Analysis
max time kernel: 147s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240221-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240221-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/02/2024, 14:54
Static task: static1
Behavioral task: behavioral1
  Sample: a411fc6843115ea92a124822e65dadfd.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: a411fc6843115ea92a124822e65dadfd.exe
  Resource: win10v2004-20240221-en
General
Target: a411fc6843115ea92a124822e65dadfd.exe
Size: 24KB
MD5: a411fc6843115ea92a124822e65dadfd
SHA1: cd861b6d288346fa8e93ef5f4da9a655f4fc27d2
SHA256: 6dc7e4d80501dd49c151e22cdb697e597ac9d2e8f2ee71e083bb5c5e5b7e60c4
SHA512: 2dc5432eb05963e806ac655077381f6486ae50b174a82a5c87bcb75c443de8bdde8b7f121e594c6d61d3eb524b46fa47569b0b13758dcd9f7254017d2e28dd76
SSDEEP: 384:E3eVES+/xwGkRKJq06VlM61qmTTMVF9/q5j0:bGS+ZfbJq06VO8qYoAI
Malware Config
Signatures

Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Start GeekBuddy = "C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\1033\\spoolsv.exe"
  process: a411fc6843115ea92a124822e65dadfd.exe

Drops file in Program Files directory (1 IoC)
  description: File created
  ioc: C:\Program Files\Common Files\Microsoft Shared\Web Folders\1033\spoolsv.exe
  process: a411fc6843115ea92a124822e65dadfd.exe

Enumerates processes with tasklist (1 TTP, 1 IoC)
  pid 4800: tasklist.exe

Gathers network information (2 TTPs, 2 IoCs)
  Uses commandline utility to view network configuration.
  pid 4056: ipconfig.exe
  pid 5040: NETSTAT.EXE

Runs net.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege | pid 4800: tasklist.exe
  Token: SeDebugPrivilege | pid 5040: NETSTAT.EXE

Suspicious use of SetWindowsHookEx (2 IoCs)
  pid 2824: a411fc6843115ea92a124822e65dadfd.exe
  pid 2824: a411fc6843115ea92a124822e65dadfd.exe

Suspicious use of WriteProcessMemory (21 IoCs)
  description | pid | process | procid_target
  PID 2824 wrote to memory of 1936 | 2824 | a411fc6843115ea92a124822e65dadfd.exe | 88
  PID 2824 wrote to memory of 1936 | 2824 | a411fc6843115ea92a124822e65dadfd.exe | 88
  PID 2824 wrote to memory of 1936 | 2824 | a411fc6843115ea92a124822e65dadfd.exe | 88
  PID 1936 wrote to memory of 2876 | 1936 | cmd.exe | 90
  PID 1936 wrote to memory of 2876 | 1936 | cmd.exe | 90
  PID 1936 wrote to memory of 2876 | 1936 | cmd.exe | 90
  PID 1936 wrote to memory of 4056 | 1936 | cmd.exe | 91
  PID 1936 wrote to memory of 4056 | 1936 | cmd.exe | 91
  PID 1936 wrote to memory of 4056 | 1936 | cmd.exe | 91
  PID 1936 wrote to memory of 4800 | 1936 | cmd.exe | 92
  PID 1936 wrote to memory of 4800 | 1936 | cmd.exe | 92
  PID 1936 wrote to memory of 4800 | 1936 | cmd.exe | 92
  PID 1936 wrote to memory of 364 | 1936 | cmd.exe | 96
  PID 1936 wrote to memory of 364 | 1936 | cmd.exe | 96
  PID 1936 wrote to memory of 364 | 1936 | cmd.exe | 96
  PID 364 wrote to memory of 4892 | 364 | net.exe | 97
  PID 364 wrote to memory of 4892 | 364 | net.exe | 97
  PID 364 wrote to memory of 4892 | 364 | net.exe | 97
  PID 1936 wrote to memory of 5040 | 1936 | cmd.exe | 98
  PID 1936 wrote to memory of 5040 | 1936 | cmd.exe | 98
  PID 1936 wrote to memory of 5040 | 1936 | cmd.exe | 98
Processes

C:\Users\Admin\AppData\Local\Temp\a411fc6843115ea92a124822e65dadfd.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a411fc6843115ea92a124822e65dadfd.exe"
  PID: 2824
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ver >c:\windows\temp\flash.log & cmd /c set >>c:\windows\temp\flash.log & ipconfig /all >>c:\windows\temp\flash.log & tasklist >>c:\windows\temp\flash.log & net start>>c:\windows\temp\flash.log & netstat -an >>c:\windows\temp\flash.log
    PID: 1936
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c set
      PID: 2876

    C:\Windows\SysWOW64\ipconfig.exe
      Command line: ipconfig /all
      PID: 4056
      - Gathers network information

    C:\Windows\SysWOW64\tasklist.exe
      Command line: tasklist
      PID: 4800
      - Enumerates processes with tasklist
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\net.exe
      Command line: net start
      PID: 364
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\net1.exe
        Command line: C:\Windows\system32\net1 start
        PID: 4892

    C:\Windows\SysWOW64\NETSTAT.EXE
      Command line: netstat -an
      PID: 5040
      - Gathers network information
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 14KB
MD5: 47166cc128c3aa5384c6ebedf6b3e575
SHA1: 0d8cf16ade8464eac3f9a5edf5c49aacb7005042
SHA256: ac29daa7963b494f90839aa6d3723e789992ee9ec505d980da8de97406ea6c1c
SHA512: 27c7f1e35228d0a573abbe17a12849ae430f871dacbcc0d39a545d0fccc9a62ef88d9639158804369b5356b1a0520992a639546876d0d550eeb7bb9c798904a6