Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    140s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    15/01/2024, 03:46

General

  • Target

    5c0dd9bdca98af3d296496f07a3d8cd5.exe

  • Size

    606KB

  • MD5

    5c0dd9bdca98af3d296496f07a3d8cd5

  • SHA1

    4c1967fbd36d4b6f85965d418ef331713ed8c126

  • SHA256

    8ed3425a9032e3bf6af2f8f99812aecb98266d7946d04c9e14c2065c175171a6

  • SHA512

    7851bbe09cdb174575e63e3e97cc4fecbfaa85fc5ef667979d7fa785684ec1decf3cb3614e2ae2527a3f0410f919daba368a8db89a80eeb2c45cb0fddd06ecfd

  • SSDEEP

    12288:8aOuKf6/agO+Xuc6G1ZRqLFuVOohOMDXasrXCckE3G:8ag5+Xj1nqcLDXa2CvEW

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 4 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5c0dd9bdca98af3d296496f07a3d8cd5.exe
    "C:\Users\Admin\AppData\Local\Temp\5c0dd9bdca98af3d296496f07a3d8cd5.exe"
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:4620
    • C:\Windows\svchost.exe
      "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\5c0dd9bdca98af3d296496f07a3d8cd5.exe"
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1280
      • C:\Users\Admin\AppData\Local\Temp\5c0dd9bdca98af3d296496f07a3d8cd5.exe
        "C:\Users\Admin\AppData\Local\Temp\5c0dd9bdca98af3d296496f07a3d8cd5.exe"
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:3312
        • \??\c:\a6b349ebddab1e316c392d548ed70c\update\update.exe
          c:\a6b349ebddab1e316c392d548ed70c\update\update.exe
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          PID:4956
  • C:\Windows\svchost.exe
    C:\Windows\svchost.exe
    • Executes dropped EXE
    • Drops file in Program Files directory
    PID:5060

Network

MITRE ATT&CK Matrix


Downloads

  • C:\Users\Admin\AppData\Local\Temp\5c0dd9bdca98af3d296496f07a3d8cd5.exe

    Filesize

    544KB

  • C:\Users\Admin\AppData\Local\Temp\5c0dd9bdca98af3d296496f07a3d8cd5.exe

    Filesize

    571KB

  • C:\Windows\svchost.exe

    Filesize

    35KB

  • C:\a6b349ebddab1e316c392d548ed70c\update\update.exe

    Filesize

    615KB

  • \??\c:\a6b349ebddab1e316c392d548ed70c\Update\HDAUpdate_Srv2k3.inf

    Filesize

    6KB

  • \??\c:\a6b349ebddab1e316c392d548ed70c\update\update.exe

    Filesize

    544KB

  • \??\c:\a6b349ebddab1e316c392d548ed70c\update\updatebr.inf

    Filesize

    387B

  • memory/1280-11-0x0000000000400000-0x000000000040D000-memory.dmp

    Filesize

    52KB

  • memory/5060-57-0x0000000000400000-0x000000000040D000-memory.dmp

    Filesize

    52KB