Analysis
max time kernel: 143s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/01/2024, 13:55
Static task: static1
Behavioral task: behavioral1
  Sample: 74dd30781f439b8ba87ff15e38e9feb7.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 74dd30781f439b8ba87ff15e38e9feb7.exe
  Resource: win10v2004-20231215-en
General
Target: 74dd30781f439b8ba87ff15e38e9feb7.exe
Size: 24KB
MD5: 74dd30781f439b8ba87ff15e38e9feb7
SHA1: 69d0dfcab05663214b00cb4584493ac72a78a790
SHA256: 64b586b3c1ad5ef4fb644178403d06a277ea7725dc989fe8f880068f801b0ab3
SHA512: b08910166d12f0d5d3327e37e877e23c5484a494c4d296a0f1210ac3e980022d3c672a476cd7b7081c6c481a080961cd58955c11e8e2bcbdc5ad7af5622d9864
SSDEEP: 384:E3eVES+/xwGkRKJnJtlM61qmTTMVF9/q5f0:bGS+ZfbJnO8qYoAc
Malware Config
Signatures

Adds Run key to start application (2 TTPs, 1 IoC)
description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Start GeekBuddy = "C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\1033\\spoolsv.exe"
process: 74dd30781f439b8ba87ff15e38e9feb7.exe
Note: the value lands under WOW6432Node because the sample is a 32-bit process on the x64 guest (see the arch:x86 resource tag and the SysWOW64 child processes). The path it points at is the file dropped in the next signature; it borrows the name of the Print Spooler binary, whose legitimate copy lives in C:\Windows\System32, not under Program Files.

Drops file in Program Files directory (1 IoC)
description: File created
ioc: C:\Program Files\Common Files\Microsoft Shared\Web Folders\1033\spoolsv.exe
process: 74dd30781f439b8ba87ff15e38e9feb7.exe

Enumerates processes with tasklist (1 TTP, 1 IoC)
pid 1164: tasklist.exe

Gathers network information (2 TTPs, 2 IoCs)
Uses commandline utility to view network configuration.
pid 2816: ipconfig.exe
pid 4468: NETSTAT.EXE

Runs net.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Token: SeDebugPrivilege, pid 1164: tasklist.exe
Token: SeDebugPrivilege, pid 4468: NETSTAT.EXE
Note: both IoCs come from the recon utilities the sample launched, which enable SeDebugPrivilege in normal operation; they are not evidence of privilege abuse by the sample itself.

Suspicious use of SetWindowsHookEx (2 IoCs)
pid 3600: 74dd30781f439b8ba87ff15e38e9feb7.exe (listed twice in the report)

Suspicious use of WriteProcessMemory (21 IoCs)
The report lists each parent/child pair three times; the seven distinct pairs are:
PID 3600 (74dd30781f439b8ba87ff15e38e9feb7.exe) wrote to memory of 3148 (cmd.exe), procid_target 85
PID 3148 (cmd.exe) wrote to memory of 4648 (cmd.exe), procid_target 87
PID 3148 (cmd.exe) wrote to memory of 2816 (ipconfig.exe), procid_target 89
PID 3148 (cmd.exe) wrote to memory of 1164 (tasklist.exe), procid_target 90
PID 3148 (cmd.exe) wrote to memory of 2084 (net.exe), procid_target 94
PID 2084 (net.exe) wrote to memory of 1604 (net1.exe), procid_target 95
PID 3148 (cmd.exe) wrote to memory of 4468 (NETSTAT.EXE), procid_target 96
Note: every target PID is a child the writer has just created (compare the Processes tree below), so these writes are the parent setting up its own children, not injection into an unrelated process.
Processes

C:\Users\Admin\AppData\Local\Temp\74dd30781f439b8ba87ff15e38e9feb7.exe (PID 3600)
  command line: "C:\Users\Admin\AppData\Local\Temp\74dd30781f439b8ba87ff15e38e9feb7.exe"
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe (PID 3148)
    command line: cmd /c ver >c:\windows\temp\flash.log & cmd /c set >>c:\windows\temp\flash.log & ipconfig /all >>c:\windows\temp\flash.log & tasklist >>c:\windows\temp\flash.log & net start>>c:\windows\temp\flash.log & netstat -an >>c:\windows\temp\flash.log
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (PID 4648)
      command line: cmd /c set
    C:\Windows\SysWOW64\ipconfig.exe (PID 2816)
      command line: ipconfig /all
      - Gathers network information
    C:\Windows\SysWOW64\tasklist.exe (PID 1164)
      command line: tasklist
      - Enumerates processes with tasklist
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\net.exe (PID 2084)
      command line: net start
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\net1.exe (PID 1604)
        command line: C:\Windows\system32\net1 start
    C:\Windows\SysWOW64\NETSTAT.EXE (PID 4468)
      command line: netstat -an
      - Gathers network information
      - Suspicious use of AdjustPrivilegeToken

The single cmd.exe command line is the whole host-reconnaissance step: OS version (ver), environment variables (set), network configuration (ipconfig /all), the process list (tasklist), running services (net start) and every socket (netstat -an) are appended in turn to c:\windows\temp\flash.log. Nothing listed in this report shows that file being read or transmitted afterwards.
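Two of the behaviours above are worth detecting from endpoint telemetry: a Run key whose data names a system binary (spoolsv.exe) stored outside System32/SysWOW64, and one cmd.exe launching a burst of recon utilities with their output redirected into a single file. The script below is an added example written for this page; it is not part of the tria.ge report or the sample. It assumes Sysmon-style records (EventID 1 process creation with Image/CommandLine/ParentProcessId/ParentImage, EventID 13 registry value set with TargetObject/Details); the events are constructed from the process tree above, with invented timestamps, plus a benign control that must not fire.

```python
# Added example: detection over Sysmon-style events (field names assumed, events constructed).
from collections import defaultdict
from datetime import datetime, timedelta
import ntpath
import re

# Host-recon utilities worth counting when one cmd.exe launches several of them.
RECON_TOOLS = {"ipconfig.exe", "tasklist.exe", "net.exe", "netstat.exe",
               "systeminfo.exe", "whoami.exe", "arp.exe", "route.exe", "nltest.exe"}
# Service binaries that legitimately live only in System32/SysWOW64.
SYSTEM_BINARY_NAMES = {"spoolsv.exe", "svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
REDIRECT_RE = re.compile(r">>?\s*([^\s&|]+)")   # file named by a `>` or `>>` redirect
TIME_FMT = "%Y-%m-%d %H:%M:%S.%f"


def _exe_path(value):
    """Executable path from Run-key data: quoted, or unquoted and possibly containing spaces."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    m = re.match(r"(.+?\.exe)(\s|$)", value, re.IGNORECASE)
    return m.group(1) if m else value.split(" ", 1)[0]


def masquerading_run_keys(events):
    """Run/RunOnce values whose target borrows a system binary's name outside System32/SysWOW64."""
    hits = []
    for e in events:
        if e["EventID"] != 13 or not RUN_KEY_RE.search(e["TargetObject"]):
            continue
        path = _exe_path(e["Details"])
        name, folder = ntpath.basename(path).lower(), ntpath.dirname(path).lower()
        if name in SYSTEM_BINARY_NAMES and not folder.endswith(("\\system32", "\\syswow64")):
            hits.append({"key": e["TargetObject"], "path": path, "writer": e["Image"]})
    return hits


def _is_recon_child(e):
    """A recon tool, or a nested `cmd /c set` / `cmd /c ver` dumping environment or OS version."""
    image = ntpath.basename(e["Image"]).lower()
    if image in RECON_TOOLS:
        return True
    return image == "cmd.exe" and re.search(r"/c\s+(set|ver)\s*$", e["CommandLine"], re.I) is not None


def recon_bursts(events, min_tools=3, window=timedelta(seconds=60)):
    """cmd.exe parents launching >= min_tools distinct recon children within `window` of the
    first one; each finding carries the redirect targets from the parent's own command line."""
    by_pid = {e["ProcessId"]: e for e in events if e["EventID"] == 1}
    children = defaultdict(list)
    for e in events:
        if e["EventID"] == 1 and _is_recon_child(e):
            children[e["ParentProcessId"]].append(e)
    findings = []
    for ppid, kids in children.items():
        parent = by_pid.get(ppid)
        if parent is None or ntpath.basename(parent["Image"]).lower() != "cmd.exe":
            continue
        kids.sort(key=lambda k: datetime.strptime(k["UtcTime"], TIME_FMT))
        first = datetime.strptime(kids[0]["UtcTime"], TIME_FMT)
        in_window = [k for k in kids if datetime.strptime(k["UtcTime"], TIME_FMT) - first <= window]
        tools = sorted({ntpath.basename(k["Image"]).lower() for k in in_window})
        if len(tools) >= min_tools:
            findings.append({"parent_pid": ppid, "grandparent": ntpath.basename(parent["ParentImage"]),
                             "tools": tools,
                             "output_files": sorted(set(REDIRECT_RE.findall(parent["CommandLine"])))})
    return findings


def _proc(t, pid, image, cmdline, ppid, pimage):
    return {"EventID": 1, "UtcTime": t, "ProcessId": pid, "Image": image,
            "CommandLine": cmdline, "ParentProcessId": ppid, "ParentImage": pimage}


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\74dd30781f439b8ba87ff15e38e9feb7.exe"
W64 = r"C:\Windows\SysWOW64" + "\\"
CMD = W64 + "cmd.exe"
LOG = r"c:\windows\temp\flash.log"
RECON_CMD = (f"cmd /c ver >{LOG} & cmd /c set >>{LOG} & ipconfig /all >>{LOG} & "
             f"tasklist >>{LOG} & net start>>{LOG} & netstat -an >>{LOG}")

# Constructed events: the report's tree and Run-key write (timestamps invented), then a benign
# control (an admin shell running one ipconfig, and an ordinary Run value) that must not fire.
EVENTS = [
    _proc("2024-01-25 13:56:00.000", 3600, SAMPLE, f'"{SAMPLE}"', 1234, r"C:\Windows\explorer.exe"),
    {"EventID": 13, "UtcTime": "2024-01-25 13:56:00.500", "ProcessId": 3600, "Image": SAMPLE,
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Start GeekBuddy",
     "Details": r"C:\Program Files\Common Files\Microsoft Shared\Web Folders\1033\spoolsv.exe"},
    _proc("2024-01-25 13:56:01.000", 3148, CMD, RECON_CMD, 3600, SAMPLE),
    _proc("2024-01-25 13:56:01.100", 4648, CMD, "cmd /c set", 3148, CMD),
    _proc("2024-01-25 13:56:01.200", 2816, W64 + "ipconfig.exe", "ipconfig /all", 3148, CMD),
    _proc("2024-01-25 13:56:01.300", 1164, W64 + "tasklist.exe", "tasklist", 3148, CMD),
    _proc("2024-01-25 13:56:01.400", 2084, W64 + "net.exe", "net start", 3148, CMD),
    _proc("2024-01-25 13:56:01.450", 1604, W64 + "net1.exe", r"C:\Windows\system32\net1 start", 2084, W64 + "net.exe"),
    _proc("2024-01-25 13:56:01.500", 4468, W64 + "NETSTAT.EXE", "netstat -an", 3148, CMD),
    _proc("2024-01-25 14:10:00.000", 5000, CMD, "cmd.exe", 4000, r"C:\Windows\explorer.exe"),
    _proc("2024-01-25 14:10:05.000", 5001, W64 + "ipconfig.exe", "ipconfig /all", 5000, CMD),
    {"EventID": 13, "UtcTime": "2024-01-25 14:11:00.000", "ProcessId": 5002, "Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
]


def triage(events=EVENTS):
    return {"run_key_masquerade": masquerading_run_keys(events), "recon_bursts": recon_bursts(events)}


if __name__ == "__main__":
    for kind, items in triage().items():
        print(kind, items)
```

The burst rule keys on the parent rather than on any single utility, which is what separates this sample's chain from an administrator typing `ipconfig /all`; the redirect target is reported so the collector file can be pulled for forensics. The Run-key rule deliberately checks the folder, not just the name, because the legitimate spooler path would otherwise match.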
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 14KB
MD5: bdc4a087a6193f4f13241fcaf8d9107d
SHA1: 2b86b98a329f63fd74d58463acfc43fe1ebf63fa
SHA256: 3bf40a3974c7975863c4d86dc67b26b0c3712937913c1aac4b17db4f26d2ab74
SHA512: 58e49933c197047ab714b60acf51ee0fd33217ae63fb3a3e476603ea3f28cd46bc10facae0bef914b8597f7c664bae6f3fb36dd1c94d03ccafdb065607240952