Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06/03/2024, 02:23
Static task: static1
Behavioral task: behavioral1
  Sample: 69ba83fdc3bdef1eeb01835286651ef246968efd1d34c318afa0d3b6f8387923.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 69ba83fdc3bdef1eeb01835286651ef246968efd1d34c318afa0d3b6f8387923.exe
  Resource: win10v2004-20240226-en
Behavioral task: behavioral3
  Sample: Malemutes/Nonprecedent.ps1
  Resource: win7-20240221-en
Behavioral task: behavioral4
  Sample: Malemutes/Nonprecedent.ps1
  Resource: win10v2004-20240226-en
General
Target: 69ba83fdc3bdef1eeb01835286651ef246968efd1d34c318afa0d3b6f8387923.exe
Size: 623KB
MD5: 69893879dfb7420cc301c2097d529607
SHA1: f5d0929b50cb25555d6470946f76832a3f6fd13b
SHA256: 69ba83fdc3bdef1eeb01835286651ef246968efd1d34c318afa0d3b6f8387923
SHA512: 601665e12a529342586f0f85fe27682b20841a2c62c7ad0f2454d79ac3bc56c647e3f7d3147b3a33dc58b7e549c3e7efc42dbedf73cf5e8357421bc38e826398
SSDEEP: 12288:ylR3Rtp9Jt7SEgUceFLX2YRJpNpRyOArULAHW9O9k:Y3Rtp9JamphWALAGOO
Malware Config
Signatures
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoC)
  pid   pid_target  Process       procid_target
  2032  1588        WerFault.exe  88
  WerFault.exe (PID 2032) is handling a crash of powershell.exe (PID 1588), the loader process in the tree below; procid_target is the report's own process index, not a Windows PID.
- Suspicious behavior: EnumeratesProcesses (9 IoCs)
  pid   Process
  1588  powershell.exe  (9 occurrences)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description              pid   Process
  Token: SeDebugPrivilege  1588  powershell.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description                        pid   Process                                                                   procid_target
  PID 2304 wrote to memory of 1588   2304  69ba83fdc3bdef1eeb01835286651ef246968efd1d34c318afa0d3b6f8387923.exe  88  (3 occurrences)
  PID 1588 wrote to memory of 5092   1588  powershell.exe                                                            94  (3 occurrences)
Processes
C:\Users\Admin\AppData\Local\Temp\69ba83fdc3bdef1eeb01835286651ef246968efd1d34c318afa0d3b6f8387923.exe  (PID 2304)
  command: "C:\Users\Admin\AppData\Local\Temp\69ba83fdc3bdef1eeb01835286651ef246968efd1d34c318afa0d3b6f8387923.exe"
  - Suspicious use of WriteProcessMemory
  └ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 1588)
      command: "powershell" -windowstyle hidden "$Gynecide=Get-Content 'C:\Users\Admin\AppData\Local\Epicoeliac\Malemutes\Nonprecedent.Fod';$Porbeagle=$Gynecide.SubString(53926,3);.$Porbeagle($Gynecide)"
      The SysWOW64 path means this is the 32-bit PowerShell host, consistent with the arch:x86 tag. The command reads the staged .Fod file, slices three characters at offset 53926 out of it as a command name, and invokes that name with the whole file contents as its argument (the leading `.` is PowerShell's dot-source/call operator), so the file content is never visible on the command line.
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      └ C:\Windows\SysWOW64\cmd.exe  (PID 5092)
          command: "C:\Windows\system32\cmd.exe" /c "set /A 1^^0"
          After cmd.exe strips the `^` escape this is `set /A 1^0`, a bitwise XOR that evaluates to 1; the call does nothing beyond spawning a cmd.exe child.
      └ C:\Windows\SysWOW64\WerFault.exe  (PID 2032)
          command: C:\Windows\SysWOW64\WerFault.exe -u -p 1588 -s 2516
          - Program crash
C:\Windows\SysWOW64\WerFault.exe  (PID 3100)
  command: C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1588 -ip 1588
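The loader pattern in the PID 1588 command line can be resolved statically: parse the three stages (Get-Content, SubString, the `.$var(...)` call), check that the variables chain, and slice the command name out of the staged file without executing anything. The script below is an added triage example, not part of the tria.ge report and not code from the sample. The command line is copied from the process tree; the staged-file contents are constructed for the demo because the page does not reproduce Nonprecedent.Fod, and the assumption that the file is a single line (so Get-Content returns one string rather than an array) is stated in the code. The function and variable names are the example's own.

```python
"""Static triage of a 'substring-as-command' PowerShell loader.

Added example; not from the tria.ge report and not the sample's own code.
CMDLINE is copied from the report's process tree (PID 1588). DEMO_STAGED is a
CONSTRUCTED stand-in for Nonprecedent.Fod, which the page does not reproduce.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Command line recorded for powershell.exe (PID 1588) in the report.
CMDLINE = (
    '"powershell" -windowstyle hidden "$Gynecide=Get-Content '
    "'C:\\Users\\Admin\\AppData\\Local\\Epicoeliac\\Malemutes\\Nonprecedent.Fod';"
    '$Porbeagle=$Gynecide.SubString(53926,3);.$Porbeagle($Gynecide)"'
)

# The three stages of the loader: read a file, slice a short command name out
# of it, then call that name (via the . or & call operator) with the whole
# file as its argument.
_READ = re.compile(r"\$(?P<buf>\w+)\s*=\s*Get-Content\s+'(?P<path>[^']+)'", re.I)
_SLICE = re.compile(
    r"\$(?P<op>\w+)\s*=\s*\$(?P<src>\w+)\.SubString\((?P<off>\d+)\s*,\s*(?P<len>\d+)\)",
    re.I,
)
_CALL = re.compile(r"[.&]\s*\$(?P<op>\w+)\s*\(\s*\$(?P<arg>\w+)\s*\)", re.I)

# Built-in PowerShell aliases a three-character slice can resolve to.
KNOWN_ALIASES = {"iex": "Invoke-Expression", "icm": "Invoke-Command"}


@dataclass(frozen=True)
class Loader:
    path: str          # file the command name and payload are read from
    buffer_var: str    # variable holding the file contents
    operator_var: str  # variable holding the sliced command name
    offset: int
    length: int


def parse_loader(cmdline: str) -> Optional[Loader]:
    """Return the loader's parameters, or None if the three-stage pattern is absent."""
    read, sl, call = _READ.search(cmdline), _SLICE.search(cmdline), _CALL.search(cmdline)
    if not (read and sl and call):
        return None
    # The variables must chain: the slice reads the buffer, and the call invokes
    # the sliced name with that same buffer. Otherwise it is not this pattern.
    if sl["src"] != read["buf"] or call["op"] != sl["op"] or call["arg"] != read["buf"]:
        return None
    return Loader(read["path"], read["buf"], sl["op"], int(sl["off"]), int(sl["len"]))


def resolve_operator(loader: Loader, staged: str) -> str:
    """Name of the command the loader would call, taken from the staged file.

    Assumes the staged file is a single line, so Get-Content yields one string
    (assumption; a multi-line file yields an array and the slice applies per line).
    """
    name = staged[loader.offset : loader.offset + loader.length]
    return KNOWN_ALIASES.get(name.lower(), name)


def is_substring_loader(cmdline: str) -> bool:
    """Detection predicate for process-creation telemetry."""
    return parse_loader(cmdline) is not None


# CONSTRUCTED stand-in for the staged file: filler up to the sliced offset,
# the command name at that offset, then the remainder of the payload.
DEMO_STAGED = "A" * 53926 + "iex" + " # remainder of constructed payload"

if __name__ == "__main__":
    loader = parse_loader(CMDLINE)
    assert loader is not None
    print(f"reads   : {loader.path}")
    print(f"slices  : {loader.length} chars at offset {loader.offset} into ${loader.operator_var}")
    print(f"invokes : {resolve_operator(loader, DEMO_STAGED)} with the whole file as argument")
```

Run against a real capture, replace DEMO_STAGED with the bytes of the dropped file from the sandbox's file collection; the offset check also tells you whether a candidate file is the right one, since the slice must land on a valid command name.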
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1
Filesize: 52KB
MD5: d70cc7a86c607e5511048fe2b3242bf9
SHA1: 7533500bfb680dc5fcea3e37fd2eca0385990376
SHA256: 9be2c4093ac767d9ec1aa035a7a8139fac9347068f303e1ef583b4d1f8dedd2b
SHA512: 05052e82d38f94ff7eb6ed89a7fd9041c20d03eba7d6d193c3fe85c628605c70fa8cb2dbb1e44ee721c8143bbcb6e5caf72c24acb134628d967e757b18d158ff
File 2
Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82