Analysis
- max time kernel: 123s
- max time network: 175s
- platform: windows10-2004_x64
- resource: win10v2004-20240412-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 17/04/2024, 03:21
Static task
- static1

Behavioral task
- behavioral1
- Sample: 33dbfb9e703ad85d6be243cc09f6d473f5ffba72b135becc907f411d3b803458.exe
- Resource: win7-20240220-en

Behavioral task
- behavioral2
- Sample: 33dbfb9e703ad85d6be243cc09f6d473f5ffba72b135becc907f411d3b803458.exe
- Resource: win10v2004-20240412-en
General
- Target: 33dbfb9e703ad85d6be243cc09f6d473f5ffba72b135becc907f411d3b803458.exe
- Size: 3.0MB
- MD5: df7a1a3dda3ef1e2dbf4837052ec6a2a
- SHA1: b54a7a9cbfebba7577ee212416c86768850511d0
- SHA256: 33dbfb9e703ad85d6be243cc09f6d473f5ffba72b135becc907f411d3b803458
- SHA512: 19f0800d814c33ccc2f3dd548b0b4b92d81c97f29404d67e9962bd9a16545a63c9413520aa84f1d2aac8f822a6260b4326f05b8585c060aa3c41e778294acde8
- SSDEEP: 49152:ZcburWWS6FKmeAxAfovAF6RKcBQbx+29uWV9D489N:iburtzFKmeoAAvAF6RK/N91PM+N
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  - PID 2476: NSUDOLC.exe
- Enumerates connected drives (3 TTPs, 1 IoC)
  Attempts to read the root path of hard drives other than the default C: drive.
  - File opened (read-only): \??\F: by 33dbfb9e703ad85d6be243cc09f6d473f5ffba72b135becc907f411d3b803458.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Kills process with taskkill (1 IoC)
  - PID 4328: taskkill.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  - PID 2476: NSUDOLC.exe
  - PID 2476: NSUDOLC.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  - Token SeDebugPrivilege: PID 4708, 33dbfb9e703ad85d6be243cc09f6d473f5ffba72b135becc907f411d3b803458.exe
  - Token SeDebugPrivilege: PID 4328, taskkill.exe
  - Token SeDebugPrivilege: PID 2476, NSUDOLC.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  - PID 4708: 33dbfb9e703ad85d6be243cc09f6d473f5ffba72b135becc907f411d3b803458.exe
  - PID 4708: 33dbfb9e703ad85d6be243cc09f6d473f5ffba72b135becc907f411d3b803458.exe
- Suspicious use of WriteProcessMemory (8 IoCs; each entry: source PID, source process, destination PID, procid_target)
  - PID 4708 (33dbfb9e703ad85d6be243cc09f6d473f5ffba72b135becc907f411d3b803458.exe) wrote to memory of 4852, procid_target 96
  - PID 4708 (33dbfb9e703ad85d6be243cc09f6d473f5ffba72b135becc907f411d3b803458.exe) wrote to memory of 4852, procid_target 96
  - PID 4708 (33dbfb9e703ad85d6be243cc09f6d473f5ffba72b135becc907f411d3b803458.exe) wrote to memory of 4852, procid_target 96
  - PID 4852 (cmd.exe) wrote to memory of 4328, procid_target 98
  - PID 4852 (cmd.exe) wrote to memory of 4328, procid_target 98
  - PID 4852 (cmd.exe) wrote to memory of 4328, procid_target 98
  - PID 4852 (cmd.exe) wrote to memory of 2476, procid_target 101
  - PID 4852 (cmd.exe) wrote to memory of 2476, procid_target 101
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\33dbfb9e703ad85d6be243cc09f6d473f5ffba72b135becc907f411d3b803458.exe (PID 4708)
  Command line: "C:\Users\Admin\AppData\Local\Temp\33dbfb9e703ad85d6be243cc09f6d473f5ffba72b135becc907f411d3b803458.exe"
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\cmd.exe (PID 4852)
    Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\temp.bat
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\taskkill.exe (PID 4328)
      Command line: TASKKILL /F /PID 4708
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    - [3] C:\Users\Admin\AppData\Local\Temp\NSUDOLC.exe (PID 2476)
      Command line: NSUDOLC /U:S /P:E C:\Users\Admin\AppData\Local\Temp\33dbfb9e703ad85d6be243cc09f6d473f5ffba72b135becc907f411d3b803458.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 99KB
  - MD5: 0ac3e9d59309f599403ac51615bfe41b
  - SHA1: 9041c5562558cb58ac98bd18de3c0ce370a59e1f
  - SHA256: 6d5e116c2af78b5585602d91bca3a436a0350630fc7c08412c0cafe55199547c
  - SHA512: e5de92202f4d3ecaff8bd65c99cbbc98c2deaafafe1620be7169d0fed467bfa11ce727fa78f686166758ee3df0b040a2643dbd5a46ee74cc679e647ebdad6910
- Filesize: 145B
  - MD5: 8f5d90ec932d4f60f4c034264448d407
  - SHA1: 3a264919d018803c8c0b2224af08131571008f81
  - SHA256: efbff17a1a193cf71898c03e988a73cc797c0d6a3572d616a9f31e98340be498
  - SHA512: 99af6156ebf01ac11ce16cf495e41c490a687c873d24a6adde405ff29ae86dea37f3920515c9a71c11c85d41a8385e4036ec39ec6e0052aa1cc11f9e81b1f5d4