Analysis
- max time kernel: 147s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18/01/2024, 01:23
Static task
- static1
Behavioral task
- behavioral1: Sample 641cd01e7405ae9fea7ab07cd90d7e92.exe, Resource win7-20231215-en
- behavioral2: Sample 641cd01e7405ae9fea7ab07cd90d7e92.exe, Resource win10v2004-20231215-en
General
- Target: 641cd01e7405ae9fea7ab07cd90d7e92.exe
- Size: 593KB
- MD5: 641cd01e7405ae9fea7ab07cd90d7e92
- SHA1: 3eb0d97da4b62692ceca9ea7045ed3cc8356ecdf
- SHA256: 67ede6407855ec22985a843b52f5d5ad8169aafc396606f742029bf05d10233f
- SHA512: b4d77a5d7c86b6c59cb704e2258d6acd7711b60f6b06d64b78ba4fd8cbe4e3c4a6c60ea92130490f5ee1b25cc5f587bce0e93ba12be6782653e1e784d07ea33b
- SSDEEP: 12288:xH6kPIA9mR9jXZkTMxRACxFF3Z4mxxtRvz2JG0/BY:xHNB9mRRpk4xWCHQmXtgJG0/G
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  - pid 3332, process Hacker.com.cn.exe
- Drops file in Windows directory (3 IoCs)
  - File created: C:\Windows\Hacker.com.cn.exe (process 641cd01e7405ae9fea7ab07cd90d7e92.exe)
  - File opened for modification: C:\Windows\Hacker.com.cn.exe (process 641cd01e7405ae9fea7ab07cd90d7e92.exe)
  - File created: C:\Windows\uninstal.bat (process 641cd01e7405ae9fea7ab07cd90d7e92.exe)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  - Token: SeDebugPrivilege, pid 384, process 641cd01e7405ae9fea7ab07cd90d7e92.exe
  - Token: SeDebugPrivilege, pid 3332, process Hacker.com.cn.exe
- Suspicious use of FindShellTrayWindow (1 IoC)
  - pid 3332, process Hacker.com.cn.exe
- Suspicious use of WriteProcessMemory (5 IoCs)
  - PID 3332 wrote to memory of 4304 (pid 3332, process Hacker.com.cn.exe, procid_target 91)
  - PID 3332 wrote to memory of 4304 (pid 3332, process Hacker.com.cn.exe, procid_target 91)
  - PID 384 wrote to memory of 3664 (pid 384, process 641cd01e7405ae9fea7ab07cd90d7e92.exe, procid_target 95)
  - PID 384 wrote to memory of 3664 (pid 384, process 641cd01e7405ae9fea7ab07cd90d7e92.exe, procid_target 95)
  - PID 384 wrote to memory of 3664 (pid 384, process 641cd01e7405ae9fea7ab07cd90d7e92.exe, procid_target 95)
Processes
- C:\Users\Admin\AppData\Local\Temp\641cd01e7405ae9fea7ab07cd90d7e92.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\641cd01e7405ae9fea7ab07cd90d7e92.exe"
  PID: 384
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Child: C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c C:\Windows\uninstal.bat
    PID: 3664
- C:\Windows\Hacker.com.cn.exe
  Command line: C:\Windows\Hacker.com.cn.exe
  PID: 3332
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  - Child: C:\Program Files\Internet Explorer\IEXPLORE.EXE
    Command line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
    PID: 4304
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 329KB
  MD5: 1d0a9b94de8639bdc72ce55b7a53644e
  SHA1: 5552540ef5f5e0b1762e5bcec4faa678e8363ebb
  SHA256: 1e00c2c5c3956a61c1ed7725adbd8d144d95c5366c4586861647e3d7ec691b07
  SHA512: 7c25c6986da3bc6f4de64bd263b48be363a632c624c9174cd70832fa2ecf1a3f0a024de12413fb40ae9ffb1155b1b35225c9a8a793135c001fbe3fb732e4c3b1
- Filesize: 338KB
  MD5: 89b9f783f24e45f7d27859c06b43a420
  SHA1: 2e75d5afa52fdabb340890a21f650a544375713d
  SHA256: 6b98b2ffaa9778886cf9faec1debaac4ae913ed5da41854dda8016372a7d4107
  SHA512: b5e0c2a0c17ce48d5d36b9297a3ad90ca026488ea74a38d3c663f50669eef8d195e5257680eec615d097c7152a9c7869e1d6decc620f984f3460323ad17a3cf6
- Filesize: 190B
  MD5: 09cc8a879facab99fcec5aab71cac9b5
  SHA1: 1296068e439a723274cc816a81f5af47c1987401
  SHA256: 6640aa359a1049ceda71efb7db48842866f1a9199128f37e17e16fc840ccffba
  SHA512: e99ff744bef58f2d0b0403e335c7d917cf7eedda6c8b5e39483b67410a84247c6440f9e3621c8bf31e958b1e457310032c674b58382667fc59545695f4b94058