW64\Wbem\WMIC.exe
      Command line: WMIC csproduct Get UUID /FORMAT:textvaluelist.xsl
      PID: 5056
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 56KB
  MD5: e0c373bf0f4cab9c2f372c636b43dfa3
  SHA1: d51778104bfb17ad7eb2b2e45306c86dc2c1d346
  SHA256: 7eb80be289a8533a48aa21842f39f3445ab647d03110d4a247d9c7772a3ec105
  SHA512: 542393b6b85a8bf657cc5ce28902c80949d8d5eee035ed7b0eec7ffb03db03ed306d6b62c9d8c3630bc5e6a5063b5d884f896420b0cd3c55f98cfb895940a474
- Filesize: 14KB
  MD5: a99eac529415ac2f522803306c26343e
  SHA1: 8cddb661b2d265cc95827e2020ba0ae4b708d6bc
  SHA256: b6937db7e68d36ebb6d7711b31975a15cc97403d2eddcece1a9e1fe5dc15f7e1
  SHA512: d0e63058154bd26cad1b976f366b43959c52dc4a5138418b668f8e8d6b898ece48e899d27fac53c5b52df407684c36736ddde415c023989f92aaa46e84e6bd9f
- Filesize: 121KB
  MD5: 62e00c02e8ac84b65a4629b8f6dc1658
  SHA1: e18abbd31c1021075db9bb22653aa460f1ff1e57
  SHA256: 740ee9f04356316d6425638affc9cc7bf91e4ed6053c7a4ab5a0355ba344f48e
  SHA512: 8b2862b0498716d8f8f0ef07606ae65c283bcf315ca43e312eb006ecfc1b8099a3c13bed1b18916e5e5ce8e13318d1a7a5196ed60729dcd91c1524d4b783c4ec
- Filesize: 62KB
  MD5: 8670feacd1ac034a60ef69148e0a6fe0
  SHA1: f80ca303aa2057454bc9a16d0c3d607cf2f21c61
  SHA256: 1f25b16896bd1c415cb8e510114cc618852f91337d94983ce3d2ef490c1c0f0a
  SHA512: f6a4cbc82a73f056d18fc82666123b147adcfb174312a42066a2ec423b0616f5c2184cf1b5326f9cd448ef0d7a06dc4ed7e94b5f8b7d2f8eddd51275803fd813
- Filesize: 6KB
  MD5: acc2b699edfea5bf5aae45aba3a41e96
  SHA1: d2accf4d494e43ceb2cff69abe4dd17147d29cc2
  SHA256: 168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e
  SHA512: e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe