Analysis
max time kernel: 142s
max time network: 133s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30/12/2023, 23:07
Static task: static1
Behavioral task: behavioral1
  Sample: 1f734d29cf2993ec66e579ca90cb003c.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 1f734d29cf2993ec66e579ca90cb003c.exe
  Resource: win10v2004-20231222-en
General
Target: 1f734d29cf2993ec66e579ca90cb003c.exe
Size: 24KB
MD5: 1f734d29cf2993ec66e579ca90cb003c
SHA1: d3cd997815e53b646e72a71889ef757220e318f5
SHA256: 10c40ca72f76a46fe1854c35d663fe86fe3b8b835f8689362cc269d6305a1a2f
SHA512: fdae6b463c8156039ff1d8b3f364757c1375537e6d37582fc26e261c69147a219ac5a18711c3bb997bf377847b874363543e439af7d77f49c9a6544c6b3c2b49
SSDEEP: 384:E3eVES+/xwGkRKJVPlM61qmTTMVF9/q5Z0:bGS+ZfbJVPO8qYoAm
Malware Config
Signatures
Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Start GeekBuddy = "C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\1033\\spoolsv.exe" (process: 1f734d29cf2993ec66e579ca90cb003c.exe)
Drops file in Program Files directory (1 IoC)
  File created: C:\Program Files\Common Files\Microsoft Shared\Web Folders\1033\spoolsv.exe (process: 1f734d29cf2993ec66e579ca90cb003c.exe)
Enumerates processes with tasklist (1 TTP, 1 IoC)
  PID 1464 tasklist.exe
Gathers network information (2 TTPs, 2 IoCs)
  Uses commandline utility to view network configuration.
  PID 4936 NETSTAT.EXE
  PID 5076 ipconfig.exe
Runs net.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, PID 1464 tasklist.exe
  Token: SeDebugPrivilege, PID 4936 NETSTAT.EXE
Suspicious use of SetWindowsHookEx (2 IoCs)
  PID 4920 1f734d29cf2993ec66e579ca90cb003c.exe (recorded twice)
Suspicious use of WriteProcessMemory (21 IoCs; each row below was recorded three times)
  description | pid | Process | procid_target
  PID 4920 wrote to memory of 4584 | 4920 | 1f734d29cf2993ec66e579ca90cb003c.exe | 29
  PID 4584 wrote to memory of 920 | 4584 | cmd.exe | 19
  PID 4584 wrote to memory of 5076 | 4584 | cmd.exe | 20
  PID 4584 wrote to memory of 1464 | 4584 | cmd.exe | 21
  PID 4584 wrote to memory of 4356 | 4584 | cmd.exe | 25
  PID 4356 wrote to memory of 3500 | 4356 | net.exe | 28
  PID 4584 wrote to memory of 4936 | 4584 | cmd.exe | 26
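The first two signatures are the report's persistence story: the sample drops a file named spoolsv.exe (the name of the Windows Print Spooler, which legitimately lives in System32) into a Common Files subdirectory and points an HKLM Run value at it. The key lands under WOW6432Node because a 32-bit process writing HKLM\SOFTWARE on 64-bit Windows is registry-redirected there, which agrees with the arch:x86 resource tag. The Python below is an added example, not part of the tria.ge report or the sample: it takes the registry write exactly as listed above and returns the findings a triage analyst would want flagged. The SYSTEM_BINARY_NAMES subset, the LEGIT_SYSTEM_DIRS set and the finding strings are this example's own choices.

```python
import re
from typing import List

# Core Windows process names that dropped files commonly borrow. A small
# illustrative subset chosen for this example, not an exhaustive list.
SYSTEM_BINARY_NAMES = {
    "spoolsv.exe", "svchost.exe", "lsass.exe", "csrss.exe",
    "winlogon.exe", "services.exe", "explorer.exe",
}

# Parent directories where those binaries legitimately live on a default install.
LEGIT_SYSTEM_DIRS = {"c:\\windows\\", "c:\\windows\\system32\\", "c:\\windows\\syswow64\\"}

# Matches ...\Microsoft\Windows\CurrentVersion\Run\<value name> (or RunOnce)
# in either the native view or the WOW6432Node (32-bit redirected) view.
RUN_KEY_RE = re.compile(
    r"\\microsoft\\windows\\currentversion\\(run|runonce)\\([^\\]+)$", re.IGNORECASE
)


def normalize_exe_path(value_data: str) -> str:
    """Strip surrounding quotes and the doubled backslashes the report uses when
    rendering REG_SZ data, then lower-case for comparison."""
    return value_data.strip().strip('"').replace("\\\\", "\\").lower()


def check_run_key(key_path: str, value_data: str) -> List[str]:
    """Return findings for one registry write; an empty list means nothing flagged."""
    findings: List[str] = []
    m = RUN_KEY_RE.search(key_path)
    if m is None:
        return findings  # not an autostart key, nothing to say
    run_kind, value_name = m.group(1), m.group(2)
    findings.append(f"T1547.001 autostart via {run_kind} value '{value_name}'")
    if "\\wow6432node\\" in key_path.lower():
        # Registry redirection: a 32-bit writer on 64-bit Windows lands here.
        findings.append("written via WOW6432Node: 32-bit writer on 64-bit Windows")
    exe = normalize_exe_path(value_data)
    parent, _, name = exe.rpartition("\\")
    if name in SYSTEM_BINARY_NAMES and parent + "\\" not in LEGIT_SYSTEM_DIRS:
        findings.append(f"T1036.005 '{name}' outside its system directory: {exe}")
    return findings


# The IoC exactly as the report lists it (the key path ends with the value name).
REPORT_KEY = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Start GeekBuddy"
REPORT_DATA = r'"C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\1033\\spoolsv.exe"'

if __name__ == "__main__":
    for line in check_run_key(REPORT_KEY, REPORT_DATA):
        print(line)
```

Run against the report's IoC the check returns three findings (autostart, WOW6432Node, masquerading name); a Run value pointing at a binary whose name is not on the borrowed-name list, or whose parent directory is a real system directory, returns only the autostart finding.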
Processes
- C:\Users\Admin\AppData\Local\Temp\1f734d29cf2993ec66e579ca90cb003c.exe (PID 4920)
  command: "C:\Users\Admin\AppData\Local\Temp\1f734d29cf2993ec66e579ca90cb003c.exe"
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 4584)
    command: cmd /c ver >c:\windows\temp\flash.log & cmd /c set >>c:\windows\temp\flash.log & ipconfig /all >>c:\windows\temp\flash.log & tasklist >>c:\windows\temp\flash.log & net start>>c:\windows\temp\flash.log & netstat -an >>c:\windows\temp\flash.log
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 920)
      command: cmd /c set
    - C:\Windows\SysWOW64\ipconfig.exe (PID 5076)
      command: ipconfig /all
      - Gathers network information
    - C:\Windows\SysWOW64\tasklist.exe (PID 1464)
      command: tasklist
      - Enumerates processes with tasklist
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\net.exe (PID 4356)
      command: net start
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net1.exe (PID 3500)
        command: C:\Windows\system32\net1 start
    - C:\Windows\SysWOW64\NETSTAT.EXE (PID 4936)
      command: netstat -an
      - Gathers network information
      - Suspicious use of AdjustPrivilegeToken
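The command line handed to cmd.exe (PID 4584) is a one-shot host survey: OS version, environment variables, network configuration, process list, running services and open connections, all appended to a single file, c:\windows\temp\flash.log, where an operator can collect it later. Note also that every WriteProcessMemory row in the signatures pairs with a parent/child edge in this tree, so those events document ordinary process creation, not injection into an unrelated process, and that the SysWOW64 paths confirm a 32-bit sample running under WOW64. The Python below is an added example, not part of the tria.ge report or the sample: it parses a cmd.exe one-liner of this shape into its &-separated steps, maps each step to the ATT&CK discovery technique it represents, and flags the chain when several distinct techniques funnel output into one staging file. The DISCOVERY_TOOLS table, the threshold of three techniques and the field names are this example's own choices.

```python
import re
from collections import Counter
from typing import Dict, List, NamedTuple

# Discovery utilities seen in the chain above, mapped to the ATT&CK technique
# each represents. Keys are matched against the start of each command.
DISCOVERY_TOOLS = {
    "ver": "T1082 System Information Discovery",
    "set": "T1082 System Information Discovery",
    "ipconfig": "T1016 System Network Configuration Discovery",
    "tasklist": "T1057 Process Discovery",
    "net start": "T1007 System Service Discovery",
    "netstat": "T1049 System Network Connections Discovery",
}


class Step(NamedTuple):
    command: str  # e.g. "ipconfig /all"
    target: str   # stdout redirect target, lower-cased, or "" if none
    append: bool  # True for ">>", False for ">"


# A trailing ">file" or ">>file" on one &-separated segment.
REDIRECT_RE = re.compile(r"\s*(>>|>)\s*(\S+)\s*$")
# A leading "cmd /c " wrapper, as in "cmd /c set".
CMD_WRAPPER_RE = re.compile(r"^cmd(\.exe)?\s+/c\s+", re.IGNORECASE)


def parse_chain(cmdline: str) -> List[Step]:
    """Split a cmd.exe one-liner on '&' and pull the redirect off each segment."""
    steps: List[Step] = []
    for segment in cmdline.split("&"):
        segment = CMD_WRAPPER_RE.sub("", segment.strip())
        if not segment:
            continue  # empty segment, e.g. produced by "&&"
        m = REDIRECT_RE.search(segment)
        if m:
            steps.append(Step(segment[:m.start()].strip(), m.group(2).lower(), m.group(1) == ">>"))
        else:
            steps.append(Step(segment, "", False))
    return steps


def classify(step: Step) -> str:
    """ATT&CK technique for a step, or "" if it is not a known discovery command."""
    cmd = step.command.lower()
    for tool, technique in DISCOVERY_TOOLS.items():
        if cmd == tool or cmd.startswith(tool + " "):
            return technique
    return ""


def score_chain(cmdline: str, min_techniques: int = 3) -> Dict[str, object]:
    """Flag a chain that runs several distinct discovery techniques and collects
    their output in one file (local data staging, T1074.001)."""
    steps = parse_chain(cmdline)
    techniques = sorted({t for t in (classify(s) for s in steps) if t})
    targets = Counter(s.target for s in steps if s.target)
    staging = targets.most_common(1)[0] if targets else ("", 0)
    return {
        "steps": len(steps),
        "techniques": techniques,
        # only call it staging when at least two commands write the same file
        "staging_file": staging[0] if staging[1] >= 2 else "",
        "suspicious": len(techniques) >= min_techniques,
    }


# The cmd.exe command line exactly as the process tree above shows it.
REPORT_CMDLINE = (
    r"cmd /c ver >c:\windows\temp\flash.log & cmd /c set >>c:\windows\temp\flash.log"
    r" & ipconfig /all >>c:\windows\temp\flash.log & tasklist >>c:\windows\temp\flash.log"
    r" & net start>>c:\windows\temp\flash.log & netstat -an >>c:\windows\temp\flash.log"
)

if __name__ == "__main__":
    for step in parse_chain(REPORT_CMDLINE):
        mode = "append" if step.append else "truncate"
        print(f"{step.command:15} -> {step.target} ({mode})")
    print(score_chain(REPORT_CMDLINE))
```

For the report's command line the parser yields six steps, five distinct discovery techniques and one shared staging file, so the chain is flagged; a lone "ipconfig /all > file" is parsed the same way but scores one technique with no shared target and is not flagged. The first step uses ">" (truncate) and the rest ">>" (append), which is how a freshly created flash.log ends up holding the whole survey.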
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 14KB
MD5: c27ee32fc9095278fee335a5b331d6d0
SHA1: 130b5a6bb611a8243af84df0de6612395963ba3b
SHA256: ac40d58791f8d8d6bb4c3c2ea12387a183aa7add155194a78f785f58b7d2fe51
SHA512: 958a811c6260903b1d1af4e06f64eadac2753c73e2a7da418f5505037ed0ea229104c889102f546543f9601fe61c312dea6b2ba63449608608aa19a87d3a71ff