Analysis
- max time kernel: 148s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20231222-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29/12/2023, 11:23
Behavioral task: behavioral1
- Sample: 4d094492b63588e1654d6a09d2a45dd6ed8173cfda8430f5ae075902863e9df9.exe
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: 4d094492b63588e1654d6a09d2a45dd6ed8173cfda8430f5ae075902863e9df9.exe
- Resource: win10v2004-20231222-en
General
- Target: 4d094492b63588e1654d6a09d2a45dd6ed8173cfda8430f5ae075902863e9df9.exe
- Size: 536KB
- MD5: 50ca59b1337fd05ac7e4801d1f0615b4
- SHA1: 12a223fdf7fdbcfde6043c29b61df08c2381b607
- SHA256: 4d094492b63588e1654d6a09d2a45dd6ed8173cfda8430f5ae075902863e9df9
- SHA512: 3c3b9c28b8335ad4b25174c42bd83f0fc35de76da992f679f1364be72d7199eb34ce4368227399835c488674850dfde51ebb27ff53350d9259c9715039aa354f
- SSDEEP: 12288:rhf0Bs9bDDq9huzJgIJzgXaEw9Stu/aB9a/Okx2LIa:rdQyDLzJTveuK0/Okx2LF
Malware Config
Signatures
yara_rule matches (rule: upx)
- behavioral2/memory/4696-0-0x0000000000890000-0x0000000000992000-memory.dmp
- behavioral2/memory/4696-14-0x0000000000890000-0x0000000000992000-memory.dmp
- behavioral2/memory/4696-25-0x0000000000890000-0x0000000000992000-memory.dmp
- behavioral2/memory/4696-26-0x0000000000890000-0x0000000000992000-memory.dmp
- behavioral2/memory/4696-32-0x0000000000890000-0x0000000000992000-memory.dmp
- behavioral2/memory/4696-44-0x0000000000890000-0x0000000000992000-memory.dmp
- behavioral2/memory/4696-68-0x0000000000890000-0x0000000000992000-memory.dmp
Unexpected DNS network traffic destination (4 IoCs)
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
- Destination IP 223.5.5.5
- Destination IP 114.114.114.114
- Destination IP 114.114.114.114
- Destination IP 223.5.5.5
Drops file in Windows directory (1 IoC)
- File opened for modification: C:\Windows\5065b0 (process: 4d094492b63588e1654d6a09d2a45dd6ed8173cfda8430f5ae075902863e9df9.exe)
Suspicious behavior: EnumeratesProcesses (12 IoCs)
- PID 4696, 4d094492b63588e1654d6a09d2a45dd6ed8173cfda8430f5ae075902863e9df9.exe (8 entries)
- PID 3420, Explorer.EXE (4 entries)
Suspicious use of AdjustPrivilegeToken (5 IoCs)
- Token: SeDebugPrivilege, PID 4696, 4d094492b63588e1654d6a09d2a45dd6ed8173cfda8430f5ae075902863e9df9.exe
- Token: SeTcbPrivilege, PID 4696, 4d094492b63588e1654d6a09d2a45dd6ed8173cfda8430f5ae075902863e9df9.exe
- Token: SeDebugPrivilege, PID 4696, 4d094492b63588e1654d6a09d2a45dd6ed8173cfda8430f5ae075902863e9df9.exe
- Token: SeDebugPrivilege, PID 3420, Explorer.EXE
- Token: SeTcbPrivilege, PID 3420, Explorer.EXE
Suspicious use of WriteProcessMemory (3 IoCs)
- PID 4696 wrote to memory of 3420; PID 4696, 4d094492b63588e1654d6a09d2a45dd6ed8173cfda8430f5ae075902863e9df9.exe, procid_target 76 (3 entries)
Processes
- C:\Windows\Explorer.EXE (PID 3420), command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\4d094492b63588e1654d6a09d2a45dd6ed8173cfda8430f5ae075902863e9df9.exe (PID 4696), command line: "C:\Users\Admin\AppData\Local\Temp\4d094492b63588e1654d6a09d2a45dd6ed8173cfda8430f5ae075902863e9df9.exe"
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
Downloads
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046
  - Filesize: 1KB
  - MD5: a1f04d597102dcff7d4a7d15e7669f95
  - SHA1: 0c2cb6fcc09da00eafe14ca5500b6da0b1c639a3
  - SHA256: 3fe2dd34fffba51db94882aa52161da94cd2648057ad19b68606221b59d9c42f
  - SHA512: e0dca116d5b6d0d1c1899f34fc4187910daf9bc8b6583265861385e0d6d3237c1eb98eda2432d6993bf9f167425fea08f5a6c835d78508ca6412eb67ae82eb57
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\81B9B36F9ABC4DA631A4713EE66FAEC6_D440AC65793A7BBE167BE882B99F465E
  - Filesize: 938B
  - MD5: c58ff9ddccba70f310043ed3be885d8a
  - SHA1: 7bce851c92eacdd087b539e94313b4ed5c2dd92f
  - SHA256: f411dc71a46c03518d5a74d9349712a0d369173d925a9bc2871d34f3bb2a3235
  - SHA512: 7b08e836d3a2d1e6ef82429c8634ea86ea6dc8bd041db387c10102ecd120f138872db3cdcbc5429261ce3e17e32402e336a9fd1dc2d0bbf41b6213a13ab3dc3f
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046
  - Filesize: 502B
  - MD5: a794bf4a852f1cbffc3cb78c84ed81c8
  - SHA1: c04e7eddb80ab0b3c6e0fa36657ed0cc6f4ddc25
  - SHA256: 6cd5aab293de80be79c37ddca2e51ddb5c169ea7aeca22121a9fbb6752572f9a
  - SHA512: a5c44993170f23fb2be440cf562e8b0f1d6436dff0ab3458cb9c1d9895e96ce9943bda864666462d51582ce88b3bdcc027af68cf35ff78147f3629a8d8279d01
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\81B9B36F9ABC4DA631A4713EE66FAEC6_D440AC65793A7BBE167BE882B99F465E
  - Filesize: 520B
  - MD5: 26afb70b12bbcde81d7087e8c527e7ab
  - SHA1: 6551c38ca2ce47c88e31a707e5f2390fc589f19b
  - SHA256: 5cdf774dec9eaa5d56d3172151f8750ea2fe241f10a6c10ab40ec8be4966ade6
  - SHA512: 6cc5d324ba717ddf0bb68002a1d48f3bed6980a35568c3ba82faa761051300505c10921898fb5b18aa643cc4cecd6acd622423e7777f5f0129a4e8374b2c3e8d