Analysis
  max time kernel:   129s
  max time network:  136s
  platform:          windows10-1703_x64
  resource:          win10-20240221-en
  resource tags:     arch:x64, arch:x86, image:win10-20240221-en, locale:en-us, os:windows10-1703-x64, system
  submitted:         24/02/2024, 18:25
Static task: static1 (1 signature)
Behavioral task: behavioral1
  Sample:    Private.exe
  Resource:  win10-20240221-en
  6 signatures, 150 seconds
General
  Target:  Private.exe
  Size:    3.1MB
  MD5:     b301fe9782472cfe6fc24925d9485334
  SHA1:    56940ce94c13ccdc4fda76bcbe5ac4df31728c8b
  SHA256:  cdfe3633a11dcfb62c8c13af85bf2a5efe668de88645798826442f9757c02711
  SHA512:  049bfea630a9ca693a2636f9c919a933470120afeb03c62e3377ce76f29a7b181ff380582c34f6c5412d2ad46209b9644bd8b945ac66fe772b78edc41e32a755
  SSDEEP:  49152:nvBwyiqmlnHzco6QdasS+tPCg2V6FZUFMOVr5SOlzddrI2Ye6XxOHGK5TxqYJ8w5:JY3CaFZtOZ5SWdd1R6Ym8q3
Score
4/10
Malware Config
Signatures
Drops file in Windows directory (2 IoCs)
  description   ioc                                                   process
  File created  C:\Windows\rescache\_merged\4183903823\810424605.pri   taskmgr.exe
  File created  C:\Windows\rescache\_merged\1601268389\3877292338.pri  taskmgr.exe
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
The SCSI enumeration keys expose the disk's vendor and product strings (here Ven_DADY and Prod_HARDDISK) and its FriendlyName; they are often read to detect virtualization or sandboxing environments.
  description        ioc                                                                                                                                        process
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000                                            taskmgr.exe
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A  taskmgr.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName                               taskmgr.exe
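As an added example (not tria.ge code and not part of the original report), the following Python parses the SCSI enumeration key paths above and applies the check that a sandbox-aware sample performs on them: it extracts the Ven_/Prod_ strings from the device-instance ID and compares them with vendor and product names that common hypervisors expose on their virtual disks. The marker list, the process name sample.exe and the two VirtualBox/VMware rows are assumptions constructed for the example; the report's own three rows (Ven_DADY, Prod_HARDDISK) are embedded verbatim and match none of the markers.

```python
"""Parse SCSI enumeration registry paths from a sandbox report and decide
whether any of them would reveal a hypervisor-backed disk.

Added example for this report; it is not tria.ge code and it does not read
the live registry. The marker list and the CONSTRUCTED_IOCS rows are
assumptions made for the example."""
import re
from typing import List, NamedTuple, Optional, Tuple

# Upper-cased substrings of vendor/product names that common hypervisors put
# on their virtual disks (VMware "Virtual disk", VirtualBox "VBOX", QEMU,
# Hyper-V "Msft Virtual Disk", Xen). Assumption chosen for this example.
VM_DISK_MARKERS = ("VMWARE", "VBOX", "VIRTUALBOX", "QEMU", "XEN", "MSFT", "VIRTUAL")

# Device-instance ID embedded in the enum key:
#   ...\Enum\SCSI\Disk&Ven_<vendor>&Prod_<product>\<instance>\...
_SCSI_KEY_RE = re.compile(
    r"\\Enum\\SCSI\\(?P<cls>[^&\\]+)&Ven_(?P<ven>[^&\\]*)&Prod_(?P<prod>[^&\\]*)",
    re.IGNORECASE,
)


class ScsiKey(NamedTuple):
    action: str               # "Key opened" / "Key value queried" as logged
    device_class: str         # e.g. "Disk"
    vendor: str               # text after Ven_
    product: str              # text after Prod_
    process: str
    vm_marker: Optional[str]  # first marker matched, None if the disk looks physical


def parse_scsi_key(action: str, path: str, process: str) -> Optional[ScsiKey]:
    """Return a ScsiKey for a SCSI enum path, or None for any other registry path."""
    m = _SCSI_KEY_RE.search(path)
    if m is None:
        return None
    vendor, product = m.group("ven"), m.group("prod")
    haystack = f"{vendor} {product}".upper().replace("_", " ")
    marker = next((k for k in VM_DISK_MARKERS if k in haystack), None)
    return ScsiKey(action, m.group("cls"), vendor, product, process, marker)


def triage(iocs: List[Tuple[str, str, str]]) -> dict:
    """Summarise (action, registry path, process) rows: how many SCSI enum keys
    were touched, by which processes, and which ones expose a VM marker."""
    keys = [k for k in (parse_scsi_key(*row) for row in iocs) if k is not None]
    return {
        "scsi_keys": len(keys),
        "processes": sorted({k.process for k in keys}),
        "vm_hits": [k for k in keys if k.vm_marker is not None],
    }


# The three IoCs exactly as listed in the report.
REPORT_IOCS = [
    ("Key opened", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000", "taskmgr.exe"),
    ("Key opened", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A", "taskmgr.exe"),
    ("Key value queried", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName", "taskmgr.exe"),
]

# Constructed rows (not from the report): what a VirtualBox or VMware guest
# exposes in the same key. Process name and instance ID are made up.
CONSTRUCTED_IOCS = [
    ("Key value queried", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VBOX&Prod_HARDDISK\4&1a2b3c4d&0&000000\FriendlyName", "sample.exe"),
    ("Key value queried", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1a2b3c4d&0&000000\FriendlyName", "sample.exe"),
]

if __name__ == "__main__":
    for label, rows in (("report", REPORT_IOCS),
                        ("report + constructed", REPORT_IOCS + CONSTRUCTED_IOCS)):
        r = triage(rows)
        print(f"{label}: {r['scsi_keys']} SCSI keys from {r['processes']}")
        for hit in r["vm_hits"]:
            print(f"  VM marker {hit.vm_marker!r}: Ven_{hit.vendor} Prod_{hit.product} ({hit.process})")
```

Run over the report's own rows it finds three SCSI key accesses, all from taskmgr.exe, and no hypervisor marker; only the constructed VBOX and VMware rows produce hits. The same parser applies to any registry-access log that records the full key path in this form.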
Suspicious behavior: EnumeratesProcesses (14 IoCs)
  pid   process
  5072  taskmgr.exe  (all 14 events)
Suspicious use of AdjustPrivilegeToken (5 IoCs)
  description                         pid   process
  Token: SeDebugPrivilege             5072  taskmgr.exe
  Token: SeSystemProfilePrivilege     5072  taskmgr.exe
  Token: SeCreateGlobalPrivilege      5072  taskmgr.exe
  Token: 33                           5072  taskmgr.exe  (privilege value left unmapped by the sandbox; 33 is SE_INC_WORKING_SET_PRIVILEGE, i.e. SeIncreaseWorkingSetPrivilege)
  Token: SeIncBasePriorityPrivilege   5072  taskmgr.exe
Suspicious use of FindShellTrayWindow (39 IoCs)
  pid   process
  5072  taskmgr.exe  (all 39 events)

Suspicious use of SendNotifyMessage (39 IoCs)
  pid   process
  5072  taskmgr.exe  (all 39 events)
Processes
  C:\Users\Admin\AppData\Local\Temp\Private.exe
    "C:\Users\Admin\AppData\Local\Temp\Private.exe"
    depth 1, PID 1324, no signatures attributed
  C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /7
    depth 1, PID 5072
    - Drops file in Windows directory
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

Both entries are top-level (depth 1): taskmgr.exe is not a child of Private.exe, and every signature in this report is attributed to PID 5072 (taskmgr.exe), none to the sample's own process (PID 1324). The 4/10 score should be read with that in mind.