Analysis
- max time kernel: 145s
- max time network: 131s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09/01/2024, 19:16
Static task
- static1
Behavioral task
- behavioral1
  Sample: 4efe3d8f510547ea9bc0eeb8c3cbca68.exe
  Resource: win7-20231215-en
Behavioral task
- behavioral2
  Sample: 4efe3d8f510547ea9bc0eeb8c3cbca68.exe
  Resource: win10v2004-20231215-en
General
- Target: 4efe3d8f510547ea9bc0eeb8c3cbca68.exe
- Size: 367KB
- MD5: 4efe3d8f510547ea9bc0eeb8c3cbca68
- SHA1: 840b756f168503eb5936515f9b4b68e0d63b306d
- SHA256: de54a5e0dec0660441f8043d39bcb4eb28ec296f3712d353b8d68fcba5e12cd8
- SHA512: d6ddd1eb1acdfd7cc719019b6fc30959aeb55b6790075fc02cbc6936e87c317199dabdaf650b693d22583dffbfbc7af5d21da229d665fe40e1e198eaaa039b6e
- SSDEEP: 6144:GD+0Mb3W/sEZm6YTmfpUaY6vvYttf+NsB1OnCSntQ1FcO3MHludq:GD+Z6/swJYTwM6ntNsrOCSa1P3akc
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid 5088 | Process: svchost
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  pid 3408 | Process: 4efe3d8f510547ea9bc0eeb8c3cbca68.exe
  pid 5088 | Process: svchost
- Drops file in Windows directory (3 IoCs)
  File created: C:\Windows\svchost | Process: 4efe3d8f510547ea9bc0eeb8c3cbca68.exe
  File opened for modification: C:\Windows\svchost | Process: 4efe3d8f510547ea9bc0eeb8c3cbca68.exe
  File created: C:\Windows\uninstal.bat | Process: 4efe3d8f510547ea9bc0eeb8c3cbca68.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege | pid 3408 | Process: 4efe3d8f510547ea9bc0eeb8c3cbca68.exe
  Token: SeDebugPrivilege | pid 5088 | Process: svchost
- Suspicious use of FindShellTrayWindow (1 IoC)
  pid 5088 | Process: svchost
- Suspicious use of WriteProcessMemory (5 IoCs)
  PID 5088 wrote to memory of 320 | pid 5088 | Process: svchost | procid_target 92
  PID 5088 wrote to memory of 320 | pid 5088 | Process: svchost | procid_target 92
  PID 3408 wrote to memory of 1556 | pid 3408 | Process: 4efe3d8f510547ea9bc0eeb8c3cbca68.exe | procid_target 94
  PID 3408 wrote to memory of 1556 | pid 3408 | Process: 4efe3d8f510547ea9bc0eeb8c3cbca68.exe | procid_target 94
  PID 3408 wrote to memory of 1556 | pid 3408 | Process: 4efe3d8f510547ea9bc0eeb8c3cbca68.exe | procid_target 94
Processes
- C:\Users\Admin\AppData\Local\Temp\4efe3d8f510547ea9bc0eeb8c3cbca68.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\4efe3d8f510547ea9bc0eeb8c3cbca68.exe"
  PID: 3408
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: C:\Windows\system32\cmd.exe /c C:\Windows\uninstal.bat
    PID: 1556
- C:\Windows\svchost (depth 1)
  Command line: C:\Windows\svchost
  PID: 5088
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  - C:\Program Files\Internet Explorer\IexplOrE.ExE (depth 2)
    Command line: "C:\Program Files\Internet Explorer\IexplOrE.ExE"
    PID: 320
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 367KB
  MD5: 4efe3d8f510547ea9bc0eeb8c3cbca68
  SHA1: 840b756f168503eb5936515f9b4b68e0d63b306d
  SHA256: de54a5e0dec0660441f8043d39bcb4eb28ec296f3712d353b8d68fcba5e12cd8
  SHA512: d6ddd1eb1acdfd7cc719019b6fc30959aeb55b6790075fc02cbc6936e87c317199dabdaf650b693d22583dffbfbc7af5d21da229d665fe40e1e198eaaa039b6e
- Filesize: 190B
  MD5: 5aaf6167bc444626a21e417f0316ae6f
  SHA1: e070c0c25b033b3600e993a00435dfb571e8789a
  SHA256: 261d9aa36f6c2b04ceb0e863358e5d84c426e9b420ba6064bc227c1e8dbb886b
  SHA512: 8bf464d6a618930c7db211b0574b53a75aa32b846afec94e7a2309581c2e0703f12c91d9316709291009409f9c50ea90ed0b31abf85a6d54a7e51f2462b2941c