Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
151s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
12/02/2024, 12:02
Static task
static1
Behavioral task
behavioral1
Sample
Ocean.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
Ocean.exe
Resource
win10v2004-20231215-en
General
-
Target
Ocean.exe
-
Size
2.3MB
-
MD5
6bbe05cd611c00f2028fd3926293d17b
-
SHA1
1f34b1c9d88e5d8c3debeb14d26b7262e810e25d
-
SHA256
364aa99eb17c51abc154bdb82abba55f7a481034261e9449111030d12985fa09
-
SHA512
226fdaf50fd1c948b127afa267ff28c12e4fb013314f27dcdc9076b1b3452418edcb4169de56a418f862e4acfb82d49c923b24730065d2601e48d3b044a77132
-
SSDEEP
24576:WqdOsTyYgDnTSTbJSByTvNOtGv8I45XmilZeTFaiMZyCV1ED/T2hn23:WiOsTyYgnfBy8V5XbehZz7Mnq
Malware Config
Signatures
-
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
pid Process 1400 E6inKw.exe -
Drops file in System32 directory 1 IoCs
description ioc Process File opened for modification C:\Windows\system32\eventvwr.msc mmc.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
pid Process 1400 E6inKw.exe 1400 E6inKw.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 1400 E6inKw.exe 1400 E6inKw.exe 1400 E6inKw.exe 1400 E6inKw.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid Process 4320 Ocean.exe 464 mmc.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 1400 E6inKw.exe Token: SeDebugPrivilege 1400 E6inKw.exe Token: SeSecurityPrivilege 464 mmc.exe Token: 33 464 mmc.exe Token: SeIncBasePriorityPrivilege 464 mmc.exe Token: 33 464 mmc.exe Token: SeIncBasePriorityPrivilege 464 mmc.exe Token: 33 464 mmc.exe Token: SeIncBasePriorityPrivilege 464 mmc.exe Token: 33 464 mmc.exe Token: SeIncBasePriorityPrivilege 464 mmc.exe Token: 33 464 mmc.exe Token: SeIncBasePriorityPrivilege 464 mmc.exe Token: 33 464 mmc.exe Token: SeIncBasePriorityPrivilege 464 mmc.exe Token: 33 464 mmc.exe Token: SeIncBasePriorityPrivilege 464 mmc.exe Token: 33 464 mmc.exe Token: SeIncBasePriorityPrivilege 464 mmc.exe Token: 33 464 mmc.exe Token: SeIncBasePriorityPrivilege 464 mmc.exe Token: 33 464 mmc.exe Token: SeIncBasePriorityPrivilege 464 mmc.exe Token: 33 464 mmc.exe Token: SeIncBasePriorityPrivilege 464 mmc.exe Token: 33 464 mmc.exe Token: SeIncBasePriorityPrivilege 464 mmc.exe Token: 33 464 mmc.exe Token: SeIncBasePriorityPrivilege 464 mmc.exe Token: 33 464 mmc.exe Token: SeIncBasePriorityPrivilege 464 mmc.exe Token: 33 464 mmc.exe Token: SeIncBasePriorityPrivilege 464 mmc.exe Token: 33 464 mmc.exe Token: SeIncBasePriorityPrivilege 464 mmc.exe Token: SeSecurityPrivilege 464 mmc.exe Token: 33 464 mmc.exe Token: SeIncBasePriorityPrivilege 464 mmc.exe Token: 33 464 mmc.exe Token: SeIncBasePriorityPrivilege 464 mmc.exe Token: 33 464 mmc.exe Token: SeIncBasePriorityPrivilege 464 mmc.exe Token: 33 464 mmc.exe Token: SeIncBasePriorityPrivilege 464 mmc.exe Token: 33 464 mmc.exe Token: SeIncBasePriorityPrivilege 464 mmc.exe Token: 33 464 mmc.exe Token: SeIncBasePriorityPrivilege 464 mmc.exe Token: 33 464 mmc.exe Token: SeIncBasePriorityPrivilege 464 mmc.exe Token: 33 464 mmc.exe Token: SeIncBasePriorityPrivilege 464 mmc.exe Token: 33 464 mmc.exe Token: SeIncBasePriorityPrivilege 464 mmc.exe Token: 33 464 mmc.exe Token: SeIncBasePriorityPrivilege 464 mmc.exe Token: 33 464 mmc.exe Token: SeIncBasePriorityPrivilege 464 mmc.exe Token: 33 464 mmc.exe Token: SeIncBasePriorityPrivilege 464 mmc.exe Token: 33 464 mmc.exe Token: SeIncBasePriorityPrivilege 464 mmc.exe Token: 33 464 mmc.exe Token: SeIncBasePriorityPrivilege 464 mmc.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 464 mmc.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
pid Process 4320 Ocean.exe 464 mmc.exe 464 mmc.exe -
Suspicious use of WriteProcessMemory 2 IoCs
description pid Process procid_target PID 4320 wrote to memory of 1400 4320 Ocean.exe 92 PID 4320 wrote to memory of 1400 4320 Ocean.exe 92
Processes
-
C:\Users\Admin\AppData\Local\Temp\Ocean.exe"C:\Users\Admin\AppData\Local\Temp\Ocean.exe"1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4320 -
C:\Users\Admin\AppData\Local\Temp\lgodbqCr1E\E6inKw.exeC:\Users\Admin\AppData\Local\Temp\\lgodbqCr1E\E6inKw.exe 11112⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1400
-
-
C:\Windows\system32\mmc.exe"C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc" /s1⤵
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:464
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
109B
MD5884320a9b8f018f309f5a96107133f89
SHA1102e8a8f3c91a10d9d670e0b3715bd2e0acee5ff
SHA25650fd9d76d1c43bb16b166de02aaf8adec09eb5bc4cefdca9d1af2e0f7b1d8f64
SHA512b815fcbd7263b6667f01478b955f9734b1bddbcd7ca8e62ef8ff1ec46ed99931ba466c976ac781f1bd899125571585d580f6f232cc37b8e9ed87935981b99b78
-
Filesize
6.1MB
MD58c9d2934bda494f3de30991de7a3134e
SHA122c22196916ec9f7c90e95b1d8183c0703ef6000
SHA256897f3f68a8ca3874b8a2d1d4aa35848a5c2a0c588aa468f61f1c4d5b9ee244d2
SHA5120789b0afab27ad966e77eb3722f7c944ced2a56f515cc0bef9095f49870a0c52a03ffc9a02fd420a2c0190c26c6f252a8d73d7372e197bf31d40f192606a497e