Analysis
max time kernel: 149s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18/01/2024, 12:58

Static task: static1

Behavioral task: behavioral1
  Sample: 656eb12e066611facea04c07829c6463.exe
  Resource: win7-20231215-en

Behavioral task: behavioral2
  Sample: 656eb12e066611facea04c07829c6463.exe
  Resource: win10v2004-20231222-en
General
-
Target
656eb12e066611facea04c07829c6463.exe
-
Size
1.6MB
-
MD5
656eb12e066611facea04c07829c6463
-
SHA1
081f1246067d9357dc14746d9f485ab6ccefe3e4
-
SHA256
dd0b856cfae3e47857fd9b02e8704fb47b2cc7d7b5419709bffc3ae1f9fd3e33
-
SHA512
f8a150df2f3393f899d0ed9fadf2447cb6d5a5182fd02f347ac165dbb23143d011c1e2ef78d010955d80ef62dfb062e95e308a658d86bab688bd8f175f115a3c
-
SSDEEP
49152:j2fp/YXq3wH+WpBaR7CRqrTJX7jExnDe7G/aQ:Kfp/Oq3wRpgFrV/Exq76
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  pid 1904  Stp4B70_TMP.EXE
  pid 5012  Stp4B70_TMP.tmp
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeManageVolumePrivilege  pid 3656  svchost.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description                          pid   process                               procid_target
  PID 1964 wrote to memory of 1904     1964  656eb12e066611facea04c07829c6463.exe  89
  PID 1964 wrote to memory of 1904     1964  656eb12e066611facea04c07829c6463.exe  89
  PID 1964 wrote to memory of 1904     1964  656eb12e066611facea04c07829c6463.exe  89
  PID 1904 wrote to memory of 5012     1904  Stp4B70_TMP.EXE                       90
  PID 1904 wrote to memory of 5012     1904  Stp4B70_TMP.EXE                       90
  PID 1904 wrote to memory of 5012     1904  Stp4B70_TMP.EXE                       90
Processes
- C:\Users\Admin\AppData\Local\Temp\656eb12e066611facea04c07829c6463.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\656eb12e066611facea04c07829c6463.exe"
  PID: 1964
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Stp4B70_TMP.EXE
    Command line: "C:\Users\Admin\AppData\Local\Temp\Stp4B70_TMP.EXE"
    PID: 1904
    Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\is-Q6LC5.tmp\Stp4B70_TMP.tmp
      Command line: "C:\Users\Admin\AppData\Local\Temp\is-Q6LC5.tmp\Stp4B70_TMP.tmp" /SL5="$401E2,1335752,53248,C:\Users\Admin\AppData\Local\Temp\Stp4B70_TMP.EXE"
      PID: 5012
      Signatures: Executes dropped EXE
- C:\Windows\system32\rundll32.exe
  Command line: "C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
  PID: 756
- C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k UnistackSvcGroup
  PID: 3656
  Signatures: Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15