Analysis
- max time kernel: 149s
- max time network: 136s
- platform: windows10-1703_x64
- resource: win10-20240404-es
- resource tags: arch:x64, arch:x86, image:win10-20240404-es, locale:es-es, os:windows10-1703-x64, system:windows
- submitted: 04/07/2024, 13:34
Static task
- static1
Behavioral task
- behavioral1
  - Sample: image003 (1).gz
  - Resource: win10-20240404-es
  - 4 signatures
  - 150 seconds
Behavioral task
- behavioral2
  - Sample: sample
  - Resource: win10-20240404-es
  - 6 signatures
  - 150 seconds
General
- Target: sample
- Size: 62KB
- MD5: f2abb72e07fc51c8df69e3191767a352
- SHA1: 4f345efc1fcf9378141338da44ed33dd443b10d3
- SHA256: 06937bd322757570c195658d4fd3e7ef99769b9fde05ba97bb9f1e558ecf3e58
- SHA512: 1760203801ec19074f1bc76df24e113c9dc38b2c88106881313a394a3ef8ccf0dcbf0574dfadf15665ceb5b7be396fda5fe06fb0974e6f9e27769b976b6dbe27
- SSDEEP: 192:qtqHbyXlly0URbrGHANMIlpfGK7Q5Nf86kxCMME9Vkf5dw2tffvIFPgZFNHM:qtq7yXlcxbrtiIlx3HIrw2t/Ius
- Score: 4/10
Malware Config
Signatures
Drops file in Windows directory (2 IoCs)
- File created: C:\Windows\rescache\_merged\4183903823\2290032291.pri (process: taskmgr.exe)
- File created: C:\Windows\rescache\_merged\1601268389\715946058.pri (process: taskmgr.exe)
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000 (process: taskmgr.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A (process: taskmgr.exe)
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName (process: taskmgr.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious use of AdjustPrivilegeToken (3 IoCs)
- Token: SeDebugPrivilege (pid 1892, taskmgr.exe)
- Token: SeSystemProfilePrivilege (pid 1892, taskmgr.exe)
- Token: SeCreateGlobalPrivilege (pid 1892, taskmgr.exe)
Suspicious use of FindShellTrayWindow (64 IoCs)
Suspicious use of SendNotifyMessage (64 IoCs)
Processes
- C:\Windows\system32\cmd.exe
  - Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\sample
  - PID: 216
- C:\Windows\system32\taskmgr.exe
  - Command line: "C:\Windows\system32\taskmgr.exe" /4
  - PID: 1892
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage