Analysis
- max time kernel: 155s
- max time network: 178s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20231215-en locale:en-us os:windows10-2004-x64 system
- submitted: 30/12/2023, 06:50
Behavioral task behavioral1
- Sample: 1175544db87b63303f1f6e394ba6fd46.exe
- Resource: win7-20231129-en
Behavioral task behavioral2
- Sample: 1175544db87b63303f1f6e394ba6fd46.exe
- Resource: win10v2004-20231215-en
General
- Target: 1175544db87b63303f1f6e394ba6fd46.exe
- Size: 31KB
- MD5: 1175544db87b63303f1f6e394ba6fd46
- SHA1: 3e58b4dccfe8aa4b67b3e3e356273067267bab3d
- SHA256: a01f816685647191a3be7995cf24752c64af700c4bb08f1b0e500e5e8bf9a0d5
- SHA512: 1185c0cba7e6d77387d37fcf5f993818bbb49101ff8e7314bc13fbdf8a1dd44041ee9f6d5630d22c665315f130a4a29e5d3672fcc6114e895fa551e8b5b36f32
- SSDEEP: 768:RfeSXJ1TnWX2ZeAf+ZCbZ+V52LoeZBy9QHxnSBw/44N:RfVnWmo7obc2UeZ1RnTP
Malware Config
Signatures
- Adds policy Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | win32sp.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\11 = "win32sp.exe" | win32sp.exe
- YARA rule match
  resource | yara_rule
  behavioral2/files/0x000300000001e7dc-3.dat | aspack_v212_v242
- Executes dropped EXE (1 IoC)
  pid | Process
  4164 | win32sp.exe
- YARA rule match
  resource | yara_rule
  behavioral2/memory/368-0-0x0000000000400000-0x0000000000417000-memory.dmp | upx
  behavioral2/memory/368-4-0x0000000000400000-0x0000000000417000-memory.dmp | upx
- Drops file in System32 directory (2 IoCs)
  description | ioc | Process
  File created | C:\Windows\SysWOW64\win32sp.dll | 1175544db87b63303f1f6e394ba6fd46.exe
  File created | C:\Windows\SysWOW64\win32sp.exe | 1175544db87b63303f1f6e394ba6fd46.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  4164 | win32sp.exe
  4164 | win32sp.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | Process
  Token: SeDebugPrivilege | 4164 | win32sp.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target
  PID 368 wrote to memory of 4164 | 368 | 1175544db87b63303f1f6e394ba6fd46.exe | 92
  PID 368 wrote to memory of 4164 | 368 | 1175544db87b63303f1f6e394ba6fd46.exe | 92
  PID 368 wrote to memory of 4164 | 368 | 1175544db87b63303f1f6e394ba6fd46.exe | 92
  PID 4164 wrote to memory of 680 | 4164 | win32sp.exe | 4
  Note: PID 680 is lsass.exe in the process list below. The dropped win32sp.exe, after enabling SeDebugPrivilege on its own token, writes into the memory of the LSA process; the three writes from PID 368 are the original dropper writing into its child win32sp.exe.
Processes
- C:\Windows\system32\lsass.exe
  command line: C:\Windows\system32\lsass.exe
  depth 1, PID:680
- C:\Users\Admin\AppData\Local\Temp\1175544db87b63303f1f6e394ba6fd46.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\1175544db87b63303f1f6e394ba6fd46.exe"
  depth 1, PID:368
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\win32sp.exe
    command line: C:\Windows\system32\win32sp.exe
    depth 2, PID:4164
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
Note: the child is launched as C:\Windows\system32\win32sp.exe but its image path is C:\Windows\SysWOW64\win32sp.exe, and the "Drops file in System32 directory" IoCs above likewise land in SysWOW64. On the x64 host, WoW64 file system redirection maps C:\Windows\System32 to C:\Windows\SysWOW64 for a 32-bit process, so a hunt for the dropped files must check SysWOW64 as well as System32.
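Detection logic for the three behaviours this report records (the value written under the Policies\Explorer\Run key, the executable and DLL dropped into a system directory by a process running from a user temp path, and the cross-process write into lsass.exe), run over a few Sysmon-style events. This is an added example, not tria.ge's signature code and not the sample's code. The event dicts are constructed for this example; their field names (EventID, Image, TargetObject, Details, TargetFilename, SourceImage, TargetImage, GrantedAccess) follow Sysmon's naming for event IDs 13, 11 and 10, but no event here is captured telemetry.

```python
"""Hunt rules for the persistence, file-drop and lsass-access IoCs in the report.

Added example (not tria.ge or sample code). Events are Sysmon-style dicts
constructed below; the field names are an assumption for this example.
"""
import re

# Registry persistence location from the report. Sysmon writes HKLM\...,
# tria.ge writes \REGISTRY\MACHINE\...; accept both spellings.
POLICY_RUN = re.compile(
    r"^(HKLM|\\REGISTRY\\MACHINE)\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion"
    r"\\Policies\\Explorer\\Run\\",
    re.IGNORECASE,
)

# An exe/dll created directly in System32 or SysWOW64 (WoW64 redirection
# sends a 32-bit dropper's "system32" writes to SysWOW64, so match both).
SYSTEM_DIRS = re.compile(
    r"^C:\\Windows\\(System32|SysWOW64)\\[^\\]+\.(exe|dll)$", re.IGNORECASE
)

# Process access rights that allow writing into another process:
# PROCESS_VM_OPERATION (0x0008) and PROCESS_VM_WRITE (0x0020).
VM_WRITE_RIGHTS = 0x0008 | 0x0020


def check_registry(ev):
    """Sysmon 13 (registry value set): anything under Policies\\Explorer\\Run."""
    if ev.get("EventID") != 13:
        return None
    if POLICY_RUN.search(ev["TargetObject"]):
        return f"policy Run persistence: {ev['TargetObject']} = {ev['Details']} by {ev['Image']}"
    return None


def check_file_drop(ev):
    """Sysmon 11 (file create): exe/dll created in a system directory by a
    process whose own image lives outside C:\\Windows."""
    if ev.get("EventID") != 11:
        return None
    outside_windows = not ev["Image"].lower().startswith("c:\\windows\\")
    if SYSTEM_DIRS.match(ev["TargetFilename"]) and outside_windows:
        return f"system dir drop: {ev['Image']} created {ev['TargetFilename']}"
    return None


def check_lsass_access(ev):
    """Sysmon 10 (process access): handle to lsass.exe with VM write rights.
    Query-only handles (e.g. 0x1000, PROCESS_QUERY_LIMITED_INFORMATION) are ignored."""
    if ev.get("EventID") != 10:
        return None
    granted = int(ev["GrantedAccess"], 16)
    if ev["TargetImage"].lower().endswith("\\lsass.exe") and granted & VM_WRITE_RIGHTS:
        return f"lsass write access: {ev['SourceImage']} -> {ev['TargetImage']} ({ev['GrantedAccess']})"
    return None


CHECKS = (check_registry, check_file_drop, check_lsass_access)


def scan(events):
    """Apply every rule to every event; return the list of hit descriptions."""
    hits = []
    for ev in events:
        for check in CHECKS:
            hit = check(ev)
            if hit:
                hits.append(hit)
    return hits


DROPPER = r"C:\Users\Admin\AppData\Local\Temp\1175544db87b63303f1f6e394ba6fd46.exe"

# Constructed events mirroring the report's IoCs, plus benign look-alikes.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\SysWOW64\win32sp.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\11",
     "Details": "win32sp.exe"},
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\app.exe",      # ordinary Run key, not Policies
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorApp",
     "Details": r"C:\Program Files\Vendor\app.exe"},
    {"EventID": 11, "Image": DROPPER, "TargetFilename": r"C:\Windows\SysWOW64\win32sp.dll"},
    {"EventID": 11, "Image": r"C:\Windows\System32\svchost.exe",       # OS component writing its own dir
     "TargetFilename": r"C:\Windows\System32\config\sample.dll"},
    {"EventID": 10, "SourceImage": r"C:\Windows\SysWOW64\win32sp.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",  # query-only handle
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1000"},
]

if __name__ == "__main__":
    for line in scan(SAMPLE_EVENTS):
        print(line)
```

The fourth constructed event does not fire because its target path has a subdirectory component and the writer runs from C:\Windows; the sixth does not fire because 0x1000 carries no VM write rights. Against the report's own telemetry all three real behaviours would be surfaced by the three rules.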
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 16KB
  MD5: d83815368c90aad76f1bec27b9724509
  SHA1: 71caf9a23f2dd5f9cdc43e6f2f691a15adf244c0
  SHA256: d0c33c64a0a0482b32da31af98536fd1683f8f93facf3257d50fb52a2c2ebede
  SHA512: f1495a2b858ca67148949007eaae8c7151693447279d31b7804857a970c528f2ba39f09f1d3f2b11205596b88e7c91615150e554870929c204a5ba44795dbfce