Analysis
max time kernel: 133s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31/05/2024, 08:41
Static task: static1
Behavioral task: behavioral1
  Sample: 21f24341643611dd7adcd9c7e0cd41397df043bc15c836251ec87e1264840b25.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 21f24341643611dd7adcd9c7e0cd41397df043bc15c836251ec87e1264840b25.exe
  Resource: win10v2004-20240508-en
General
Target: 21f24341643611dd7adcd9c7e0cd41397df043bc15c836251ec87e1264840b25.exe
Size: 4.7MB
MD5: c253174eb347c8c087f805ec1238a113
SHA1: 8924e9eddde8fddbaac3345123a401e2a0db8277
SHA256: 21f24341643611dd7adcd9c7e0cd41397df043bc15c836251ec87e1264840b25
SHA512: be5557221f0e4cdb3183cedfa31aaf6b84f7c0806dbba5eae470a9b9b14c25c8dd2e06225ef1bf4e90deee33ced9fa129cc4207005d2053dda221ca6aa888737
SSDEEP: 98304:l1Q02esi1tFhYzWGIMD8npdc83WN86/IAoODltr8nye:fQHuphmWGIs0irRoOhV8V
Malware Config
Signatures
Modifies file permissions (1 TTPs, 1 IoCs)
  pid   Process
  3860  icacls.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description                pid   Process
  Token: SeRestorePrivilege  1732  javaw.exe
  Token: SeRestorePrivilege  1732  javaw.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
  pid   Process
  1732  javaw.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  description                        pid   Process                                                                 procid_target
  PID 4772 wrote to memory of 1732   4772  21f24341643611dd7adcd9c7e0cd41397df043bc15c836251ec87e1264840b25.exe  82
  PID 4772 wrote to memory of 1732   4772  21f24341643611dd7adcd9c7e0cd41397df043bc15c836251ec87e1264840b25.exe  82
  PID 1732 wrote to memory of 3860   1732  javaw.exe                                                               83
  PID 1732 wrote to memory of 3860   1732  javaw.exe                                                               83
  PID 1732 wrote to memory of 628    1732  javaw.exe                                                               85
  PID 1732 wrote to memory of 628    1732  javaw.exe                                                               85
Processes
1. C:\Users\Admin\AppData\Local\Temp\21f24341643611dd7adcd9c7e0cd41397df043bc15c836251ec87e1264840b25.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\21f24341643611dd7adcd9c7e0cd41397df043bc15c836251ec87e1264840b25.exe"
   PID: 4772
   - Suspicious use of WriteProcessMemory
   2. C:\Program Files\Java\jdk-1.8\bin\javaw.exe
      Command line: "C:\Program Files\Java\jdk-1.8\bin\javaw.exe" -XX:MinHeapFreeRatio=5 -XX:MaxHeapFreeRatio=15 -jar "21f24341643611dd7adcd9c7e0cd41397df043bc15c836251ec87e1264840b25.exe"
      PID: 1732
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\system32\icacls.exe
         Command line: C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
         PID: 3860
         - Modifies file permissions
      3. C:\Windows\SYSTEM32\cmd.exe
         Command line: cmd ver
         PID: 628
Network
MITRE ATT&CK Enterprise v15
Downloads