Analysis

max time kernel: 91s
max time network: 121s
platform: windows10-2004_x64
resource: win10v2004-20240412-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15/04/2024, 18:48
Static task

- static1

Behavioral tasks

- behavioral1
  Sample: 1147c49a678de2a66f5f1b81eb58f0241604c11382c34840965c6d0e0c2fd611.exe
  Resource: win7-20240221-en
- behavioral2
  Sample: 1147c49a678de2a66f5f1b81eb58f0241604c11382c34840965c6d0e0c2fd611.exe
  Resource: win10v2004-20240412-en
General

Target: 1147c49a678de2a66f5f1b81eb58f0241604c11382c34840965c6d0e0c2fd611.exe
Size: 1021KB
MD5: 25b7c91053a472a416740fd755fb2f4b
SHA1: 940f6a401a76d952545bcd5416efd21502559a37
SHA256: 1147c49a678de2a66f5f1b81eb58f0241604c11382c34840965c6d0e0c2fd611
SHA512: 78e99f44f98694c4190f877729b407dd9a5678fb81cf500fd452b5374d4ed10766a0c5ee157d5298fd8c4e29ffd149f36594baf2284dc8fe035e6059973d5ff9
SSDEEP: 24576:oGoKVJykhpc0Wdm/pH3T4oWULtFyLNiJwpEC6jSsEWE8v:FJHzc50MiJwpECfP
Malware Config
Signatures

- Enumerates connected drives (3 TTPs, 1 IoC)
  Attempts to read the root path of hard drives other than the default C: drive.
  description: File opened (read-only)
  ioc: \??\D:
  Process: 1147c49a678de2a66f5f1b81eb58f0241604c11382c34840965c6d0e0c2fd611.exe
- Program crash (1 IoC)
  pid: 1808
  pid_target: 1776
  Process: WerFault.exe
  procid_target: 86
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description: Token: 33
  pid: 3172
  Process: AUDIODG.EXE
  description: Token: SeIncBasePriorityPrivilege
  pid: 3172
  Process: AUDIODG.EXE
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid: 1776
  Process: 1147c49a678de2a66f5f1b81eb58f0241604c11382c34840965c6d0e0c2fd611.exe
Processes

- C:\Users\Admin\AppData\Local\Temp\1147c49a678de2a66f5f1b81eb58f0241604c11382c34840965c6d0e0c2fd611.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\1147c49a678de2a66f5f1b81eb58f0241604c11382c34840965c6d0e0c2fd611.exe"
  PID: 1776
  signatures: Enumerates connected drives; Suspicious use of SetWindowsHookEx
  - C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1776 -s 1624
    PID: 1808
    signatures: Program crash
- C:\Windows\system32\AUDIODG.EXE
  command line: C:\Windows\system32\AUDIODG.EXE 0x300 0x498
  PID: 3172
  signatures: Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1776 -ip 1776
  PID: 5032

Reading the tree: both WerFault.exe instances carry "-p 1776", the sample's PID, so the sample crashed during this run and the recorded behaviour (opening \??\D: read-only, installing a hook through SetWindowsHookEx) is all it managed before the crash. The WerFault.exe image under SysWOW64 means the crashing process was a 32-bit process on this x64 image, consistent with the arch:x86 resource tag. AUDIODG.EXE runs as a separate top-level process, not as a child of the sample, so its AdjustPrivilegeToken hits should not be attributed to the sample.
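The triage questions a practitioner asks of a tree like this (did the submitted sample crash, and which signature hits actually belong to it) are easy to get wrong by eye when WerFault helpers and unrelated system processes share the list. The following Python is an added example, not tria.ge code: it encodes the process tree above (constructed from the report's Processes section), parses the WerFault.exe switches, and splits signature hits into those in the sample's lineage and those on unrelated top-level processes. The Proc structure, the parent links inferred from the tree depth, and the handling of the -u, -p, -s, -ip and -pss switches are this example's own assumptions about the flattened tree form.

```python
"""Attribute sandbox signature hits to the submitted sample and detect its crash.

Added example (not tria.ge code). PROCS is constructed from the report's
process tree; parent links follow the tree depth shown there.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Proc:
    pid: int
    image: str
    cmdline: str
    parent: Optional[int] = None          # None for top-level processes in the tree
    signatures: list[str] = field(default_factory=list)


SAMPLE = "1147c49a678de2a66f5f1b81eb58f0241604c11382c34840965c6d0e0c2fd611.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE_IMAGE = TEMP + "\\" + SAMPLE

# Constructed from the "Processes" section of the report above.
PROCS = [
    Proc(1776, SAMPLE_IMAGE, f'"{SAMPLE_IMAGE}"', None,
         ["Enumerates connected drives", "Suspicious use of SetWindowsHookEx"]),
    Proc(1808, r"C:\Windows\SysWOW64\WerFault.exe",
         r"C:\Windows\SysWOW64\WerFault.exe -u -p 1776 -s 1624", 1776, ["Program crash"]),
    Proc(3172, r"C:\Windows\system32\AUDIODG.EXE",
         r"C:\Windows\system32\AUDIODG.EXE 0x300 0x498", None,
         ["Suspicious use of AdjustPrivilegeToken"]),
    Proc(5032, r"C:\Windows\SysWOW64\WerFault.exe",
         r"C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1776 -ip 1776", None, []),
]

# Switches whose value is a number (pid, sequence, pid of the process to inspect).
WERFAULT_INT_FLAGS = {"p", "s", "ip"}


def parse_werfault_args(cmdline: str) -> dict[str, int | bool | str]:
    """Parse WerFault.exe switches into a dict.

    A switch followed by a non-switch token takes that token as its value
    (converted to int for -p/-s/-ip); a bare switch such as -u or -pss maps to True.
    Assumes the image path itself contains no spaces, as in this report.
    """
    tokens = cmdline.split()[1:]          # drop the image path
    args: dict[str, int | bool | str] = {}
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if not tok.startswith("-"):
            i += 1
            continue
        name = tok.lstrip("-")
        if i + 1 < len(tokens) and not tokens[i + 1].startswith("-"):
            val = tokens[i + 1]
            args[name] = int(val) if name in WERFAULT_INT_FLAGS else val
            i += 2
        else:
            args[name] = True
            i += 1
    return args


def crashed_pids(procs: list[Proc]) -> set[int]:
    """PIDs reported as crashed: the -p target of every WerFault.exe instance."""
    crashed: set[int] = set()
    for p in procs:
        if p.image.lower().endswith("\\werfault.exe"):
            target = parse_werfault_args(p.cmdline).get("p")
            if isinstance(target, int):
                crashed.add(target)
    return crashed


def descendants(procs: list[Proc], root_pid: int) -> set[int]:
    """Transitive children of root_pid according to the tree's parent links."""
    by_parent: dict[Optional[int], list[int]] = {}
    for p in procs:
        by_parent.setdefault(p.parent, []).append(p.pid)
    found: set[int] = set()
    stack = [root_pid]
    while stack:
        for child in by_parent.get(stack.pop(), []):
            if child not in found:
                found.add(child)
                stack.append(child)
    return found


def attribute(procs: list[Proc], sample_pid: int) -> dict:
    """Split signature hits into the sample's lineage vs unrelated processes,
    and report whether the sample itself crashed."""
    lineage = {sample_pid} | descendants(procs, sample_pid)
    attributed: list[tuple[str, int]] = []
    unrelated: list[tuple[str, int]] = []
    for p in procs:
        for sig in p.signatures:
            (attributed if p.pid in lineage else unrelated).append((sig, p.pid))
    return {"sample_crashed": sample_pid in crashed_pids(procs),
            "attributed": attributed, "unrelated": unrelated}


if __name__ == "__main__":
    print(attribute(PROCS, 1776))
```

Running attribute(PROCS, 1776) reports the sample as crashed, keeps the drive enumeration, hook installation and the crash itself under the sample, and leaves the AdjustPrivilegeToken hit on AUDIODG.EXE as unrelated. The second WerFault.exe (PID 5032) is top-level in the tree, so it is counted only through its -p switch as crash handling, not as a child of the sample.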