Analysis
- max time kernel: 2s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30/12/2023, 11:40
Behavioral task: behavioral1
- Sample: d5d849be391b41bfe336ece408eafc17733090a4f530c223001b92d6ae5ca969.exe
- Resource: win7-20231215-en

Behavioral task: behavioral2
- Sample: d5d849be391b41bfe336ece408eafc17733090a4f530c223001b92d6ae5ca969.exe
- Resource: win10v2004-20231215-en
General
- Target: d5d849be391b41bfe336ece408eafc17733090a4f530c223001b92d6ae5ca969.exe
- Size: 536KB
- MD5: 72c4cff05ed8d2efcdeda6b6be956984
- SHA1: 3d316a33ddb97e229684bbcd5cb797715fd82479
- SHA256: d5d849be391b41bfe336ece408eafc17733090a4f530c223001b92d6ae5ca969
- SHA512: e8266d3dbcd5184f33ae7aec45f490849ad658bf5d12c9bd5fc1114fd9f0164626f559aade3a5d22c2a2a375fb8152a0263b1f5eef593d2a524267abf2ea0083
- SSDEEP: 12288:Jhf0Bs9bDDq9hu53Ltp/p+gPhhwPOaoTJRkmOkx2LIa:JdQyDL9xp/BGA1RkmOkx2LF
Signatures
- yara_rule matches (8 IoCs)
  resource                                                                  yara_rule
  behavioral2/memory/3448-0-0x0000000000970000-0x0000000000A72000-memory.dmp   upx
  behavioral2/memory/3448-14-0x0000000000970000-0x0000000000A72000-memory.dmp  upx
  behavioral2/memory/3448-25-0x0000000000970000-0x0000000000A72000-memory.dmp  upx
  behavioral2/memory/3448-26-0x0000000000970000-0x0000000000A72000-memory.dmp  upx
  behavioral2/memory/3448-27-0x0000000000970000-0x0000000000A72000-memory.dmp  upx
  behavioral2/memory/3448-30-0x0000000000970000-0x0000000000A72000-memory.dmp  upx
  behavioral2/memory/3448-37-0x0000000000970000-0x0000000000A72000-memory.dmp  upx
  behavioral2/memory/3448-47-0x0000000000970000-0x0000000000A72000-memory.dmp  upx
- Unexpected DNS network traffic destination (4 IoCs)
  Network traffic to servers other than the configured DNS servers was detected on the DNS port.
  description      ioc
  Destination IP   223.5.5.5
  Destination IP   114.114.114.114
  Destination IP   223.5.5.5
  Destination IP   114.114.114.114
- Drops file in Windows directory (1 IoCs)
  description                    ioc                 Process
  File opened for modification   C:\Windows\3b07f0   d5d849be391b41bfe336ece408eafc17733090a4f530c223001b92d6ae5ca969.exe
- Suspicious behavior: EnumeratesProcesses (12 IoCs)
  pid    Process
  3448   d5d849be391b41bfe336ece408eafc17733090a4f530c223001b92d6ae5ca969.exe
  3448   d5d849be391b41bfe336ece408eafc17733090a4f530c223001b92d6ae5ca969.exe
  3448   d5d849be391b41bfe336ece408eafc17733090a4f530c223001b92d6ae5ca969.exe
  3448   d5d849be391b41bfe336ece408eafc17733090a4f530c223001b92d6ae5ca969.exe
  3448   d5d849be391b41bfe336ece408eafc17733090a4f530c223001b92d6ae5ca969.exe
  3448   d5d849be391b41bfe336ece408eafc17733090a4f530c223001b92d6ae5ca969.exe
  3448   d5d849be391b41bfe336ece408eafc17733090a4f530c223001b92d6ae5ca969.exe
  3448   d5d849be391b41bfe336ece408eafc17733090a4f530c223001b92d6ae5ca969.exe
  3356   Explorer.EXE
  3356   Explorer.EXE
  3356   Explorer.EXE
  3356   Explorer.EXE
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  description               pid    Process
  Token: SeDebugPrivilege   3448   d5d849be391b41bfe336ece408eafc17733090a4f530c223001b92d6ae5ca969.exe
  Token: SeTcbPrivilege     3448   d5d849be391b41bfe336ece408eafc17733090a4f530c223001b92d6ae5ca969.exe
  Token: SeDebugPrivilege   3448   d5d849be391b41bfe336ece408eafc17733090a4f530c223001b92d6ae5ca969.exe
  Token: SeDebugPrivilege   3356   Explorer.EXE
  Token: SeTcbPrivilege     3356   Explorer.EXE
- Suspicious use of WriteProcessMemory (3 IoCs)
  description                         pid    Process                                                                 procid_target
  PID 3448 wrote to memory of 3356    3448   d5d849be391b41bfe336ece408eafc17733090a4f530c223001b92d6ae5ca969.exe   48
  PID 3448 wrote to memory of 3356    3448   d5d849be391b41bfe336ece408eafc17733090a4f530c223001b92d6ae5ca969.exe   48
  PID 3448 wrote to memory of 3356    3448   d5d849be391b41bfe336ece408eafc17733090a4f530c223001b92d6ae5ca969.exe   48
Processes
- C:\Users\Admin\AppData\Local\Temp\d5d849be391b41bfe336ece408eafc17733090a4f530c223001b92d6ae5ca969.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d5d849be391b41bfe336ece408eafc17733090a4f530c223001b92d6ae5ca969.exe"
  PID: 3448
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 3356
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken