Analysis
max time kernel: 155s
max time network: 177s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06/01/2024, 00:13

Static task: static1
Behavioral task: behavioral1
  Sample: 44cacd30f4f713101607e1f1f9021f7e.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 44cacd30f4f713101607e1f1f9021f7e.exe
  Resource: win10v2004-20231215-en
General
Target: 44cacd30f4f713101607e1f1f9021f7e.exe
Size: 270KB
MD5: 44cacd30f4f713101607e1f1f9021f7e
SHA1: 69ea3a95361a0e14910e1bdbd5f225aa8b88ab18
SHA256: 46da2d2262661d1f632e86e478642f8e1eb5b5faa65ae34d9039e9ea9efdebaf
SHA512: a0e103589d18f53be34c468243492482840e37454e6e03ed085587469edbfd68089e1bf91659acff5287adbe22abc98e4bdb09d2e2664371e3cc0c2941a431b1
SSDEEP: 6144:qMhBj6B6kP/KRvA9HmNR92bIjLxPTYra385tnDzeO+SsZPqXhEpJ3:jW6kPIA9mR9jXZkznXL+Cg
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  pid   Process
  3000  Hacker.com.cn.exe

Drops file in Windows directory (3 IoCs)
  description                   ioc                           Process
  File created                  C:\Windows\Hacker.com.cn.exe  44cacd30f4f713101607e1f1f9021f7e.exe
  File opened for modification  C:\Windows\Hacker.com.cn.exe  44cacd30f4f713101607e1f1f9021f7e.exe
  File created                  C:\Windows\uninstal.bat       44cacd30f4f713101607e1f1f9021f7e.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description               pid   Process
  Token: SeDebugPrivilege   3168  44cacd30f4f713101607e1f1f9021f7e.exe
  Token: SeDebugPrivilege   3000  Hacker.com.cn.exe

Suspicious use of FindShellTrayWindow (1 IoC)
  pid   Process
  3000  Hacker.com.cn.exe

Suspicious use of WriteProcessMemory (5 IoCs)
  description                       pid   Process                               procid_target
  PID 3000 wrote to memory of 4024  3000  Hacker.com.cn.exe                     93
  PID 3000 wrote to memory of 4024  3000  Hacker.com.cn.exe                     93
  PID 3168 wrote to memory of 2716  3168  44cacd30f4f713101607e1f1f9021f7e.exe  95
  PID 3168 wrote to memory of 2716  3168  44cacd30f4f713101607e1f1f9021f7e.exe  95
  PID 3168 wrote to memory of 2716  3168  44cacd30f4f713101607e1f1f9021f7e.exe  95
Processes
C:\Users\Admin\AppData\Local\Temp\44cacd30f4f713101607e1f1f9021f7e.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\44cacd30f4f713101607e1f1f9021f7e.exe"
  PID: 3168
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  └─ C:\Windows\SysWOW64\cmd.exe
       command line: C:\Windows\system32\cmd.exe /c C:\Windows\uninstal.bat
       PID: 2716

C:\Windows\Hacker.com.cn.exe
  command line: C:\Windows\Hacker.com.cn.exe
  PID: 3000
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  └─ C:\Program Files\Internet Explorer\IEXPLORE.EXE
       command line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
       PID: 4024
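The signatures and process tree above describe one chain: an executable running from the user's Temp directory drops a second executable and a batch file into C:\Windows, runs the batch file through cmd.exe, and the dropped executable then enables SeDebugPrivilege, launches IEXPLORE.EXE and writes into its memory. The following is an added example (not tria.ge output and not code from the sample's author) showing how that chain can be detected from endpoint telemetry. It runs over constructed Sysmon-style events whose pids, paths and command lines are taken from this report; the event field names, the "TokenAdjust" and "ProcessAccess" event shapes, and the parent pid of Hacker.com.cn.exe (not shown in the report, left as None) are assumptions.

```python
"""Detection rules for the behaviour chain in the report above, run over
constructed Sysmon-style events (an added example, not tria.ge output)."""

# Constructed events modelled on the report's signatures and process tree.
# Field names loosely follow Sysmon (Image, TargetFilename, TargetImage) but
# are simplified. The parent of Hacker.com.cn.exe is not shown in the report
# (it appears as a second root in the tree), so its ppid is left as None.
EVENTS = [
    {"type": "ProcessCreate", "pid": 3168, "ppid": None,
     "image": r"C:\Users\Admin\AppData\Local\Temp\44cacd30f4f713101607e1f1f9021f7e.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\44cacd30f4f713101607e1f1f9021f7e.exe"'},
    {"type": "TokenAdjust", "pid": 3168, "privilege": "SeDebugPrivilege"},
    {"type": "FileCreate", "pid": 3168, "target": r"C:\Windows\Hacker.com.cn.exe"},
    {"type": "FileCreate", "pid": 3168, "target": r"C:\Windows\uninstal.bat"},
    {"type": "ProcessCreate", "pid": 2716, "ppid": 3168,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"C:\Windows\system32\cmd.exe /c C:\Windows\uninstal.bat"},
    {"type": "ProcessCreate", "pid": 3000, "ppid": None,
     "image": r"C:\Windows\Hacker.com.cn.exe", "cmdline": r"C:\Windows\Hacker.com.cn.exe"},
    {"type": "TokenAdjust", "pid": 3000, "privilege": "SeDebugPrivilege"},
    {"type": "ProcessCreate", "pid": 4024, "ppid": 3000,
     "image": r"C:\Program Files\Internet Explorer\IEXPLORE.EXE",
     "cmdline": r'"C:\Program Files\Internet Explorer\IEXPLORE.EXE"'},
    {"type": "ProcessAccess", "pid": 3000, "target_pid": 4024, "access": "WriteProcessMemory"},
]

USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\")
BROWSERS = ("iexplore.exe", "chrome.exe", "firefox.exe", "msedge.exe")


def _untrusted(image_low, created_by):
    """True if the image lives in a user-writable path or was itself written
    earlier in the trace (i.e. it is a dropped file)."""
    return image_low.startswith(USER_WRITABLE_PREFIXES) or image_low in created_by


def analyse(events):
    """Return (rule, pid, detail) findings; rule names mirror the report's
    signature names where they correspond."""
    procs = {}       # pid -> image path as logged
    created_by = {}  # lower-cased file path -> pid that created it
    findings = []
    for ev in events:
        kind = ev["type"]
        if kind == "ProcessCreate":
            image = ev["image"]
            low = image.lower()
            procs[ev["pid"]] = image
            if low in created_by:
                findings.append(("Executes dropped EXE", ev["pid"],
                                 f"{image} dropped by pid {created_by[low]}"))
            cmd = ev["cmdline"].lower()
            if low.endswith("\\cmd.exe") and "/c" in cmd:
                # Self-cleanup pattern: cmd.exe runs a .bat that the parent itself dropped
                for path, creator in created_by.items():
                    if path.endswith(".bat") and path in cmd and creator == ev["ppid"]:
                        findings.append(("Runs dropped batch file", ev["pid"], path))
        elif kind == "FileCreate":
            target = ev["target"].lower()
            created_by[target] = ev["pid"]
            creator = procs.get(ev["pid"], "").lower()
            if target.startswith("c:\\windows\\") and _untrusted(creator, created_by):
                findings.append(("Drops file in Windows directory", ev["pid"], ev["target"]))
        elif kind == "TokenAdjust" and ev["privilege"] == "SeDebugPrivilege":
            # Debug privilege from a user-writable or dropped image, not a system binary
            if _untrusted(procs.get(ev["pid"], "").lower(), created_by):
                findings.append(("Suspicious use of AdjustPrivilegeToken", ev["pid"],
                                 ev["privilege"]))
        elif kind == "ProcessAccess" and ev["access"] == "WriteProcessMemory":
            target = procs.get(ev["target_pid"], "")
            if target.lower().rsplit("\\", 1)[-1] in BROWSERS:
                findings.append(("Writes to browser process memory", ev["pid"],
                                 f"target pid {ev['target_pid']} ({target})"))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in analyse(EVENTS):
        print(f"{rule:38} pid={pid:<5} {detail}")
```

The rules are deliberately stateful: "Executes dropped EXE" and the batch-file rule only fire when the same trace earlier recorded the file being written by another process, which is what separates this chain from a legitimate installer writing to C:\Windows. The WriteProcessMemory rule flags writes into a browser process regardless of whether the writer is the parent, since the report shows Hacker.com.cn.exe both launching IEXPLORE.EXE and writing to it.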
Network
MITRE ATT&CK Matrix
Downloads
Filesize: 270KB
MD5: 44cacd30f4f713101607e1f1f9021f7e
SHA1: 69ea3a95361a0e14910e1bdbd5f225aa8b88ab18
SHA256: 46da2d2262661d1f632e86e478642f8e1eb5b5faa65ae34d9039e9ea9efdebaf
SHA512: a0e103589d18f53be34c468243492482840e37454e6e03ed085587469edbfd68089e1bf91659acff5287adbe22abc98e4bdb09d2e2664371e3cc0c2941a431b1

Filesize: 190B
MD5: c530a490a14a1aa59b72e78f10cc988a
SHA1: 45e8932fb45b69c4b9d3c899b45bf11bbfb0973d
SHA256: d455b65cb6bbed376c49f74e8af91798284a903831c839aca4bda146553c3f2d
SHA512: b0490f01816b79d327c0a2d258ca19fa51a54112b7a9b8aaa347cdf84661041596e2604e501b0a8fae5c48d6fdbca2b11c5d3d1f69392bbf644f4f49e87173b4