Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    123s
  • max time network
    175s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17/04/2024, 03:21

General

  • Target

    33dbfb9e703ad85d6be243cc09f6d473f5ffba72b135becc907f411d3b803458.exe

  • Size

    3.0MB

  • MD5

    df7a1a3dda3ef1e2dbf4837052ec6a2a

  • SHA1

    b54a7a9cbfebba7577ee212416c86768850511d0

  • SHA256

    33dbfb9e703ad85d6be243cc09f6d473f5ffba72b135becc907f411d3b803458

  • SHA512

    19f0800d814c33ccc2f3dd548b0b4b92d81c97f29404d67e9962bd9a16545a63c9413520aa84f1d2aac8f822a6260b4326f05b8585c060aa3c41e778294acde8

  • SSDEEP

    49152:ZcburWWS6FKmeAxAfovAF6RKcBQbx+29uWV9D489N:iburtzFKmeoAAvAF6RK/N91PM+N

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Kills process with taskkill 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\33dbfb9e703ad85d6be243cc09f6d473f5ffba72b135becc907f411d3b803458.exe
    "C:\Users\Admin\AppData\Local\Temp\33dbfb9e703ad85d6be243cc09f6d473f5ffba72b135becc907f411d3b803458.exe"
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4708
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\temp.bat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4852
      • C:\Windows\SysWOW64\taskkill.exe
        TASKKILL /F /PID 4708
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4328
      • C:\Users\Admin\AppData\Local\Temp\NSUDOLC.exe
        NSUDOLC /U:S /P:E C:\Users\Admin\AppData\Local\Temp\33dbfb9e703ad85d6be243cc09f6d473f5ffba72b135becc907f411d3b803458.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2476

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\NSUDOLC.exe

    Filesize

    99KB

    MD5

    0ac3e9d59309f599403ac51615bfe41b

    SHA1

    9041c5562558cb58ac98bd18de3c0ce370a59e1f

    SHA256

    6d5e116c2af78b5585602d91bca3a436a0350630fc7c08412c0cafe55199547c

    SHA512

    e5de92202f4d3ecaff8bd65c99cbbc98c2deaafafe1620be7169d0fed467bfa11ce727fa78f686166758ee3df0b040a2643dbd5a46ee74cc679e647ebdad6910

  • C:\Users\Admin\AppData\Local\Temp\temp.bat

    Filesize

    145B

    MD5

    8f5d90ec932d4f60f4c034264448d407

    SHA1

    3a264919d018803c8c0b2224af08131571008f81

    SHA256

    efbff17a1a193cf71898c03e988a73cc797c0d6a3572d616a9f31e98340be498

    SHA512

    99af6156ebf01ac11ce16cf495e41c490a687c873d24a6adde405ff29ae86dea37f3920515c9a71c11c85d41a8385e4036ec39ec6e0052aa1cc11f9e81b1f5d4