Analysis
  max time kernel:   314s
  max time network:  388s
  platform:          windows10-1703_x64
  resource:          win10-20240404-en
  resource tags:     arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
  submitted:         07/06/2024, 23:03
Behavioral tasks
  Task         Sample                   Resource
  behavioral1  ConsoleApplication2.exe  win10-20240404-en
  behavioral2  ConsoleApplication2.exe  win10v2004-20240508-en
  behavioral3  ConsoleApplication2.exe  win11-20240426-en
General
  Target:  ConsoleApplication2.exe
  Size:    4.5MB
  MD5:     ba6ea0efc527f2dcd8c13606a5e24e9a
  SHA1:    43a92bb3a589acf1a8480c7f0aeb14c7def349bd
  SHA256:  85e46e5e1a9b0117c0f1992ae253eac8fb69f854d35e7236583da529985204fc
  SHA512:  f4e7e4828bae57b8fac2e61ba254806408ef1aa2f35ac0da2b8b9fa5de25e2eaa537344138460f78b0271b82904a3b2e22f3ba078c9d8c3fe46c4f490c0462b5
  SSDEEP:  49152:mIvjeYIhNma2OwgHK0FqFREXY3Dl11tB+ugTizmRK6HeLAiIM1QfJPgDEWzIOwLy:mIvjeYgGoqF5DlzqTMTDEa
Malware Config
Signatures

Runs ping.exe (1 TTPs, 1 IoCs)
  pid   Process
  5092  PING.EXE

Suspicious use of AdjustPrivilegeToken (42 IoCs)
  description                            pid   Process
  Token: SeIncreaseQuotaPrivilege        1292  WMIC.exe
  Token: SeSecurityPrivilege             1292  WMIC.exe
  Token: SeTakeOwnershipPrivilege        1292  WMIC.exe
  Token: SeLoadDriverPrivilege           1292  WMIC.exe
  Token: SeSystemProfilePrivilege        1292  WMIC.exe
  Token: SeSystemtimePrivilege           1292  WMIC.exe
  Token: SeProfSingleProcessPrivilege    1292  WMIC.exe
  Token: SeIncBasePriorityPrivilege      1292  WMIC.exe
  Token: SeCreatePagefilePrivilege       1292  WMIC.exe
  Token: SeBackupPrivilege               1292  WMIC.exe
  Token: SeRestorePrivilege              1292  WMIC.exe
  Token: SeShutdownPrivilege             1292  WMIC.exe
  Token: SeDebugPrivilege                1292  WMIC.exe
  Token: SeSystemEnvironmentPrivilege    1292  WMIC.exe
  Token: SeRemoteShutdownPrivilege       1292  WMIC.exe
  Token: SeUndockPrivilege               1292  WMIC.exe
  Token: SeManageVolumePrivilege         1292  WMIC.exe
  Token: 33                              1292  WMIC.exe
  Token: 34                              1292  WMIC.exe
  Token: 35                              1292  WMIC.exe
  Token: 36                              1292  WMIC.exe
  Token: SeIncreaseQuotaPrivilege        1292  WMIC.exe
  Token: SeSecurityPrivilege             1292  WMIC.exe
  Token: SeTakeOwnershipPrivilege        1292  WMIC.exe
  Token: SeLoadDriverPrivilege           1292  WMIC.exe
  Token: SeSystemProfilePrivilege        1292  WMIC.exe
  Token: SeSystemtimePrivilege           1292  WMIC.exe
  Token: SeProfSingleProcessPrivilege    1292  WMIC.exe
  Token: SeIncBasePriorityPrivilege      1292  WMIC.exe
  Token: SeCreatePagefilePrivilege       1292  WMIC.exe
  Token: SeBackupPrivilege               1292  WMIC.exe
  Token: SeRestorePrivilege              1292  WMIC.exe
  Token: SeShutdownPrivilege             1292  WMIC.exe
  Token: SeDebugPrivilege                1292  WMIC.exe
  Token: SeSystemEnvironmentPrivilege    1292  WMIC.exe
  Token: SeRemoteShutdownPrivilege       1292  WMIC.exe
  Token: SeUndockPrivilege               1292  WMIC.exe
  Token: SeManageVolumePrivilege         1292  WMIC.exe
  Token: 33                              1292  WMIC.exe
  Token: 34                              1292  WMIC.exe
  Token: 35                              1292  WMIC.exe
  Token: 36                              1292  WMIC.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  description                       pid   Process                  procid_target
  PID 5056 wrote to memory of 3632  5056  ConsoleApplication2.exe  74
  PID 5056 wrote to memory of 3632  5056  ConsoleApplication2.exe  74
  PID 5056 wrote to memory of 3632  5056  ConsoleApplication2.exe  74
  PID 3632 wrote to memory of 5092  3632  cmd.exe                  75
  PID 3632 wrote to memory of 5092  3632  cmd.exe                  75
  PID 3632 wrote to memory of 5092  3632  cmd.exe                  75
  PID 5056 wrote to memory of 1144  5056  ConsoleApplication2.exe  76
  PID 5056 wrote to memory of 1144  5056  ConsoleApplication2.exe  76
  PID 5056 wrote to memory of 1144  5056  ConsoleApplication2.exe  76
  PID 1144 wrote to memory of 1292  1144  cmd.exe                  77
  PID 1144 wrote to memory of 1292  1144  cmd.exe                  77
  PID 1144 wrote to memory of 1292  1144  cmd.exe                  77
Processes (process tree; indentation shows parent/child)

  C:\Users\Admin\AppData\Local\Temp\ConsoleApplication2.exe  (PID 5056)
    command line: "C:\Users\Admin\AppData\Local\Temp\ConsoleApplication2.exe"
    signatures:   Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe  (PID 3632)
      command line: C:\Windows\system32\cmd.exe /c ping -n 1 1.1.1.1
      signatures:   Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\PING.EXE  (PID 5092)
        command line: ping -n 1 1.1.1.1
        signatures:   Runs ping.exe

    C:\Windows\SysWOW64\cmd.exe  (PID 1144)
      command line: C:\Windows\system32\cmd.exe /c wmic csproduct get uuid
      signatures:   Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\Wbem\WMIC.exe  (PID 1292)
        command line: wmic csproduct get uuid
        signatures:   Suspicious use of AdjustPrivilegeToken