Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
28s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
09/05/2024, 03:53
Static task
static1
Behavioral task
behavioral1
Sample
c8c90743193ee35ac7c7379aa6dcfe20282150840bf3868d9ebd02b03e80f279.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
c8c90743193ee35ac7c7379aa6dcfe20282150840bf3868d9ebd02b03e80f279.exe
Resource
win10v2004-20240508-en
General
-
Target
c8c90743193ee35ac7c7379aa6dcfe20282150840bf3868d9ebd02b03e80f279.exe
-
Size
927KB
-
MD5
58425a8ca9e369e82233314c75ef0139
-
SHA1
bcb05f59c03514b0588e5da22e8fc45640bc1501
-
SHA256
c8c90743193ee35ac7c7379aa6dcfe20282150840bf3868d9ebd02b03e80f279
-
SHA512
065e1553a279238ef0d4d9bcec451b4d84eb4db9f986460e318c3932b2b586ca61a3736d3062b99c86fb402ebb45b95f265e6efc26bfb2240ced54f522850f3e
-
SSDEEP
24576:WbN+yZe0p4Ek4niOkl/A04szE87JKTvmZ:WbN+ieW4SkZP4sz9Mba
Malware Config
Signatures
-
UPX dump on OEP (original entry point) 6 IoCs
resource yara_rule behavioral2/memory/1136-0-0x0000000000400000-0x000000000041B000-memory.dmp UPX behavioral2/files/0x000500000002326f-6.dat UPX behavioral2/memory/4988-12-0x0000000000400000-0x000000000041B000-memory.dmp UPX behavioral2/memory/1468-11-0x0000000000400000-0x000000000041B000-memory.dmp UPX behavioral2/memory/1136-10-0x0000000000400000-0x000000000041B000-memory.dmp UPX behavioral2/memory/1468-16-0x0000000000400000-0x000000000041B000-memory.dmp UPX -
Executes dropped EXE 3 IoCs
pid Process 1468 MSWDM.EXE 4988 MSWDM.EXE 3376 C8C90743193EE35AC7C7379AA6DCFE20282150840BF3868D9EBD02B03E80F279.EXE -
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE" c8c90743193ee35ac7c7379aa6dcfe20282150840bf3868d9ebd02b03e80f279.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE" c8c90743193ee35ac7c7379aa6dcfe20282150840bf3868d9ebd02b03e80f279.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE" MSWDM.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE" MSWDM.EXE -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\WINDOWS\MSWDM.EXE c8c90743193ee35ac7c7379aa6dcfe20282150840bf3868d9ebd02b03e80f279.exe File opened for modification C:\Windows\dev4873.tmp c8c90743193ee35ac7c7379aa6dcfe20282150840bf3868d9ebd02b03e80f279.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 4988 MSWDM.EXE 4988 MSWDM.EXE -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeRestorePrivilege 3376 C8C90743193EE35AC7C7379AA6DCFE20282150840BF3868D9EBD02B03E80F279.EXE Token: 35 3376 C8C90743193EE35AC7C7379AA6DCFE20282150840BF3868D9EBD02B03E80F279.EXE -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 1136 wrote to memory of 1468 1136 c8c90743193ee35ac7c7379aa6dcfe20282150840bf3868d9ebd02b03e80f279.exe 79 PID 1136 wrote to memory of 1468 1136 c8c90743193ee35ac7c7379aa6dcfe20282150840bf3868d9ebd02b03e80f279.exe 79 PID 1136 wrote to memory of 1468 1136 c8c90743193ee35ac7c7379aa6dcfe20282150840bf3868d9ebd02b03e80f279.exe 79 PID 1136 wrote to memory of 4988 1136 c8c90743193ee35ac7c7379aa6dcfe20282150840bf3868d9ebd02b03e80f279.exe 80 PID 1136 wrote to memory of 4988 1136 c8c90743193ee35ac7c7379aa6dcfe20282150840bf3868d9ebd02b03e80f279.exe 80 PID 1136 wrote to memory of 4988 1136 c8c90743193ee35ac7c7379aa6dcfe20282150840bf3868d9ebd02b03e80f279.exe 80 PID 4988 wrote to memory of 3376 4988 MSWDM.EXE 81 PID 4988 wrote to memory of 3376 4988 MSWDM.EXE 81
Processes
-
C:\Users\Admin\AppData\Local\Temp\c8c90743193ee35ac7c7379aa6dcfe20282150840bf3868d9ebd02b03e80f279.exe"C:\Users\Admin\AppData\Local\Temp\c8c90743193ee35ac7c7379aa6dcfe20282150840bf3868d9ebd02b03e80f279.exe"1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1136 -
C:\WINDOWS\MSWDM.EXE"C:\WINDOWS\MSWDM.EXE"2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1468
-
-
C:\WINDOWS\MSWDM.EXE-r!C:\Windows\dev4873.tmp!C:\Users\Admin\AppData\Local\Temp\c8c90743193ee35ac7c7379aa6dcfe20282150840bf3868d9ebd02b03e80f279.exe! !2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4988 -
C:\Users\Admin\AppData\Local\Temp\C8C90743193EE35AC7C7379AA6DCFE20282150840BF3868D9EBD02B03E80F279.EXE
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3376
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
80KB
MD5f953eee07963c184dd80c54fe6d036a5
SHA1c09ef25a25722b434f31e2e4ae9a53a77abfdb66
SHA25658fe341cf6d3034c6b660f49e9619d7c9a189f1eca079e1aac0daf062d322fba
SHA5124fb4d94008673a649f59e2e1971840d066f31808490ae8939f8d0c87995b39494a513c14ea3d8ed1966b13a268b80d923103bda27ff6c1dc64be938f1437fb95
-
Filesize
847KB
MD5c8f40f25f783a52262bdaedeb5555427
SHA1e45e198607c8d7398745baa71780e3e7a2f6deca
SHA256e81b44ee7381ae3b630488b6fb7e3d9ffbdd9ac3032181d4ccaaff3409b57316
SHA512f5944743f54028eb1dd0f2d68468726b177d33185324da0da96cdd20768bab4ca2e507ae9157b2733fd6240c920b7e15a5f5b9f284ee09d0fd385fc895b97191