Analysis
max time kernel: 161s
max time network: 171s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31/12/2023, 05:52
Static task: static1
Behavioral task: behavioral1
  Sample: 2ab925e1b611041799e0eb3e123ff2c6.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 2ab925e1b611041799e0eb3e123ff2c6.exe
  Resource: win10v2004-20231215-en
General
Target: 2ab925e1b611041799e0eb3e123ff2c6.exe
Size: 3.8MB
MD5: 2ab925e1b611041799e0eb3e123ff2c6
SHA1: 24828bee2c9f911a62dd07d085059436fcda7866
SHA256: 105137f7201a737456f865513fbf14e64ac16facad90b4cb6c314ac765ea302f
SHA512: 573e951cc2bb591c8529a70ba84a9e2c535c4d8e31b04bc31e7d81795e2ad404241b910344127535f616c5415c271a8166cbfc455df2a4e018110f568ef052b8
SSDEEP: 98304:pqFbd9jWsKXaLj33cbC7p68b0GDaCoPTEt0NcQGojg:wFbd9jWPAjMbIbVDMTEtOclB
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  PID 2380  2ab925e1b611041799e0eb3e123ff2c6.tmp
Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
Enumerates processes with tasklist (1 TTP, 5 IoCs)
  PID 3704  tasklist.exe
  PID 4964  tasklist.exe
  PID 1972  tasklist.exe
  PID 5048  tasklist.exe
  PID 4688  tasklist.exe
Script User-Agent (3 IoCs)
  Uses user-agent string associated with script host/environment.
  description: HTTP User-Agent header  flow: 97  ioc: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  description: HTTP User-Agent header  flow: 98  ioc: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  description: HTTP User-Agent header  flow: 95  ioc: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 1420  powershell.exe
  PID 1420  powershell.exe
Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Token: SeDebugPrivilege  PID 1420  powershell.exe
  Token: SeDebugPrivilege  PID 3704  tasklist.exe
  Token: SeDebugPrivilege  PID 4964  tasklist.exe
  Token: SeDebugPrivilege  PID 1972  tasklist.exe
  Token: SeDebugPrivilege  PID 5048  tasklist.exe
  Token: SeDebugPrivilege  PID 4688  tasklist.exe
Suspicious use of WriteProcessMemory (54 IoCs)
Processes (indented by depth in the process tree)

[depth 1] C:\Users\Admin\AppData\Local\Temp\2ab925e1b611041799e0eb3e123ff2c6.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2ab925e1b611041799e0eb3e123ff2c6.exe"
  PID: 2196
  Signatures: Suspicious use of WriteProcessMemory

  [depth 2] C:\Users\Admin\AppData\Local\Temp\is-NL80R.tmp\2ab925e1b611041799e0eb3e123ff2c6.tmp
    Command line: "C:\Users\Admin\AppData\Local\Temp\is-NL80R.tmp\2ab925e1b611041799e0eb3e123ff2c6.tmp" /SL5="$601EA,3271290,56832,C:\Users\Admin\AppData\Local\Temp\2ab925e1b611041799e0eb3e123ff2c6.exe"
    PID: 2380
    Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory

    [depth 3] C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-M6I28.tmp\ex.bat""
      PID: 1248
      Signatures: Suspicious use of WriteProcessMemory

      [depth 4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: powershell.exe -inputformat none -NoProfile -NoLogo -Command "& {$avlist = @(); $os = Get-WmiObject Win32_OperatingSystem; if ($os.ProductType -eq 3) {Write-Host \"ServerOS|0\";} elseif ($os.Version -like \"5.*\") {Get-WmiObject -Namespace root\SecurityCenter -Class AntiVirusProduct | ForEach-Object {Write-Host \"$($_.displayName)|$(if ($_.onAccessScanningEnabled) {\"4096\"} else {\"0\"})\"};} else {Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct | ForEach-Object {$avlist += \"$($_.displayName)|$($_.productState)\"};Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiSpywareProduct | ForEach-Object {$avlist += \"$($_.displayName)|$($_.productState)\"};} Write-Host ($avlist -join \"*\")}"
        PID: 1420
        Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

    [depth 3] C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
      PID: 3516
      Signatures: Suspicious use of WriteProcessMemory

      [depth 4] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq newversion.exe" /FO CSV
        PID: 4484
        Signatures: Suspicious use of WriteProcessMemory

        [depth 5] C:\Windows\SysWOW64\tasklist.exe
          Command line: tasklist /FI "IMAGENAME eq newversion.exe" /FO CSV
          PID: 3704
          Signatures: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken

    [depth 3] C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
      PID: 4156
      Signatures: Suspicious use of WriteProcessMemory

      [depth 4] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq newversion.tmp" /FO CSV
        PID: 4440
        Signatures: Suspicious use of WriteProcessMemory

        [depth 5] C:\Windows\SysWOW64\tasklist.exe
          Command line: tasklist /FI "IMAGENAME eq newversion.tmp" /FO CSV
          PID: 4964
          Signatures: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken

    [depth 3] C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
      PID: 4556
      Signatures: Suspicious use of WriteProcessMemory

      [depth 4] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq Setup.exe" /FO CSV
        PID: 2356
        Signatures: Suspicious use of WriteProcessMemory

        [depth 5] C:\Windows\SysWOW64\tasklist.exe
          Command line: tasklist /FI "IMAGENAME eq Setup.exe" /FO CSV
          PID: 1972
          Signatures: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken

    [depth 3] C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
      PID: 4804
      Signatures: Suspicious use of WriteProcessMemory

      [depth 4] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq Setup (1).exe" /FO CSV
        PID: 3120
        Signatures: Suspicious use of WriteProcessMemory

        [depth 5] C:\Windows\SysWOW64\tasklist.exe
          Command line: tasklist /FI "IMAGENAME eq Setup (1).exe" /FO CSV
          PID: 5048
          Signatures: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken

    [depth 3] C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
      PID: 4528
      Signatures: Suspicious use of WriteProcessMemory

      [depth 4] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq Setup (2).exe" /FO CSV
        PID: 2536
        Signatures: Suspicious use of WriteProcessMemory

        [depth 5] C:\Windows\SysWOW64\tasklist.exe
          Command line: tasklist /FI "IMAGENAME eq Setup (2).exe" /FO CSV
          PID: 4688
          Signatures: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken

    [depth 3] C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
      PID: 4152
      Signatures: none
Network
MITRE ATT&CK Enterprise v15
Downloads