Analysis
- max time kernel: 147s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20240319-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240319-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27/03/2024, 03:09
Static task: static1
Behavioral task: behavioral1
- Sample: e09e4c1d42823d952f42e48595d01a4c.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: e09e4c1d42823d952f42e48595d01a4c.exe
- Resource: win10v2004-20240319-en
(The signatures and process tree on this page are from the win10v2004-20240319-en run, i.e. behavioral2.)
General
- Target: e09e4c1d42823d952f42e48595d01a4c.exe
- Size: 146KB
- MD5: e09e4c1d42823d952f42e48595d01a4c
- SHA1: 10c3f50d679d0261ca35d12c6a7850092bc52c1c
- SHA256: e0811a601c983e56789bf72e4befa467e4ef14591911fd777708b58849ed15cf
- SHA512: 4d0c1bf31d3401a27b7209afe9d8b70583e4af7b0f8a6614d34ef871a0085d6ecb5607d7b1e19686e37315323b052ae293e0e29944b5e0fb42593a0f574e294c
- SSDEEP: 3072:o/25jvDSgsqsb5Uh28vAbTV1WW69B9VjMdxPedN9ug0z9TBfFSTEwWYkQSlK:Dtzsb5Uh28+V1WW69B9VjMdxPedN9ug/
Malware Config
Signatures
- Blocklisted process makes network request (1 IoC)
  flow | pid | Process
  18 | 1404 | powershell.exe
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  9 | api.ipify.org
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid | Process
  1404 | powershell.exe (three entries, all the same process)
- Suspicious use of AdjustPrivilegeToken (64 IoCs; the report lists at most 64 entries per signature, so this list is truncated)
  pid | Process | privileges enabled
  1404 | powershell.exe | SeDebugPrivilege
  4836 | WMIC.exe | SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege and the unnamed privilege values 33, 34, 35, 36 (21 privileges); the whole set is enabled twice
  1568 | WMIC.exe | the same 21-privilege set, once; the 64-entry cap cuts the list off here, so the later WMIC.exe instances in the process tree do not appear
  Both WMIC.exe instances enable exactly the same set on start-up, which is a property of WMIC.exe rather than anything specific to the queries the batch script runs.
- Suspicious use of WriteProcessMemory (64 IoCs; truncated at the 64-entry cap)
  Every entry is a parent writing into a process it has just spawned: the target PID is always a direct child in the process tree below, and each parent/child pair is listed twice. Read as edges, the list reproduces the process tree; the cap is why the last two processes (cmd.exe 4692 and WMIC.exe 780) are missing. Each pair is shown once here, with the report's procid_target value.
  pid | Process | wrote to memory of | procid_target
  3800 | e09e4c1d42823d952f42e48595d01a4c.exe | 4220 | 96
  4220 | cmd.exe | 2788 | 97
  4220 | cmd.exe | 4116 | 98
  4220 | cmd.exe | 2804 | 99
  2804 | cmd.exe | 1404 | 100
  4220 | cmd.exe | 2220 | 104
  2220 | cmd.exe | 4836 | 105
  4220 | cmd.exe | 2624 | 107
  2624 | cmd.exe | 1568 | 108
  4220 | cmd.exe | 3004 | 109
  3004 | cmd.exe | 2652 | 110
  4220 | cmd.exe | 4420 | 111
  4420 | cmd.exe | 2876 | 112
  4220 | cmd.exe | 5004 | 113
  5004 | cmd.exe | 2736 | 114
  4220 | cmd.exe | 4732 | 115
  4732 | cmd.exe | 1940 | 116
  4220 | cmd.exe | 2356 | 117
  2356 | cmd.exe | 980 | 118
  4220 | cmd.exe | 4032 | 119
  4032 | cmd.exe | 1228 | 120
  4220 | cmd.exe | 3468 | 121
  3468 | cmd.exe | 2996 | 122
  4220 | cmd.exe | 3792 | 123
  3792 | cmd.exe | 1692 | 124
  4220 | cmd.exe | 2572 | 127
  2572 | cmd.exe | 1948 | 128
  4220 | cmd.exe | 1212 | 129
  1212 | cmd.exe | 1340 | 130
  4220 | cmd.exe | 1504 | 132
  1504 | cmd.exe | 4588 | 133
  4220 | cmd.exe | 2876 | 134 (PID 2876 reused: procid 112 was a WMIC.exe, procid 134 is a new cmd.exe)
Processes

Image paths, abbreviated in the tree below: sample = C:\Users\Admin\AppData\Local\Temp\e09e4c1d42823d952f42e48595d01a4c.exe; cmd.exe = C:\Windows\system32\cmd.exe; WMIC.exe = C:\Windows\System32\Wbem\WMIC.exe; powershell.exe = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; mode.com and chcp.com = C:\Windows\system32\mode.com and C:\Windows\system32\chcp.com; msedge.exe = C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe.

The executable runs a batch script it has written under its temp directory (708C.tmp\708D.tmp\708E.bat), passing its own path as the script's argument. The script sets the console size and the UTF-8 code page, asks api.ipify.org for the external IP through PowerShell, and then collects hardware identifiers through WMIC, each query wrapped in its own cmd.exe /c: disk, baseboard and memory serial numbers, the system UUID, the CPU ProcessorId and the MAC address of the connected PCI network adapter. Indentation shows the parent/child relationship; signatures the report attached to a process are in square brackets. PID 2876 appears twice because it is reused (first a WMIC.exe, later a cmd.exe).

- sample (PID 3800) [Suspicious use of WriteProcessMemory]
  "C:\Users\Admin\AppData\Local\Temp\e09e4c1d42823d952f42e48595d01a4c.exe"
  - cmd.exe (PID 4220) [Suspicious use of WriteProcessMemory]
    "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\708C.tmp\708D.tmp\708E.bat C:\Users\Admin\AppData\Local\Temp\e09e4c1d42823d952f42e48595d01a4c.exe"
    - mode.com (PID 2788): mode con: cols=41 lines=25
    - chcp.com (PID 4116): chcp 65001
    - cmd.exe (PID 2804) [Suspicious use of WriteProcessMemory]: C:\Windows\system32\cmd.exe /c powershell Invoke-RestMethod api.ipify.org
      - powershell.exe (PID 1404) [Blocklisted process makes network request; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken]: powershell Invoke-RestMethod api.ipify.org
    - cmd.exe (PID 2220) [Suspicious use of WriteProcessMemory]: C:\Windows\system32\cmd.exe /c wmic diskdrive get serialnumber
      - WMIC.exe (PID 4836) [Suspicious use of AdjustPrivilegeToken]: wmic diskdrive get serialnumber
    - cmd.exe (PID 2624) [Suspicious use of WriteProcessMemory]: C:\Windows\system32\cmd.exe /c wmic diskdrive get serialnumber
      - WMIC.exe (PID 1568) [Suspicious use of AdjustPrivilegeToken]: wmic diskdrive get serialnumber
    - cmd.exe (PID 3004) [Suspicious use of WriteProcessMemory]: C:\Windows\system32\cmd.exe /c wmic diskdrive get serialnumber
      - WMIC.exe (PID 2652): wmic diskdrive get serialnumber
    - cmd.exe (PID 4420) [Suspicious use of WriteProcessMemory]: C:\Windows\system32\cmd.exe /c wmic diskdrive get serialnumber
      - WMIC.exe (PID 2876): wmic diskdrive get serialnumber
    - cmd.exe (PID 5004) [Suspicious use of WriteProcessMemory]: C:\Windows\system32\cmd.exe /c wmic diskdrive get serialnumber
      - WMIC.exe (PID 2736): wmic diskdrive get serialnumber
    - cmd.exe (PID 4732) [Suspicious use of WriteProcessMemory]: C:\Windows\system32\cmd.exe /c wmic diskdrive get serialnumber
      - WMIC.exe (PID 1940): wmic diskdrive get serialnumber
    - cmd.exe (PID 2356) [Suspicious use of WriteProcessMemory]: C:\Windows\system32\cmd.exe /c wmic diskdrive get serialnumber
      - WMIC.exe (PID 980): wmic diskdrive get serialnumber
    - cmd.exe (PID 4032) [Suspicious use of WriteProcessMemory]: C:\Windows\system32\cmd.exe /c wmic baseboard get serialnumber
      - WMIC.exe (PID 1228): wmic baseboard get serialnumber
    - cmd.exe (PID 3468) [Suspicious use of WriteProcessMemory]: C:\Windows\system32\cmd.exe /c wmic memorychip get serialnumber
      - WMIC.exe (PID 2996): wmic memorychip get serialnumber
    - cmd.exe (PID 3792) [Suspicious use of WriteProcessMemory]: C:\Windows\system32\cmd.exe /c wmic memorychip get serialnumber
      - WMIC.exe (PID 1692): wmic memorychip get serialnumber
    - cmd.exe (PID 2572) [Suspicious use of WriteProcessMemory]: C:\Windows\system32\cmd.exe /c wmic memorychip get serialnumber
      - WMIC.exe (PID 1948): wmic memorychip get serialnumber
    - cmd.exe (PID 1212) [Suspicious use of WriteProcessMemory]: C:\Windows\system32\cmd.exe /c wmic memorychip get serialnumber
      - WMIC.exe (PID 1340): wmic memorychip get serialnumber
    - cmd.exe (PID 1504) [Suspicious use of WriteProcessMemory]: C:\Windows\system32\cmd.exe /c wmic csproduct get uuid
      - WMIC.exe (PID 4588): wmic csproduct get uuid
    - cmd.exe (PID 2876): C:\Windows\system32\cmd.exe /c wmic cpu get processorid
      - WMIC.exe (PID 3176): wmic cpu get processorid
    - cmd.exe (PID 4692): C:\Windows\system32\cmd.exe /c wmic path Win32_NetworkAdapter where "PNPDeviceID like '%PCI%' AND NetConnectionStatus=2 AND AdapterTypeID='0'" get MacAddress
      - WMIC.exe (PID 780): wmic path Win32_NetworkAdapter where "PNPDeviceID like '%PCI%' AND NetConnectionStatus=2 AND AdapterTypeID='0'" get MacAddress
- msedge.exe (PID 3932), an Edge utility process with no parent in the tree, i.e. sandbox background activity rather than something the sample started:
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4172 --field-trial-handle=2260,i,11662483365823245381,11064702639240765741,262144 --variations-seed-version /prefetch:8
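The process tree above is the whole story of this sample: a batch wrapper that fingerprints the host through WMIC and fetches its external IP through PowerShell. The following is an added example, not code from the report or from the sample, showing how a detection would rebuild that tree from process-creation events and flag the pattern. The events are constructed from the PIDs and command lines on this page (the sandbox timestamps are not on the page, so list order stands in for time); the `bios` class, the extra IP-lookup hosts and the "three hardware classes" threshold are assumptions, and the msedge.exe command line is abbreviated. The parent resolution deliberately handles the PID reuse the report shows (2876 is first a WMIC.exe, then a cmd.exe), which a plain dict keyed by PID would get wrong.

```python
"""Added example (not part of the Triage report): rebuild the report's process
tree from constructed process-creation events and flag WMIC hardware
fingerprinting combined with a PowerShell external-IP lookup."""
import re
from collections import Counter

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\e09e4c1d42823d952f42e48595d01a4c.exe"
CMD = r"C:\Windows\system32\cmd.exe"
WMIC = r"C:\Windows\System32\Wbem\WMIC.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"


def _wmic_pair(cmd_pid, wmic_pid, query):
    """The script runs every WMIC query as 'cmd.exe /c wmic ...' (child of the
    script's own cmd.exe, PID 4220), which in turn spawns WMIC.exe."""
    return [(cmd_pid, 4220, CMD, f"{CMD} /c wmic {query}"),
            (wmic_pid, cmd_pid, WMIC, f"wmic {query}")]


NIC_QUERY = ("path Win32_NetworkAdapter where \"PNPDeviceID like '%PCI%' AND "
             "NetConnectionStatus=2 AND AdapterTypeID='0'\" get MacAddress")

# Constructed events (pid, ppid, image, command line), in the report's order.
EVENTS = [
    (3800, None, SAMPLE, f'"{SAMPLE}"'),
    (4220, 3800, CMD, f'"C:\\Windows\\system32\\cmd" /c "C:\\Users\\Admin\\AppData\\Local\\Temp\\708C.tmp\\708D.tmp\\708E.bat {SAMPLE}"'),
    (2788, 4220, r"C:\Windows\system32\mode.com", "mode con: cols=41 lines=25"),
    (4116, 4220, r"C:\Windows\system32\chcp.com", "chcp 65001"),
    (2804, 4220, CMD, f"{CMD} /c powershell Invoke-RestMethod api.ipify.org"),
    (1404, 2804, PS, "powershell Invoke-RestMethod api.ipify.org"),
    *_wmic_pair(2220, 4836, "diskdrive get serialnumber"),
    *_wmic_pair(2624, 1568, "diskdrive get serialnumber"),
    *_wmic_pair(3004, 2652, "diskdrive get serialnumber"),
    *_wmic_pair(4420, 2876, "diskdrive get serialnumber"),
    *_wmic_pair(5004, 2736, "diskdrive get serialnumber"),
    *_wmic_pair(4732, 1940, "diskdrive get serialnumber"),
    *_wmic_pair(2356, 980, "diskdrive get serialnumber"),
    *_wmic_pair(4032, 1228, "baseboard get serialnumber"),
    *_wmic_pair(3468, 2996, "memorychip get serialnumber"),
    *_wmic_pair(3792, 1692, "memorychip get serialnumber"),
    *_wmic_pair(2572, 1948, "memorychip get serialnumber"),
    *_wmic_pair(1212, 1340, "memorychip get serialnumber"),
    *_wmic_pair(1504, 4588, "csproduct get uuid"),
    *_wmic_pair(2876, 3176, "cpu get processorid"),  # PID 2876 reused: it was WMIC.exe above
    *_wmic_pair(4692, 780, NIC_QUERY),
    # Unrelated sandbox noise, as in the report (command line abbreviated here).
    (3932, None, r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "msedge.exe --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService"),
]

# Classes/properties the sample queries; 'bios' is an assumed addition.
WMIC_HW_QUERY = re.compile(
    r"\bwmic\b.*?\b(?P<cls>diskdrive|baseboard|memorychip|cpu|csproduct|bios|win32_networkadapter)\b"
    r".*?\bget\b\s+(?P<prop>serialnumber|uuid|processorid|macaddress)\b", re.IGNORECASE)
# api.ipify.org is from the report; the other hosts are assumed extra lookup services.
EXTERNAL_IP_SERVICES = ("api.ipify.org", "ifconfig.me", "icanhazip.com", "ipinfo.io")


def resolve_parents(events):
    """Map each event index to its parent's event index. A ppid resolves to the
    most recent EARLIER event with that pid, so WMIC.exe 3176 is attached to the
    later cmd.exe 2876 and not to the WMIC.exe 2876 that had the PID before."""
    parent_of, last_seen = {}, {}
    for i, (pid, ppid, _, _) in enumerate(events):
        parent_of[i] = last_seen.get(ppid) if ppid is not None else None
        last_seen[pid] = i
    return parent_of


def root_of(i, parent_of):
    while parent_of[i] is not None:
        i = parent_of[i]
    return i


def analyze(events):
    """Per root process (keyed by its PID): which hardware identifiers its tree
    queried through WMIC.exe and how often, which external-IP services a
    PowerShell descendant contacted, and a verdict."""
    parent_of = resolve_parents(events)
    findings = {}
    for i, (pid, ppid, image, cmdline) in enumerate(events):
        root_pid = events[root_of(i, parent_of)][0]
        f = findings.setdefault(root_pid, {"hardware_queries": Counter(), "external_ip_hosts": set()})
        base = image.rsplit("\\", 1)[-1].lower()
        if base == "wmic.exe":
            m = WMIC_HW_QUERY.search(cmdline)
            if m:
                f["hardware_queries"][(m["cls"].lower(), m["prop"].lower())] += 1
        elif base in ("powershell.exe", "pwsh.exe"):
            f["external_ip_hosts"].update(h for h in EXTERNAL_IP_SERVICES if h in cmdline.lower())
    for f in findings.values():
        f["hardware_classes"] = {cls for cls, _ in f["hardware_queries"]}
        fingerprinting = len(f["hardware_classes"]) >= 3  # threshold is an assumption
        if fingerprinting and f["external_ip_hosts"]:
            f["verdict"] = "hardware-fingerprinting+external-ip"
        elif fingerprinting:
            f["verdict"] = "hardware-fingerprinting"
        else:
            f["verdict"] = "clean"
    return findings


if __name__ == "__main__":
    for root_pid, f in analyze(EVENTS).items():
        print(root_pid, f["verdict"], sorted(f["hardware_classes"]), sorted(f["external_ip_hosts"]))
```

Run against the constructed events, the sample's root (3800) comes out with six hardware classes, fifteen WMIC.exe launches (seven of them the repeated diskdrive query) and one external-IP host, while the Edge utility process (3932) stays clean. Matching only on the WMIC.exe leaf rather than on the cmd.exe wrapper avoids double counting; matching on the command line rather than the image name would catch the same queries issued through `cmd /c` even if WMIC itself were blocked.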
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 9KB
  MD5: 5a690ababc9030be667b065eb1acbf71
  SHA1: 4a84fc1ad7db4742c0beb3ccc35d8107a1313476
  SHA256: ad1434cb979dbc1282be8660c312cef7e19801ea0bd2b75491d2d244e3a1f79a
  SHA512: 0e4700284e2dc9e4ad66d570997bddf1a0279ecd4fc8f161a50050c3c50a994f7ba253b6ac94a0acf2d44f4a41d35aac7ceaa479a77d303ee79db4a0316286d9
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82