Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20231222-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 13/01/2024, 11:59
Behavioral task: behavioral1
- Sample: e847993bae4d88eb8fe01f72d671ad86375dbcf5eff788bdc360cd982ece62a9.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: e847993bae4d88eb8fe01f72d671ad86375dbcf5eff788bdc360cd982ece62a9.exe
- Resource: win10v2004-20231222-en
General
- Target: e847993bae4d88eb8fe01f72d671ad86375dbcf5eff788bdc360cd982ece62a9.exe
- Size: 536KB
- MD5: f158c92926d7537a8de5dd6bd4f0d657
- SHA1: 30f2cdfea250945928151740933d00cf76cc9099
- SHA256: e847993bae4d88eb8fe01f72d671ad86375dbcf5eff788bdc360cd982ece62a9
- SHA512: 595e6bc883031c045b29d8a8968d13ee2c91f622fda49dd1ef54a9287cd534fea0a8c71db6530d12baf40bc9238adbf5671de28c35d4a928ff5640284ce622a1
- SSDEEP: 12288:Ghf0Bs9bDDq9huzJgIJzgXaEw9Stu/aB9a/Okx2LIa:GdQyDLzJTveuK0/Okx2LF
Malware Config
Signatures
-
Yara rule match (upx) 7 IoCs
resource                                                                     yara_rule
behavioral2/memory/5060-0-0x0000000000960000-0x0000000000A62000-memory.dmp   upx
behavioral2/memory/5060-14-0x0000000000960000-0x0000000000A62000-memory.dmp  upx
behavioral2/memory/5060-25-0x0000000000960000-0x0000000000A62000-memory.dmp  upx
behavioral2/memory/5060-26-0x0000000000960000-0x0000000000A62000-memory.dmp  upx
behavioral2/memory/5060-28-0x0000000000960000-0x0000000000A62000-memory.dmp  upx
behavioral2/memory/5060-45-0x0000000000960000-0x0000000000A62000-memory.dmp  upx
behavioral2/memory/5060-63-0x0000000000960000-0x0000000000A62000-memory.dmp  upx
-
Unexpected DNS network traffic destination 4 IoCs
Traffic on the DNS port to servers other than the configured DNS servers was detected.
description     ioc
Destination IP  223.5.5.5
Destination IP  223.5.5.5
Destination IP  114.114.114.114
Destination IP  114.114.114.114
-
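The signature above is a simple rule: any flow to a DNS port whose destination is not one of the sandbox's configured resolvers is an IoC, and each flow is counted separately (hence 4 IoCs for 2 addresses). Both addresses here are public resolvers (223.5.5.5 is AliDNS, 114.114.114.114 is 114DNS), so the sample is resolving names on its own rather than through the VM's resolver. The following is an added example of that check, not tria.ge's own signature code; the flow records and the configured resolver address 10.127.0.1 are constructed for illustration.

```python
"""Flag DNS-port traffic to resolvers the analysis VM was not configured with.

Added example for this report, not tria.ge's own signature code. The flow
records and the configured resolver address (10.127.0.1) are constructed;
a real deployment would take them from the sandbox pcap and its network
configuration.
"""
from collections import Counter
from dataclasses import dataclass

# Assumed resolver of the analysis VM (constructed value).
CONFIGURED_DNS = frozenset({"10.127.0.1"})
DNS_PORTS = frozenset({53})


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str  # "udp" or "tcp"


# Constructed flows: one lookup against the configured resolver, the four
# queries to public resolvers the report flags, and an unrelated HTTPS flow.
SAMPLE_FLOWS = [
    Flow("10.127.0.10", "10.127.0.1", 53, "udp"),
    Flow("10.127.0.10", "223.5.5.5", 53, "udp"),
    Flow("10.127.0.10", "223.5.5.5", 53, "udp"),
    Flow("10.127.0.10", "114.114.114.114", 53, "udp"),
    Flow("10.127.0.10", "114.114.114.114", 53, "udp"),
    Flow("10.127.0.10", "198.51.100.7", 443, "tcp"),
]


def unexpected_dns_destinations(flows, configured=CONFIGURED_DNS):
    """Return one IoC dict per flow that hits a DNS port on a server outside
    the configured set. Duplicates are kept on purpose: every flow is a
    separate observation, which is why the report lists 4 IoCs for 2 IPs."""
    return [
        {"description": "Destination IP", "ioc": f.dst}
        for f in flows
        if f.dport in DNS_PORTS and f.dst not in configured
    ]


def summarize(iocs):
    """Collapse the IoC list to {address: hit_count} for triage."""
    return dict(Counter(i["ioc"] for i in iocs))


if __name__ == "__main__":
    hits = unexpected_dns_destinations(SAMPLE_FLOWS)
    print(f"{len(hits)} IoCs:", summarize(hits))
```

Caveat: this is a port-based check. A sample that resolves names over DoH (443) or DoT (853) never touches port 53 and would not trigger it, so treat a clean result as "no plaintext DNS bypass", not "no DNS bypass".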
Drops file in Windows directory 1 IoCs
description                   ioc                Process
File opened for modification  C:\Windows\56a108  e847993bae4d88eb8fe01f72d671ad86375dbcf5eff788bdc360cd982ece62a9.exe
-
Suspicious behavior: EnumeratesProcesses 12 IoCs
pid   Process
5060  e847993bae4d88eb8fe01f72d671ad86375dbcf5eff788bdc360cd982ece62a9.exe
5060  e847993bae4d88eb8fe01f72d671ad86375dbcf5eff788bdc360cd982ece62a9.exe
5060  e847993bae4d88eb8fe01f72d671ad86375dbcf5eff788bdc360cd982ece62a9.exe
5060  e847993bae4d88eb8fe01f72d671ad86375dbcf5eff788bdc360cd982ece62a9.exe
5060  e847993bae4d88eb8fe01f72d671ad86375dbcf5eff788bdc360cd982ece62a9.exe
5060  e847993bae4d88eb8fe01f72d671ad86375dbcf5eff788bdc360cd982ece62a9.exe
5060  e847993bae4d88eb8fe01f72d671ad86375dbcf5eff788bdc360cd982ece62a9.exe
5060  e847993bae4d88eb8fe01f72d671ad86375dbcf5eff788bdc360cd982ece62a9.exe
3408  Explorer.EXE
3408  Explorer.EXE
3408  Explorer.EXE
3408  Explorer.EXE
-
Suspicious use of AdjustPrivilegeToken 17 IoCs
description                       pid   Process
Token: SeDebugPrivilege           5060  e847993bae4d88eb8fe01f72d671ad86375dbcf5eff788bdc360cd982ece62a9.exe
Token: SeTcbPrivilege             5060  e847993bae4d88eb8fe01f72d671ad86375dbcf5eff788bdc360cd982ece62a9.exe
Token: SeDebugPrivilege           5060  e847993bae4d88eb8fe01f72d671ad86375dbcf5eff788bdc360cd982ece62a9.exe
Token: SeDebugPrivilege           3408  Explorer.EXE
Token: SeTcbPrivilege             3408  Explorer.EXE
Token: SeShutdownPrivilege        3408  Explorer.EXE
Token: SeCreatePagefilePrivilege  3408  Explorer.EXE
Token: SeShutdownPrivilege        3408  Explorer.EXE
Token: SeCreatePagefilePrivilege  3408  Explorer.EXE
Token: SeShutdownPrivilege        3408  Explorer.EXE
Token: SeCreatePagefilePrivilege  3408  Explorer.EXE
Token: SeShutdownPrivilege        3408  Explorer.EXE
Token: SeCreatePagefilePrivilege  3408  Explorer.EXE
Token: SeShutdownPrivilege        3408  Explorer.EXE
Token: SeCreatePagefilePrivilege  3408  Explorer.EXE
Token: SeShutdownPrivilege        3408  Explorer.EXE
Token: SeCreatePagefilePrivilege  3408  Explorer.EXE
-
Suspicious use of FindShellTrayWindow 2 IoCs
pid   Process
3408  Explorer.EXE
3408  Explorer.EXE
-
Suspicious use of WriteProcessMemory 3 IoCs
description                         pid   Process                                                                  procid_target
PID 5060 wrote to memory of 3408    5060  e847993bae4d88eb8fe01f72d671ad86375dbcf5eff788bdc360cd982ece62a9.exe  76
PID 5060 wrote to memory of 3408    5060  e847993bae4d88eb8fe01f72d671ad86375dbcf5eff788bdc360cd982ece62a9.exe  76
PID 5060 wrote to memory of 3408    5060  e847993bae4d88eb8fe01f72d671ad86375dbcf5eff788bdc360cd982ece62a9.exe  76
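Read together, the AdjustPrivilegeToken and WriteProcessMemory tables describe a process-injection pattern: the sample (PID 5060) enables SeDebugPrivilege and SeTcbPrivilege, then writes three times into the memory of Explorer.EXE (PID 3408), a process it did not create (Explorer is in fact its parent). That Explorer.EXE itself then enables SeDebugPrivilege and SeTcbPrivilege is an inference from the tables, but it is what one would expect if the written code now runs inside Explorer. The following added example correlates those two event types with the same heuristic; it is not tria.ge's signature logic, and the event records and their field names are constructed to mirror the report's rows rather than any real sandbox or Sysmon schema.

```python
"""Correlate privilege enabling with cross-process memory writes.

Added example for this report, not tria.ge's own signature logic. The
event stream below is constructed to mirror the report's
AdjustPrivilegeToken and WriteProcessMemory rows; the field names are an
assumption, not a real sandbox or Sysmon schema.
"""
from collections import defaultdict
from dataclasses import dataclass

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\e847993bae4d88eb8fe01f72d671ad86375dbcf5eff788bdc360cd982ece62a9.exe"
EXPLORER = r"C:\Windows\Explorer.EXE"

# Constructed event stream, oldest first. The last three events are a
# control case: a parent writing into a child it created, which the
# heuristic deliberately leaves alone.
EVENTS = [
    {"kind": "process_create", "pid": 5060, "ppid": 3408, "image": SAMPLE},
    {"kind": "token_adjust", "pid": 5060, "privilege": "SeDebugPrivilege"},
    {"kind": "token_adjust", "pid": 5060, "privilege": "SeTcbPrivilege"},
    {"kind": "write_memory", "pid": 5060, "target_pid": 3408, "target_image": EXPLORER},
    {"kind": "write_memory", "pid": 5060, "target_pid": 3408, "target_image": EXPLORER},
    {"kind": "write_memory", "pid": 5060, "target_pid": 3408, "target_image": EXPLORER},
    {"kind": "process_create", "pid": 4100, "ppid": 3408, "image": r"C:\Windows\System32\cmd.exe"},
    {"kind": "process_create", "pid": 4104, "ppid": 4100, "image": r"C:\Windows\System32\conhost.exe"},
    {"kind": "write_memory", "pid": 4100, "target_pid": 4104, "target_image": r"C:\Windows\System32\conhost.exe"},
]


@dataclass
class Finding:
    pid: int
    target_pid: int
    target_image: str
    writes: int = 0
    debug_privilege: bool = False
    severity: str = "medium"


def cross_process_writes(events):
    """Flag write_memory events whose target the writer did not create.

    A process writing into a child it just spawned is common and is skipped
    here. Writing into an unrelated process (in the report, the shell that
    is also the writer's parent) is the injection pattern. Severity is
    raised to "high" when the writer enabled SeDebugPrivilege beforehand,
    the usual prelude to opening a handle on a process the caller could not
    otherwise access.
    """
    children = defaultdict(set)   # ppid -> {pid}
    debug_enabled = set()         # pids that enabled SeDebugPrivilege
    findings = {}                 # (pid, target_pid) -> Finding
    for ev in events:
        kind = ev["kind"]
        if kind == "process_create":
            children[ev["ppid"]].add(ev["pid"])
        elif kind == "token_adjust" and ev["privilege"] == "SeDebugPrivilege":
            debug_enabled.add(ev["pid"])
        elif kind == "write_memory":
            if ev["target_pid"] in children[ev["pid"]]:
                continue  # writer created the target; not counted here
            key = (ev["pid"], ev["target_pid"])
            f = findings.setdefault(
                key, Finding(ev["pid"], ev["target_pid"], ev["target_image"]))
            f.writes += 1
            if ev["pid"] in debug_enabled:
                f.debug_privilege = True
                f.severity = "high"
    return list(findings.values())


if __name__ == "__main__":
    for f in cross_process_writes(EVENTS):
        print(f"[{f.severity}] PID {f.pid} wrote {f.writes}x into "
              f"{f.target_image} (PID {f.target_pid}); SeDebug={f.debug_privilege}")
```

The parent-writes-into-child exemption is a triage convenience, not a safety proof: process hollowing is exactly a parent writing into a child it created in a suspended state, so a production detector should also look at the child's start state and at the target of any subsequent thread creation.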
Processes
-
1. C:\Windows\Explorer.EXE
   Command line: C:\Windows\Explorer.EXE
   PID: 3408
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of FindShellTrayWindow
   2. C:\Users\Admin\AppData\Local\Temp\e847993bae4d88eb8fe01f72d671ad86375dbcf5eff788bdc360cd982ece62a9.exe (started from Explorer.EXE, PID 3408)
      Command line: "C:\Users\Admin\AppData\Local\Temp\e847993bae4d88eb8fe01f72d671ad86375dbcf5eff788bdc360cd982ece62a9.exe"
      PID: 5060
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
-
Network
MITRE ATT&CK Matrix
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046
- Filesize: 1KB
- MD5: a0de5bca35a5e89ffa483c5d5993dc45
- SHA1: 3475544812b6f84dc8cf28f87bf788b26e1f3638
- SHA256: 15fabee3f4b7e11d37319624c19bb5852a4b537b59877eebf95f26df8b35fd7c
- SHA512: ab81f86c68d2eb230474335896e335344b62dba693dd99a724218e79348c55cbc4864d54d06d95f94239d9abb13404b2d19840861acd6afd4ce02aa2861422b9
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\81B9B36F9ABC4DA631A4713EE66FAEC6_3AF0FDC80EA858911339035786739FF3
- Filesize: 937B
- MD5: 6367d3a9d479080cadd998dc36a4ea77
- SHA1: 40b14e15578298cdf3915849aa82e51ec5a8d7de
- SHA256: 4a040f65819bcc070399f709aa14d20c7e11644be54b3016c1d6d85d837b9cda
- SHA512: 7a404a3e164b57748b8e64484268622c1dd5023d2921d3620470f280e5d307dacfc117f00ec7a234debe4a0ad54266e65cc71f8a945c84e2083821e74daed7e2
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046
- Filesize: 502B
- MD5: 761e2f3feb69a110b4e9bfe8ec1f6185
- SHA1: b919f9627030bf468b9211900f268a92ea12c338
- SHA256: 5102a1bb26c7995f54df8727b242b4f5f079c5d53080fa7ca5202a792791a7d7
- SHA512: 355b54d66eb5a343a1686de10d73f19748cc5419767cb7874fa760ddf29ea4f349f99007bdb99938a12d510ba7a0ba8cfec3000b6087ed66355a455be4203b1b
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\81B9B36F9ABC4DA631A4713EE66FAEC6_3AF0FDC80EA858911339035786739FF3
- Filesize: 520B
- MD5: 507903791ce7b046e5ba6debfd5ac4bd
- SHA1: 0d7a20336d306e13fa516ee31693c2cea27962f6
- SHA256: 39e2c4f291e28ef8dc42868e909af95a973360b3433f1508290865346ce52d99
- SHA512: 142645a5a0dd3d503b9d41a7eca811a7e1dc943282e50c95424efbe376a2f00db5b02a58437112fa5698c7421b898dedba8ba3b6acc16a63c4e03e5d7959e828