Analysis
- max time kernel: 91s
- max time network: 140s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 21/09/2024, 14:48
Behavioral task
- behavioral1
- Sample: student.exe
- Resource: win7-20240903-en
General
- Target: student.exe
- Size: 16.4MB
- MD5: 16008a18ed602a629d889297a7c3c932
- SHA1: cdf29db97bdd80d0cd3054a2888d51ecb4c815fd
- SHA256: f804f5ee8d450c144a5abd2ab8524c7bdec83a4ebdd3720c0ad4e1cf5411e8bc
- SHA512: 13f43c46b2971f4aa0e4172ee6e0c9e1769dd8c1ac9821f2be146a260a1bc821e912ebc7a0fad073bb902e4e4ceccea1e52e06eb9524dbe06d61441b445fc8c6
- SSDEEP: 393216:+65xokU8YXfusOWMXY2eTE5VkH/VJS3bon2kK:fsPPus6X2gO9JS3O21
Malware Config
Signatures
- yara_rule matches (resource, rule):
  - behavioral2/memory/4364-0-0x00000000002B0000-0x000000000239C000-memory.dmp, upx
  - behavioral2/memory/4364-8-0x00000000002B0000-0x000000000239C000-memory.dmp, upx
Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
- File opened (read-only) \??\J: by msiexec.exe
- File opened (read-only) \??\N: by msiexec.exe
- File opened (read-only) \??\P: by msiexec.exe
- File opened (read-only) \??\R: by msiexec.exe
- File opened (read-only) \??\U: by msiexec.exe
- File opened (read-only) \??\V: by msiexec.exe
- File opened (read-only) \??\A: by msiexec.exe
- File opened (read-only) \??\E: by msiexec.exe
- File opened (read-only) \??\X: by msiexec.exe
- File opened (read-only) \??\H: by msiexec.exe
- File opened (read-only) \??\I: by msiexec.exe
- File opened (read-only) \??\K: by msiexec.exe
- File opened (read-only) \??\W: by msiexec.exe
- File opened (read-only) \??\B: by msiexec.exe
- File opened (read-only) \??\G: by msiexec.exe
- File opened (read-only) \??\Y: by msiexec.exe
- File opened (read-only) \??\Z: by msiexec.exe
- File opened (read-only) \??\L: by msiexec.exe
- File opened (read-only) \??\O: by msiexec.exe
- File opened (read-only) \??\S: by msiexec.exe
- File opened (read-only) \??\T: by msiexec.exe
- File opened (read-only) \??\M: by msiexec.exe
- File opened (read-only) \??\Q: by msiexec.exe
AutoIT Executable (1 IoC)
AutoIT scripts compiled to PE executables.
- yara_rule match: behavioral2/memory/4364-8-0x00000000002B0000-0x000000000239C000-memory.dmp, autoit_exe
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by student.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by msiexec.exe
Suspicious use of AdjustPrivilegeToken (32 IoCs)
- Token: SeShutdownPrivilege (pid 1792, msiexec.exe)
- Token: SeIncreaseQuotaPrivilege (pid 1792, msiexec.exe)
- Token: SeSecurityPrivilege (pid 3672, msiexec.exe)
- Token: SeCreateTokenPrivilege (pid 1792, msiexec.exe)
- Token: SeAssignPrimaryTokenPrivilege (pid 1792, msiexec.exe)
- Token: SeLockMemoryPrivilege (pid 1792, msiexec.exe)
- Token: SeIncreaseQuotaPrivilege (pid 1792, msiexec.exe)
- Token: SeMachineAccountPrivilege (pid 1792, msiexec.exe)
- Token: SeTcbPrivilege (pid 1792, msiexec.exe)
- Token: SeSecurityPrivilege (pid 1792, msiexec.exe)
- Token: SeTakeOwnershipPrivilege (pid 1792, msiexec.exe)
- Token: SeLoadDriverPrivilege (pid 1792, msiexec.exe)
- Token: SeSystemProfilePrivilege (pid 1792, msiexec.exe)
- Token: SeSystemtimePrivilege (pid 1792, msiexec.exe)
- Token: SeProfSingleProcessPrivilege (pid 1792, msiexec.exe)
- Token: SeIncBasePriorityPrivilege (pid 1792, msiexec.exe)
- Token: SeCreatePagefilePrivilege (pid 1792, msiexec.exe)
- Token: SeCreatePermanentPrivilege (pid 1792, msiexec.exe)
- Token: SeBackupPrivilege (pid 1792, msiexec.exe)
- Token: SeRestorePrivilege (pid 1792, msiexec.exe)
- Token: SeShutdownPrivilege (pid 1792, msiexec.exe)
- Token: SeDebugPrivilege (pid 1792, msiexec.exe)
- Token: SeAuditPrivilege (pid 1792, msiexec.exe)
- Token: SeSystemEnvironmentPrivilege (pid 1792, msiexec.exe)
- Token: SeChangeNotifyPrivilege (pid 1792, msiexec.exe)
- Token: SeRemoteShutdownPrivilege (pid 1792, msiexec.exe)
- Token: SeUndockPrivilege (pid 1792, msiexec.exe)
- Token: SeSyncAgentPrivilege (pid 1792, msiexec.exe)
- Token: SeEnableDelegationPrivilege (pid 1792, msiexec.exe)
- Token: SeManageVolumePrivilege (pid 1792, msiexec.exe)
- Token: SeImpersonatePrivilege (pid 1792, msiexec.exe)
- Token: SeCreateGlobalPrivilege (pid 1792, msiexec.exe)
Suspicious use of FindShellTrayWindow (1 IoC)
- pid 1792, msiexec.exe
Suspicious use of WriteProcessMemory (3 IoCs)
- PID 4364 (student.exe) wrote to memory of 1792 (procid_target 84)
- PID 4364 (student.exe) wrote to memory of 1792 (procid_target 84)
- PID 4364 (student.exe) wrote to memory of 1792 (procid_target 84)
Processes
- C:\Users\Admin\AppData\Local\Temp\student.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\student.exe"
  PID: 4364
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\msiexec.exe (child of 4364)
    Command line: msiexec.exe /i c:\windows\temp\Student.msi TRANSFORMS=":zh-cn.mst" SCREENDRIVER=1 RUNBYSERVICE=1
    PID: 1792
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 3672
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 16.0MB
- MD5: bd2bf4af2aaecee2917a3e55353a90fb
- SHA1: 9c819f5db18bcdf767391b3b8e2fd490c4e3435d
- SHA256: 87880be8b0bda7a682535769f910fa90e3c7e62cbc49d366e2987d16fec51d16
- SHA512: 0d780523e4ff7d17a9d94577ad47d3ed248692d09a3cf603f2acae281b46f2864479d741327bff2109aa327ebcb22fb601e972d82a05dca130bacc1427117692