Analysis
- max time kernel: 90s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03/02/2024, 20:18
Behavioral task: behavioral1
- Sample: 8d4026927e63b4f57f0cf29c9b533eae.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 8d4026927e63b4f57f0cf29c9b533eae.exe
- Resource: win10v2004-20231215-en
General
- Target: 8d4026927e63b4f57f0cf29c9b533eae.exe
- Size: 12.3MB
- MD5: 8d4026927e63b4f57f0cf29c9b533eae
- SHA1: f4cf91a6416fb107e18df48b467ed188ad058db9
- SHA256: 069ff67f9dd8ce03ffe71958852da3cfd59adbb5d5094f499d155f9e7b61d62d
- SHA512: 5c3fb03e3e566936d173fe3912e9c01003cb1cb635d0b4d6dc34ce29d3a865016d759a25a8bc4e39d75746f1ec70fc42c80894cb598dac057dc0597f750d20fe
- SSDEEP: 393216:uoJcTniUayxkDMBswCdv2IxqT3exAICSIO1:9+TniURGYwRYD2
Malware Config
Signatures
- YARA rule matches (resource, yara_rule):
  - behavioral2/memory/1272-3-0x0000000000400000-0x0000000001B3E000-memory.dmp: vmprotect
  - behavioral2/memory/1272-10-0x0000000000400000-0x0000000001B3E000-memory.dmp: vmprotect
  - behavioral2/memory/1272-15-0x0000000000400000-0x0000000001B3E000-memory.dmp: vmprotect
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
  - File opened for modification: \??\PhysicalDrive0 (process: 8d4026927e63b4f57f0cf29c9b533eae.exe)
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  - PID 1272: 8d4026927e63b4f57f0cf29c9b533eae.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs
  - PID 1272: 8d4026927e63b4f57f0cf29c9b533eae.exe (4 hits)
Suspicious use of AdjustPrivilegeToken 42 IoCs
  - All 42 entries are from PID 4028 (wmic.exe); each of the following tokens appears twice, in this order:
    SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
Suspicious use of SetWindowsHookEx 2 IoCs
  - PID 1272: 8d4026927e63b4f57f0cf29c9b533eae.exe (2 hits)
Suspicious use of WriteProcessMemory 3 IoCs
  - PID 1272 (8d4026927e63b4f57f0cf29c9b533eae.exe) wrote to memory of PID 4028 (procid_target 87), 3 times
Processes
- C:\Users\Admin\AppData\Local\Temp\8d4026927e63b4f57f0cf29c9b533eae.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8d4026927e63b4f57f0cf29c9b533eae.exe"
  Level: 1
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 1272
  - C:\Windows\SysWOW64\Wbem\wmic.exe
    Command line: wmic BaseBoard get SerialNumber
    Level: 2
    - Suspicious use of AdjustPrivilegeToken
    PID: 4028