Analysis
max time kernel: 118s
max time network: 119s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 03/02/2024, 20:18
Behavioral task: behavioral1
Sample: 8d4026927e63b4f57f0cf29c9b533eae.exe
Resource: win7-20231215-en

Behavioral task: behavioral2
Sample: 8d4026927e63b4f57f0cf29c9b533eae.exe
Resource: win10v2004-20231215-en
General
Target: 8d4026927e63b4f57f0cf29c9b533eae.exe
Size: 12.3MB
MD5: 8d4026927e63b4f57f0cf29c9b533eae
SHA1: f4cf91a6416fb107e18df48b467ed188ad058db9
SHA256: 069ff67f9dd8ce03ffe71958852da3cfd59adbb5d5094f499d155f9e7b61d62d
SHA512: 5c3fb03e3e566936d173fe3912e9c01003cb1cb635d0b4d6dc34ce29d3a865016d759a25a8bc4e39d75746f1ec70fc42c80894cb598dac057dc0597f750d20fe
SSDEEP: 393216:uoJcTniUayxkDMBswCdv2IxqT3exAICSIO1:9+TniURGYwRYD2
Malware Config

Signatures

resource                                                                     yara_rule
behavioral1/memory/2264-0-0x0000000000400000-0x0000000001B3E000-memory.dmp   vmprotect
behavioral1/memory/2264-41-0x0000000000400000-0x0000000001B3E000-memory.dmp  vmprotect
behavioral1/memory/2264-47-0x0000000000400000-0x0000000001B3E000-memory.dmp  vmprotect
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description                   ioc                 Process
File opened for modification  \??\PhysicalDrive0  8d4026927e63b4f57f0cf29c9b533eae.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid   Process
2264  8d4026927e63b4f57f0cf29c9b533eae.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid   Process
2264  8d4026927e63b4f57f0cf29c9b533eae.exe
2264  8d4026927e63b4f57f0cf29c9b533eae.exe
Suspicious use of AdjustPrivilegeToken 40 IoCs
Each of the following 20 token adjustments is recorded twice (40 IoCs in total), all by PID 2836 (wmic.exe):

description                           pid   Process
Token: SeIncreaseQuotaPrivilege       2836  wmic.exe
Token: SeSecurityPrivilege            2836  wmic.exe
Token: SeTakeOwnershipPrivilege       2836  wmic.exe
Token: SeLoadDriverPrivilege          2836  wmic.exe
Token: SeSystemProfilePrivilege       2836  wmic.exe
Token: SeSystemtimePrivilege          2836  wmic.exe
Token: SeProfSingleProcessPrivilege   2836  wmic.exe
Token: SeIncBasePriorityPrivilege     2836  wmic.exe
Token: SeCreatePagefilePrivilege      2836  wmic.exe
Token: SeBackupPrivilege              2836  wmic.exe
Token: SeRestorePrivilege             2836  wmic.exe
Token: SeShutdownPrivilege            2836  wmic.exe
Token: SeDebugPrivilege               2836  wmic.exe
Token: SeSystemEnvironmentPrivilege   2836  wmic.exe
Token: SeRemoteShutdownPrivilege      2836  wmic.exe
Token: SeUndockPrivilege              2836  wmic.exe
Token: SeManageVolumePrivilege        2836  wmic.exe
Token: 33                             2836  wmic.exe
Token: 34                             2836  wmic.exe
Token: 35                             2836  wmic.exe
Suspicious use of SetWindowsHookEx 2 IoCs
pid   Process
2264  8d4026927e63b4f57f0cf29c9b533eae.exe
2264  8d4026927e63b4f57f0cf29c9b533eae.exe
Suspicious use of WriteProcessMemory 4 IoCs
description                       pid   Process                               procid_target
PID 2264 wrote to memory of 2836  2264  8d4026927e63b4f57f0cf29c9b533eae.exe  28
PID 2264 wrote to memory of 2836  2264  8d4026927e63b4f57f0cf29c9b533eae.exe  28
PID 2264 wrote to memory of 2836  2264  8d4026927e63b4f57f0cf29c9b533eae.exe  28
PID 2264 wrote to memory of 2836  2264  8d4026927e63b4f57f0cf29c9b533eae.exe  28
Processes

1. C:\Users\Admin\AppData\Local\Temp\8d4026927e63b4f57f0cf29c9b533eae.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\8d4026927e63b4f57f0cf29c9b533eae.exe"
   PID: 2264
   - Writes to the Master Boot Record (MBR)
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\Wbem\wmic.exe
      Command line: wmic BaseBoard get SerialNumber
      PID: 2836
      - Suspicious use of AdjustPrivilegeToken