Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    91s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21/09/2024, 14:48

General

  • Target

    student.exe

  • Size

    16.4MB

  • MD5

    16008a18ed602a629d889297a7c3c932

  • SHA1

    cdf29db97bdd80d0cd3054a2888d51ecb4c815fd

  • SHA256

    f804f5ee8d450c144a5abd2ab8524c7bdec83a4ebdd3720c0ad4e1cf5411e8bc

  • SHA512

    13f43c46b2971f4aa0e4172ee6e0c9e1769dd8c1ac9821f2be146a260a1bc821e912ebc7a0fad073bb902e4e4ceccea1e52e06eb9524dbe06d61441b445fc8c6

  • SSDEEP

    393216:+65xokU8YXfusOWMXY2eTE5VkH/VJS3bon2kK:fsPPus6X2gO9JS3O21

Score
7/10

Malware Config

Signatures

  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 32 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\student.exe
    "C:\Users\Admin\AppData\Local\Temp\student.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4364
    • C:\Windows\SysWOW64\msiexec.exe
      msiexec.exe /i c:\windows\temp\Student.msi TRANSFORMS=":zh-cn.mst" SCREENDRIVER=1 RUNBYSERVICE=1
      2⤵
      • Enumerates connected drives
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:1792
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3672

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\autD590.tmp

    Filesize

    16.0MB

    MD5

    bd2bf4af2aaecee2917a3e55353a90fb

    SHA1

    9c819f5db18bcdf767391b3b8e2fd490c4e3435d

    SHA256

    87880be8b0bda7a682535769f910fa90e3c7e62cbc49d366e2987d16fec51d16

    SHA512

    0d780523e4ff7d17a9d94577ad47d3ed248692d09a3cf603f2acae281b46f2864479d741327bff2109aa327ebcb22fb601e972d82a05dca130bacc1427117692

  • memory/4364-0-0x00000000002B0000-0x000000000239C000-memory.dmp

    Filesize

    32.9MB

  • memory/4364-8-0x00000000002B0000-0x000000000239C000-memory.dmp

    Filesize

    32.9MB