Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
125s -
max time network
129s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system -
submitted
16/06/2024, 01:06 UTC
Static task
static1
Behavioral task
behavioral1
Sample
3ef6cc0ee34c9c5e311bdbe2cdd6af20c451582dbb2e3b9054e6e8e9e2ea6e76.exe
Resource
win7-20240611-en
Behavioral task
behavioral2
Sample
3ef6cc0ee34c9c5e311bdbe2cdd6af20c451582dbb2e3b9054e6e8e9e2ea6e76.exe
Resource
win10v2004-20240611-en
General
-
Target
3ef6cc0ee34c9c5e311bdbe2cdd6af20c451582dbb2e3b9054e6e8e9e2ea6e76.exe
-
Size
702KB
-
MD5
5f53734c5153ec3dd61e2a732a2ff03f
-
SHA1
0dcfceaced0f4063af2e93cea48348b801fd0435
-
SHA256
3ef6cc0ee34c9c5e311bdbe2cdd6af20c451582dbb2e3b9054e6e8e9e2ea6e76
-
SHA512
17e6b58d604e2e81385fe1e82a8d5f8eafeb1a0b749280db4010158e2acb6bd516f0c5de68d9d7aa9c509a68d3cdc2a4a21623c6dda4dd2563cfd75e1a723e0f
-
SSDEEP
12288:DdKDeq1eaihwIgHYzVQKS6f4oXjXoFGXFJ1406jowEq9+NPn7NiaswNF:YDplihwIgHYzVQWjd1J1zNMg
Malware Config
Signatures
-
Sets service image path in registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\EvilDriver\ImagePath = "\\??\\C:\\Driver2030.sys" 3ef6cc0ee34c9c5e311bdbe2cdd6af20c451582dbb2e3b9054e6e8e9e2ea6e76.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 2872 1972 WerFault.exe 88 -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 1972 3ef6cc0ee34c9c5e311bdbe2cdd6af20c451582dbb2e3b9054e6e8e9e2ea6e76.exe 1972 3ef6cc0ee34c9c5e311bdbe2cdd6af20c451582dbb2e3b9054e6e8e9e2ea6e76.exe -
Suspicious behavior: LoadsDriver 1 IoCs
pid Process 1972 3ef6cc0ee34c9c5e311bdbe2cdd6af20c451582dbb2e3b9054e6e8e9e2ea6e76.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeLoadDriverPrivilege 1972 3ef6cc0ee34c9c5e311bdbe2cdd6af20c451582dbb2e3b9054e6e8e9e2ea6e76.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\3ef6cc0ee34c9c5e311bdbe2cdd6af20c451582dbb2e3b9054e6e8e9e2ea6e76.exe"C:\Users\Admin\AppData\Local\Temp\3ef6cc0ee34c9c5e311bdbe2cdd6af20c451582dbb2e3b9054e6e8e9e2ea6e76.exe"1⤵
- Sets service image path in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:1972 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1972 -s 12442⤵
- Program crash
PID:2872
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 208 -p 1972 -ip 19721⤵PID:4592
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4088,i,3549704109630749084,1975543916261970610,262144 --variations-seed-version --mojo-platform-channel-handle=4248 /prefetch:81⤵PID:3288
Network
-
Remote address:8.8.8.8:53Request88.156.103.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request72.32.126.40.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request172.210.232.199.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request103.169.127.40.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request56.126.166.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request107.12.20.2.in-addr.arpaIN PTRResponse107.12.20.2.in-addr.arpaIN PTRa2-20-12-107deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request107.12.20.2.in-addr.arpaIN PTR
-
Remote address:8.8.8.8:53Request203.107.17.2.in-addr.arpaIN PTRResponse203.107.17.2.in-addr.arpaIN PTRa2-17-107-203deploystaticakamaitechnologiescom
-
260 B 200 B 5 5
-
71 B 157 B 1 1
DNS Request
72.32.126.40.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
88.156.103.20.in-addr.arpa
-
74 B 128 B 1 1
DNS Request
172.210.232.199.in-addr.arpa
-
73 B 147 B 1 1
DNS Request
103.169.127.40.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
56.126.166.20.in-addr.arpa
-
140 B 133 B 2 1
DNS Request
107.12.20.2.in-addr.arpa
DNS Request
107.12.20.2.in-addr.arpa
-
71 B 135 B 1 1
DNS Request
203.107.17.2.in-addr.arpa