Analysis
  max time kernel:  150s
  max time network: 155s
  platform:         windows10-2004_x64
  resource:         win10v2004-20231215-en
  resource tags:    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  submitted:        13/01/2024, 16:16
Static task: static1
Behavioral task: behavioral1
  Sample:   592a8906d5d2f9f400c7bdacda767f99.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample:   592a8906d5d2f9f400c7bdacda767f99.exe
  Resource: win10v2004-20231215-en
General
  Target: 592a8906d5d2f9f400c7bdacda767f99.exe
  Size:   164KB
  MD5:    592a8906d5d2f9f400c7bdacda767f99
  SHA1:   dc0ffc1b4fea0af06950e96fc7d4918c2141fb47
  SHA256: 5a236c258c34a031cdfeff9821f4d8c706ea1cacf70fe7dd4f06dcf7c13725da
  SHA512: 9379cd9e312afddf1b5b10947c92f2bfcbd936b4481885f64902ab9dcc3c45953c65b45f09d5c07640a6ea6991271d62c315d9d4e116ac0159ec580cec685e8a
  SSDEEP: 3072:98YFaqe9ZjBozEV+Rvq/nFBi14WOZJRHQCiTD8ukT1pB:9BEL9ZFooVcvS7iSpZ3H6D8ukT
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
    pid 688   svchest131642.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
    Set value (str)   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\:\Program Files\Common Files\svchest131642.exe = "C:\\Program Files\\Common Files\\svchest131642.exe"   Process: 592a8906d5d2f9f400c7bdacda767f99.exe
- Drops file in Program Files directory (3 IoCs)
    File opened for modification   C:\Program Files\Common Files\svchest131642.exe   Process: 592a8906d5d2f9f400c7bdacda767f99.exe
    File created                   C:\Program Files\svchest.exe                      Process: svchest131642.exe
    File created                   C:\Program Files\Common Files\svchest131642.exe   Process: 592a8906d5d2f9f400c7bdacda767f99.exe
- Kills process with taskkill (2 IoCs)
    pid 1064   taskkill.exe
    pid 3040   taskkill.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
    pid 688   svchest131642.exe   (64 identical entries)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
    Token: SeDebugPrivilege   pid 3040   taskkill.exe
    Token: SeDebugPrivilege   pid 1064   taskkill.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
    PID 5032 wrote to memory of 3040   pid 5032   592a8906d5d2f9f400c7bdacda767f99.exe   procid_target 42   (3 entries)
    PID 5032 wrote to memory of 688    pid 5032   592a8906d5d2f9f400c7bdacda767f99.exe   procid_target 56   (3 entries)
    PID 688 wrote to memory of 1064    pid 688    svchest131642.exe                       procid_target 75   (3 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\592a8906d5d2f9f400c7bdacda767f99.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\592a8906d5d2f9f400c7bdacda767f99.exe"
  PID: 5032 (depth 1)
  Signatures: Adds Run key to start application; Drops file in Program Files directory; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\taskkill.exe
    Command line: taskkill /f /im Ksafetray.exe
    PID: 3040 (depth 2)
    Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Program Files\Common Files\svchest131642.exe
    Command line: "C:\Program Files\Common Files\svchest131642.exe"
    PID: 688 (depth 2)
    Signatures: Executes dropped EXE; Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /f /im Ksafetray.exe
      PID: 1064 (depth 3)
      Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 127KB
  MD5:    0a5850d165b9e20e6c2bc278cdf870c1
  SHA1:   09b8f7d48ab2252184bf58bb9419aef340faef7f
  SHA256: 3263667af2c1acecff87d72cf4006f8814d084a74341825c5196df70158f9f6f
  SHA512: 1422ee4ff61154e759c171c23e9b8e1f341e8a58f990f522c20681176291e745c4192469443acda9952d66c745738c3483d3bda05d5b67531975c9a0c04a1e8b
- Filesize: 82KB
  MD5:    033328478c1c5b07189fcc26e04596fc
  SHA1:   3aa4a831a8eab91eb9de27ad24b1d4ebcd24ca78
  SHA256: 252aba6305b89dd5049f6513806442fee29a090b651153345ff2e153a3022519
  SHA512: 24883a06ca97e702c41a02c3aa60320d111c526fe4b970a022eb3472e1bf5dfe3f2419976f1e3e26fc44cbecbca404ab25d0cbb9ce6cd7e83e309f70e90c485e
- Filesize: 122B
  MD5:    bf49b01c5875118eae50be155f57d56b
  SHA1:   d1bda5fe15a1cae7bfeff69346dff875319656a2
  SHA256: 861b9a824d3f6b4ca8fea46c97cf0fc243ce51ac4aa67f5432a479a822ad4592
  SHA512: 3736bb76e2b280d6557b7508d88a895a28e7c83c2a56025c234ae93952b0a1548e7cb2091999bfd1d249107085ae60233e478628ec36d16ab6e54ee91fe50629