Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 21/05/2024, 11:42
Static task
- static1

Behavioral task
- behavioral1
  Sample: 2bfxeaki5b2u168cfhsmntlud.exe
  Resource: win7-20240221-en

Behavioral task
- behavioral2
  Sample: 2bfxeaki5b2u168cfhsmntlud.exe
  Resource: win10v2004-20240508-en
General
- Target: 2bfxeaki5b2u168cfhsmntlud.exe
- Size: 7.3MB
- MD5: 6136a11723e68480cc4c865575b7a73a
- SHA1: 262b36e28690bf8352c7fbdf99654c8753a41d70
- SHA256: 5f9c2768660cf04058d51e938ea7e42dc8dc62b0556140950de7352f8c6b12cd
- SHA512: b8c99e1fdbed8c251bf0d74358bd34cbf4b6c5df0ea317f461a39af41203b30f8a2866f196503f5bd2469b977af2c13ca3e4bb50deb206d3b086fdd90472dd27
- SSDEEP: 196608:DHlxvCyD+frVOaVm4zE0WxGoTJuMpQWKL7scxtyAPPx:DH7vTEVO14DUJnKL7xP
Malware Config
Signatures

- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  pid   Process
  2744  2bfxeaki5b2u168cfhsmntlud.exe

- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description        ioc                                                                              Process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                  2bfxeaki5b2u168cfhsmntlud.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  2bfxeaki5b2u168cfhsmntlud.exe

- Enumerates system info in registry (2 TTPs, 2 IoCs)
  description        ioc                                                      Process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS             2bfxeaki5b2u168cfhsmntlud.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVendor  2bfxeaki5b2u168cfhsmntlud.exe

- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  2744  2bfxeaki5b2u168cfhsmntlud.exe
  2744  2bfxeaki5b2u168cfhsmntlud.exe

- Suspicious use of WriteProcessMemory (16 IoCs)
  description                     pid   Process                        procid_target
  PID 2744 wrote to memory of 3016  2744  2bfxeaki5b2u168cfhsmntlud.exe  85
  PID 2744 wrote to memory of 3016  2744  2bfxeaki5b2u168cfhsmntlud.exe  85
  PID 2744 wrote to memory of 4164  2744  2bfxeaki5b2u168cfhsmntlud.exe  91
  PID 2744 wrote to memory of 4164  2744  2bfxeaki5b2u168cfhsmntlud.exe  91
  PID 2744 wrote to memory of 4164  2744  2bfxeaki5b2u168cfhsmntlud.exe  91
  PID 2744 wrote to memory of 4164  2744  2bfxeaki5b2u168cfhsmntlud.exe  91
  PID 2744 wrote to memory of 4164  2744  2bfxeaki5b2u168cfhsmntlud.exe  91
  PID 2744 wrote to memory of 4164  2744  2bfxeaki5b2u168cfhsmntlud.exe  91
  PID 2744 wrote to memory of 4164  2744  2bfxeaki5b2u168cfhsmntlud.exe  91
  PID 2744 wrote to memory of 4164  2744  2bfxeaki5b2u168cfhsmntlud.exe  91
  PID 2744 wrote to memory of 4164  2744  2bfxeaki5b2u168cfhsmntlud.exe  91
  PID 2744 wrote to memory of 4164  2744  2bfxeaki5b2u168cfhsmntlud.exe  91
  PID 2744 wrote to memory of 4164  2744  2bfxeaki5b2u168cfhsmntlud.exe  91
  PID 2744 wrote to memory of 4164  2744  2bfxeaki5b2u168cfhsmntlud.exe  91
  PID 2744 wrote to memory of 4164  2744  2bfxeaki5b2u168cfhsmntlud.exe  91
  PID 2744 wrote to memory of 4164  2744  2bfxeaki5b2u168cfhsmntlud.exe  91
Processes

- C:\Users\Admin\AppData\Local\Temp\2bfxeaki5b2u168cfhsmntlud.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2bfxeaki5b2u168cfhsmntlud.exe"
  PID: 2744
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c color b
    PID: 3016

  - C:\Windows\System32\notepad.exe
    Command line: "C:\Windows\System32\notepad.exe"
    PID: 4164