Resubmissions
- 29/04/2024, 14:10  240429-rg23bach2z  (score 3)
- 29/04/2024, 14:09  240429-rf8hpsce29  (score 3)
- 29/04/2024, 14:07  240429-re44wscd83  (score 3)

Analysis
- max time kernel: 77s
- max time network: 56s
- platform: windows10-2004_x64
- resource: win10v2004-20240419-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29/04/2024, 14:07
Static task
- static1

Behavioral task
- behavioral1: Sample tim_apple.exe, Resource win7-20240221-en
- behavioral2: Sample tim_apple.exe, Resource win10v2004-20240419-en
General
- Target: tim_apple.exe
- Size: 966KB
- MD5: f0e900aa239e5eec7b08efeb0d655504
- SHA1: b52a6d00ab5f392b946a9b63329fb9e5c7da3878
- SHA256: c1c76a78292df02c886fa44ff39d351d9be8e4ee2d495ddd6e8a3b483a61f227
- SHA512: abc5d575ddb29a76461c739e412c38b625f8468163da6b5846bf286ab670f004af16272049bc8a4724c322ae373af75652d65bb837ca85ce59df448efb1c72f6
- SSDEEP: 24576:0+af3I6HHUzKpatlI/Pw7Zh0lhSMXlVHSnuLF6UHWv:0+af3t0GAI/PwEsnu
Malware Config
Signatures
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | taskmgr.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | taskmgr.exe

- Suspicious behavior: EnumeratesProcesses (7 IoCs)
  pid | Process
  3024 | taskmgr.exe (7 identical entries)

- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 3024 | taskmgr.exe
  Token: SeSystemProfilePrivilege | 3024 | taskmgr.exe
  Token: SeCreateGlobalPrivilege | 3024 | taskmgr.exe
  Token: 33 | 3024 | taskmgr.exe
  Token: SeIncBasePriorityPrivilege | 3024 | taskmgr.exe

- Suspicious use of FindShellTrayWindow (33 IoCs)
  pid | Process
  3024 | taskmgr.exe (33 identical entries)

- Suspicious use of SendNotifyMessage (33 IoCs)
  pid | Process
  3024 | taskmgr.exe (33 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\tim_apple.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tim_apple.exe"
  PID: 3252
- C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID: 3024