Analysis
max time kernel: 94s
max time network: 95s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14/06/2024, 18:03
Static task: static1
    1 signature

Behavioral task: behavioral1
    Sample: Axiom Free Temp.exe
    Resource: win7-20240508-en
    5 signatures, 150 seconds

Behavioral task: behavioral2
    Sample: Axiom Free Temp.exe
    Resource: win10v2004-20240611-en
    3 signatures, 150 seconds
General
Target: Axiom Free Temp.exe
Size: 168KB
MD5: 461a1663734d622fc49e4a03b17d284d
SHA1: 52505039993d7c19cc28debbaef474f5ab61c745
SHA256: f55ff667003f1cb9794a487a925a6c86e9043fda46ec2ab30f8926fd5f509f59
SHA512: b3c95a238ba90e72658cf2d0844f8d00dff13715110090d41031a15d0c35b082e857f5fdbc7c30deeda1164764f68bfa02fa4b89d522406c4b11b9dccca8b94d
SSDEEP: 3072:Lhnks0n7phfmxymej1ic0UmJTQSaMm5/6aoP1D:1tU/mxyhjGvWljoP1D
Score: 1/10
Malware Config
Signatures
Suspicious use of AdjustPrivilegeToken (64 IoCs)

Token                          PID    Process
SeIncreaseQuotaPrivilege       3432   WMIC.exe
SeSecurityPrivilege            3432   WMIC.exe
SeTakeOwnershipPrivilege       3432   WMIC.exe
SeLoadDriverPrivilege          3432   WMIC.exe
SeSystemProfilePrivilege       3432   WMIC.exe
SeSystemtimePrivilege          3432   WMIC.exe
SeProfSingleProcessPrivilege   3432   WMIC.exe
SeIncBasePriorityPrivilege     3432   WMIC.exe
SeCreatePagefilePrivilege      3432   WMIC.exe
SeBackupPrivilege              3432   WMIC.exe
SeRestorePrivilege             3432   WMIC.exe
SeShutdownPrivilege            3432   WMIC.exe
SeDebugPrivilege               3432   WMIC.exe
SeSystemEnvironmentPrivilege   3432   WMIC.exe
SeRemoteShutdownPrivilege      3432   WMIC.exe
SeUndockPrivilege              3432   WMIC.exe
SeManageVolumePrivilege        3432   WMIC.exe
33                             3432   WMIC.exe
34                             3432   WMIC.exe
35                             3432   WMIC.exe
36                             3432   WMIC.exe
SeIncreaseQuotaPrivilege       3432   WMIC.exe
SeSecurityPrivilege            3432   WMIC.exe
SeTakeOwnershipPrivilege       3432   WMIC.exe
SeLoadDriverPrivilege          3432   WMIC.exe
SeSystemProfilePrivilege       3432   WMIC.exe
SeSystemtimePrivilege          3432   WMIC.exe
SeProfSingleProcessPrivilege   3432   WMIC.exe
SeIncBasePriorityPrivilege     3432   WMIC.exe
SeCreatePagefilePrivilege      3432   WMIC.exe
SeBackupPrivilege              3432   WMIC.exe
SeRestorePrivilege             3432   WMIC.exe
SeShutdownPrivilege            3432   WMIC.exe
SeDebugPrivilege               3432   WMIC.exe
SeSystemEnvironmentPrivilege   3432   WMIC.exe
SeRemoteShutdownPrivilege      3432   WMIC.exe
SeUndockPrivilege              3432   WMIC.exe
SeManageVolumePrivilege        3432   WMIC.exe
33                             3432   WMIC.exe
34                             3432   WMIC.exe
35                             3432   WMIC.exe
36                             3432   WMIC.exe
SeIncreaseQuotaPrivilege       2516   WMIC.exe
SeSecurityPrivilege            2516   WMIC.exe
SeTakeOwnershipPrivilege       2516   WMIC.exe
SeLoadDriverPrivilege          2516   WMIC.exe
SeSystemProfilePrivilege       2516   WMIC.exe
SeSystemtimePrivilege          2516   WMIC.exe
SeProfSingleProcessPrivilege   2516   WMIC.exe
SeIncBasePriorityPrivilege     2516   WMIC.exe
SeCreatePagefilePrivilege      2516   WMIC.exe
SeBackupPrivilege              2516   WMIC.exe
SeRestorePrivilege             2516   WMIC.exe
SeShutdownPrivilege            2516   WMIC.exe
SeDebugPrivilege               2516   WMIC.exe
SeSystemEnvironmentPrivilege   2516   WMIC.exe
SeRemoteShutdownPrivilege      2516   WMIC.exe
SeUndockPrivilege              2516   WMIC.exe
SeManageVolumePrivilege        2516   WMIC.exe
33                             2516   WMIC.exe
34                             2516   WMIC.exe
35                             2516   WMIC.exe
36                             2516   WMIC.exe
SeIncreaseQuotaPrivilege       2516   WMIC.exe
Suspicious use of FindShellTrayWindow (1 IoC)

PID    Process
3252   Axiom Free Temp.exe
Suspicious use of WriteProcessMemory (26 IoCs)

Description                         PID    Process               procid_target
PID 3252 wrote to memory of 4476    3252   Axiom Free Temp.exe   84
PID 3252 wrote to memory of 4476    3252   Axiom Free Temp.exe   84
PID 3252 wrote to memory of 232     3252   Axiom Free Temp.exe   85
PID 3252 wrote to memory of 232     3252   Axiom Free Temp.exe   85
PID 3252 wrote to memory of 2380    3252   Axiom Free Temp.exe   89
PID 3252 wrote to memory of 2380    3252   Axiom Free Temp.exe   89
PID 3252 wrote to memory of 4392    3252   Axiom Free Temp.exe   90
PID 3252 wrote to memory of 4392    3252   Axiom Free Temp.exe   90
PID 3252 wrote to memory of 4016    3252   Axiom Free Temp.exe   91
PID 3252 wrote to memory of 4016    3252   Axiom Free Temp.exe   91
PID 3252 wrote to memory of 3340    3252   Axiom Free Temp.exe   92
PID 3252 wrote to memory of 3340    3252   Axiom Free Temp.exe   92
PID 3340 wrote to memory of 3432    3340   cmd.exe               93
PID 3340 wrote to memory of 3432    3340   cmd.exe               93
PID 3252 wrote to memory of 1244    3252   Axiom Free Temp.exe   95
PID 3252 wrote to memory of 1244    3252   Axiom Free Temp.exe   95
PID 1244 wrote to memory of 2516    1244   cmd.exe               96
PID 1244 wrote to memory of 2516    1244   cmd.exe               96
PID 3252 wrote to memory of 2736    3252   Axiom Free Temp.exe   97
PID 3252 wrote to memory of 2736    3252   Axiom Free Temp.exe   97
PID 2736 wrote to memory of 2132    2736   cmd.exe               98
PID 2736 wrote to memory of 2132    2736   cmd.exe               98
PID 3252 wrote to memory of 764     3252   Axiom Free Temp.exe   99
PID 3252 wrote to memory of 764     3252   Axiom Free Temp.exe   99
PID 764 wrote to memory of 4860     764    cmd.exe               100
PID 764 wrote to memory of 4860     764    cmd.exe               100
Processes (indentation shows parent/child depth)

Axiom Free Temp.exe (PID 3252)
    Path: C:\Users\Admin\AppData\Local\Temp\Axiom Free Temp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Axiom Free Temp.exe"
    Signatures: Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory

    cmd.exe (PID 4476)
        Command line: C:\Windows\system32\cmd.exe /c color 5

    cmd.exe (PID 232)
        Command line: C:\Windows\system32\cmd.exe /c cls

    cmd.exe (PID 2380)
        Command line: C:\Windows\system32\cmd.exe /c cls

    cmd.exe (PID 4392)
        Command line: C:\Windows\system32\cmd.exe /c cls

    cmd.exe (PID 4016)
        Command line: C:\Windows\system32\cmd.exe /c cls

    cmd.exe (PID 3340)
        Command line: C:\Windows\system32\cmd.exe /c wmic diskdrive get serialnumber
        Signatures: Suspicious use of WriteProcessMemory

        WMIC.exe (PID 3432)
            Path: C:\Windows\System32\Wbem\WMIC.exe
            Command line: wmic diskdrive get serialnumber
            Signatures: Suspicious use of AdjustPrivilegeToken

    cmd.exe (PID 1244)
        Command line: C:\Windows\system32\cmd.exe /c wmic bios get serialnumber
        Signatures: Suspicious use of WriteProcessMemory

        WMIC.exe (PID 2516)
            Path: C:\Windows\System32\Wbem\WMIC.exe
            Command line: wmic bios get serialnumber
            Signatures: Suspicious use of AdjustPrivilegeToken

    cmd.exe (PID 2736)
        Command line: C:\Windows\system32\cmd.exe /c wmic cpu get serialnumber
        Signatures: Suspicious use of WriteProcessMemory

        WMIC.exe (PID 2132)
            Path: C:\Windows\System32\Wbem\WMIC.exe
            Command line: wmic cpu get serialnumber

    cmd.exe (PID 764)
        Command line: C:\Windows\system32\cmd.exe /c wmic networkadapter get MACAddress
        Signatures: Suspicious use of WriteProcessMemory

        WMIC.exe (PID 4860)
            Path: C:\Windows\System32\Wbem\WMIC.exe
            Command line: wmic networkadapter get MACAddress

rundll32.exe (PID 2904)
    Path: C:\Windows\System32\rundll32.exe
    Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding