Analysis
max time kernel: 148s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18/01/2024, 12:11
Static task: static1
Behavioral task: behavioral1 (Sample: tmp.exe, Resource: win7-20231215-en)
Behavioral task: behavioral2 (Sample: tmp.exe, Resource: win10v2004-20231222-en)
General
Target: tmp.exe
Size: 535KB
MD5: 0af0403435aa81cb0066833a493bb2bd
SHA1: bbe32b64576652959d511ebb91ab8078a2481c0f
SHA256: 4419415dffa5c427d65cf8d0367d07303c5d932823fdf6c62f60929d6d35eb72
SHA512: 2f6c68d72451ecb620382f4c6f36a508fb4b2e24faf96e6698dd63c0bb68ac64140cba49a991b1df36c53982eca7ccd7230a6add97a990d2ab94a60a579707bc
SSDEEP: 12288:Oz/mbW5bWKISUKyDXlzeJSBjpfMkwwfwD52n:+ubW5bWKIFLX5ewC52n
Malware Config
Signatures
Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid   Process
2544  tmp.exe
2544  tmp.exe
5076  powershell.exe
5076  powershell.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
description                     pid   Process
Token: SeDebugPrivilege         2544  tmp.exe
Token: SeDebugPrivilege         5076  powershell.exe
Token: SeManageVolumePrivilege  4580  svchost.exe

Suspicious use of WriteProcessMemory (2 IoCs)
description                        pid   Process  procid_target
PID 2544 wrote to memory of 5076   2544  tmp.exe  42
PID 2544 wrote to memory of 5076   2544  tmp.exe  42
Processes
C:\Users\Admin\AppData\Local\Temp\tmp.exe (PID 2544)
  command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 5076)
      command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\rundll32.exe (PID 1324)
  command line: "C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
C:\Windows\System32\svchost.exe (PID 4580)
  command line: C:\Windows\System32\svchost.exe -k UnistackSvcGroup
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 169B
MD5: f260d997847031123b867315e786a3d6
SHA1: 615bbfa05aa7eb9ae9fe02ebf757265d76a08a5a
SHA256: 26c9afc6ec388c82deb202d2fdb8851eb5a1f8c612d134f7d930ddc78f59a60b
SHA512: a8fc78cd1d98dba42710bb2fc4a6678957dc0d90c9d7b3a6856b0c4ed833b49cd720e4cc8991a37fbcff0a79beb2254bbbbdf3a513c9a1e153d47f837c94e579