Analysis
- max time kernel: 148s
- max time network: 143s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 08/01/2024, 11:48
Static task: static1
Behavioral task: behavioral1
- Sample: 4b59ccef06a4d735a324887774ce8283.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 4b59ccef06a4d735a324887774ce8283.exe
- Resource: win10v2004-20231215-en
General
- Target: 4b59ccef06a4d735a324887774ce8283.exe
- Size: 248KB
- MD5: 4b59ccef06a4d735a324887774ce8283
- SHA1: 978433ac794d467b20ac40ed883ec823cb539fef
- SHA256: fb56cd80023ce5cbe90f28ac4d958ba7d6b1fcc57472deb2c5d8fbbdff849e55
- SHA512: e96c09972228ca7843265ab627447dd1c299f05fd7e99dfbbf06615c9fbe0122ba2f3ceafa742aa7a0509b3e55e8348127e1688b6c54dace2e574cce758315b9
- SSDEEP: 1536:aaysf2WiMJbdIhmEAu3ryPwiIuSnGt4TmT:a7sf2oG9dfKT
Malware Config
Signatures
- Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | dw20.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | dw20.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | dw20.exe
- Enumerates system info in registry (2 TTPs, 2 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | dw20.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | dw20.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
description | pid | Process
Token: SeRestorePrivilege | 1132 | dw20.exe
Token: SeBackupPrivilege | 1132 | dw20.exe
Token: SeBackupPrivilege | 1132 | dw20.exe
Token: SeBackupPrivilege | 1132 | dw20.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
description | pid | Process | procid_target
PID 4180 wrote to memory of 1132 | 4180 | 4b59ccef06a4d735a324887774ce8283.exe | 91
PID 4180 wrote to memory of 1132 | 4180 | 4b59ccef06a4d735a324887774ce8283.exe | 91
PID 4180 wrote to memory of 1132 | 4180 | 4b59ccef06a4d735a324887774ce8283.exe | 91
Processes
- C:\Users\Admin\AppData\Local\Temp\4b59ccef06a4d735a324887774ce8283.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4b59ccef06a4d735a324887774ce8283.exe"
  PID: 4180
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    Command line: dw20.exe -x -s 868
    PID: 1132
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious use of AdjustPrivilegeToken