Analysis
  max time kernel: 136s
  max time network: 149s
  platform: windows10-2004_x64
  resource: win10v2004-20240709-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 15/07/2024, 05:04
Static task
  static1

Behavioral task
  behavioral1
  Sample: PZI_R5P92.exe
  Resource: win7-20240705-en

Behavioral task
  behavioral2
  Sample: PZI_R5P92.exe
  Resource: win10v2004-20240709-en
General
  Target: PZI_R5P92.exe
  Size: 123KB
  MD5: 671d98a5b272d01c604d57f925318c04
  SHA1: 4198c3513259a401a9e459cf73a6d0a9097ab525
  SHA256: 188006f5267e1ef35fcff67ab8d013cb95f72e3f450861500da60ef5c969a346
  SHA512: dddf1ca71f1c6943dba2cdf1e2355fb2b4c7d64ea8aeef6217d4bedc7b7cbdae1910e3acfa97801d4f6ef71ca8c1fd3b250af94f546d86e057bda0a1b6a2a162
  SSDEEP: 3072:Zk6LYvJhtPwcP49AGlJ6ZYtQhQg2SCf38CVjqsyGIwhKfzOC334chqDIq/ZigP:26MxhpwFeG36mN8NDLrZU0IZigP
Malware Config
Signatures
  Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
    description                  | ioc                | Process
    File opened for modification | \??\PhysicalDrive0 | PZI_R5P92.exe

  Suspicious use of AdjustPrivilegeToken (2 IoCs)
    description                        | pid  | Process
    Token: 33                          | 1168 | AUDIODG.EXE
    Token: SeIncBasePriorityPrivilege  | 1168 | AUDIODG.EXE

  Suspicious use of WriteProcessMemory (6 IoCs)
    description                       | pid  | Process       | procid_target
    PID 2564 wrote to memory of 5080  | 2564 | PZI_R5P92.exe | 88
    PID 2564 wrote to memory of 5080  | 2564 | PZI_R5P92.exe | 88
    PID 2564 wrote to memory of 5080  | 2564 | PZI_R5P92.exe | 88
    PID 5080 wrote to memory of 264   | 5080 | cmd.exe       | 89
    PID 5080 wrote to memory of 264   | 5080 | cmd.exe       | 89
    PID 5080 wrote to memory of 264   | 5080 | cmd.exe       | 89
Processes
  1. C:\Users\Admin\AppData\Local\Temp\PZI_R5P92.exe
     Command line: "C:\Users\Admin\AppData\Local\Temp\PZI_R5P92.exe"
     PID: 2564
     - Writes to the Master Boot Record (MBR)
     - Suspicious use of WriteProcessMemory

     2. C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c cmd.exe /f takeown /f C:WindowsSystem32 >nul && icacls C:WindowsSystem32 /grant "%username%:F" >nul
        PID: 5080
        - Suspicious use of WriteProcessMemory

        3. C:\Windows\SysWOW64\cmd.exe
           Command line: cmd.exe /f takeown /f C:WindowsSystem32
           PID: 264

  1. C:\Windows\system32\AUDIODG.EXE
     Command line: C:\Windows\system32\AUDIODG.EXE 0x4e8 0x4ec
     PID: 1168
     - Suspicious use of AdjustPrivilegeToken