Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    149s
  • max time network
    199s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29/12/2023, 07:33

General

  • Target

    70472aa587951ff40c598b3daa4aff1897ef9ece58662e946f42fa2d31650306.exe

  • Size

    3.1MB

  • MD5

    056ff71fcb650295de4af466938f602c

  • SHA1

    37b774f9240b2e857105cf34d27fd39d59667528

  • SHA256

    70472aa587951ff40c598b3daa4aff1897ef9ece58662e946f42fa2d31650306

  • SHA512

    84f9d2f1c9c3f10f89709babbc197ca66e3a9d0c4703723fab86e4f5e78de7bf69ddddf08b3ddb098dad67a21de4d03ac32a4b97d63cc62c57bf688fe00391a0

  • SSDEEP

    49152:E3WKw+1y/8nlKh5jZg/7DaxAfovAF6RKcCx+29uWV9D489MM7rbI:ED1yWliUDmAAvAF6RKj91PM+y

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Kills process with taskkill 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\70472aa587951ff40c598b3daa4aff1897ef9ece58662e946f42fa2d31650306.exe
    "C:\Users\Admin\AppData\Local\Temp\70472aa587951ff40c598b3daa4aff1897ef9ece58662e946f42fa2d31650306.exe"
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3464
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\temp.bat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4512
      • C:\Windows\SysWOW64\taskkill.exe
        TASKKILL /F /PID 3464
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4900
      • C:\Users\Admin\AppData\Local\Temp\NSUDOLC.exe
        NSUDOLC /U:S /P:E C:\Users\Admin\AppData\Local\Temp\70472aa587951ff40c598b3daa4aff1897ef9ece58662e946f42fa2d31650306.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:368

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\NSUDOLC.exe

    Filesize

    99KB

    MD5

    0ac3e9d59309f599403ac51615bfe41b

    SHA1

    9041c5562558cb58ac98bd18de3c0ce370a59e1f

    SHA256

    6d5e116c2af78b5585602d91bca3a436a0350630fc7c08412c0cafe55199547c

    SHA512

    e5de92202f4d3ecaff8bd65c99cbbc98c2deaafafe1620be7169d0fed467bfa11ce727fa78f686166758ee3df0b040a2643dbd5a46ee74cc679e647ebdad6910

  • C:\Users\Admin\AppData\Local\Temp\temp.bat

    Filesize

    145B

    MD5

    9600dc06a07682de1a268554f4383f7a

    SHA1

    72516c73d935b4389497de5fed103d142b5e1595

    SHA256

    e616d9ac1ed382632b893a38cb57c4adca035273b80d039873b285e7a65fce38

    SHA512

    9582b704e42685532f2cf621b4028d5d90587272efa425551fd75692388f91eb7b699bf8312ca4ae78fd2faed16077fb1ebc5bbc5c3583379ba7a873bae19b7c

  • memory/3464-0-0x0000000000400000-0x000000000076D000-memory.dmp

    Filesize

    3.4MB

  • memory/3464-7-0x0000000000400000-0x000000000076D000-memory.dmp

    Filesize

    3.4MB