Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Resubmissions

14/06/2024, 18:10

240614-wr2xhs1dqa 8

14/06/2024, 18:03

240614-wmz75a1cjc 8

Analysis

  • max time kernel
    94s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14/06/2024, 18:03

General

  • Target

    Axiom Free Temp.exe

  • Size

    168KB

  • MD5

    461a1663734d622fc49e4a03b17d284d

  • SHA1

    52505039993d7c19cc28debbaef474f5ab61c745

  • SHA256

    f55ff667003f1cb9794a487a925a6c86e9043fda46ec2ab30f8926fd5f509f59

  • SHA512

    b3c95a238ba90e72658cf2d0844f8d00dff13715110090d41031a15d0c35b082e857f5fdbc7c30deeda1164764f68bfa02fa4b89d522406c4b11b9dccca8b94d

  • SSDEEP

    3072:Lhnks0n7phfmxymej1ic0UmJTQSaMm5/6aoP1D:1tU/mxyhjGvWljoP1D

Score
1/10

Malware Config

Signatures

  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Axiom Free Temp.exe
    "C:\Users\Admin\AppData\Local\Temp\Axiom Free Temp.exe"
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:3252
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c color 5
      2⤵
        PID:4476
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c cls
        2⤵
          PID:232
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c cls
          2⤵
            PID:2380
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c cls
            2⤵
              PID:4392
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c cls
              2⤵
                PID:4016
              • C:\Windows\system32\cmd.exe
                C:\Windows\system32\cmd.exe /c wmic diskdrive get serialnumber
                2⤵
                • Suspicious use of WriteProcessMemory
                PID:3340
                • C:\Windows\System32\Wbem\WMIC.exe
                  wmic diskdrive get serialnumber
                  3⤵
                  • Suspicious use of AdjustPrivilegeToken
                  PID:3432
              • C:\Windows\system32\cmd.exe
                C:\Windows\system32\cmd.exe /c wmic bios get serialnumber
                2⤵
                • Suspicious use of WriteProcessMemory
                PID:1244
                • C:\Windows\System32\Wbem\WMIC.exe
                  wmic bios get serialnumber
                  3⤵
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2516
              • C:\Windows\system32\cmd.exe
                C:\Windows\system32\cmd.exe /c wmic cpu get serialnumber
                2⤵
                • Suspicious use of WriteProcessMemory
                PID:2736
                • C:\Windows\System32\Wbem\WMIC.exe
                  wmic cpu get serialnumber
                  3⤵
                    PID:2132
                • C:\Windows\system32\cmd.exe
                  C:\Windows\system32\cmd.exe /c wmic networkadapter get MACAddress
                  2⤵
                  • Suspicious use of WriteProcessMemory
                  PID:764
                  • C:\Windows\System32\Wbem\WMIC.exe
                    wmic networkadapter get MACAddress
                    3⤵
                      PID:4860
                • C:\Windows\System32\rundll32.exe
                  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                  1⤵
                    PID:2904

                  Network

                  MITRE ATT&CK Matrix

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads