Analysis
max time kernel: 148s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21/09/2024, 15:59
Behavioral task
behavioral1
Sample: HSgsFS8.scr
Resource: win7-20240704-en
5 signatures
150 seconds
General
Target: HSgsFS8.scr
Size: 154KB
MD5: 99e18204e672c7a0935c212ed5acc0c9
SHA1: 5672c6f3a599d93fb0ac3b52e71c25c2fb8ad78c
SHA256: 02695ef8781669fda33c683da4e1bb4c8081c6c4b11c3d1d381becc97b15ab59
SHA512: e44b8f183d299d8bac1f856782bc360f016677cf7510e099569715288c4c2cb7313b19233056981f4252bf99b8a20c4d184e6e922f340437fb34c1bf55b3f66e
SSDEEP: 3072:gLsIxECLfTmcBWY1Q1Kj3YgRIHwiiI4T6dvf72mQAK0DuCEG8tSUT:ggK9x1EKLgdipTyvfXKFG8
Malware Config
Signatures

UPX yara rule matches (memory) 2 IoCs
  resource                                                                     yara_rule
  behavioral2/memory/2280-0-0x0000000000400000-0x0000000000469000-memory.dmp  upx
  behavioral2/memory/2280-2-0x0000000000400000-0x0000000000469000-memory.dmp  upx

System Location Discovery: System Language Discovery  1 TTPs  7 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. Note that cmd.exe and taskkill.exe appear in the list below alongside the sample: reading this key is routine for ordinary Windows processes, so this signature on its own is weak evidence and should be weighed together with the process tree.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  taskkill.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  taskkill.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  HSgsFS8.scr
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  taskkill.exe

Kills process with taskkill  3 IoCs
  pid   Process
  2272  taskkill.exe
  4788  taskkill.exe
  4240  taskkill.exe

Suspicious use of AdjustPrivilegeToken  3 IoCs
  description              pid   Process
  Token: SeDebugPrivilege  4788  taskkill.exe
  Token: SeDebugPrivilege  4240  taskkill.exe
  Token: SeDebugPrivilege  2272  taskkill.exe

Suspicious use of WriteProcessMemory  18 IoCs
(each parent/child pair below is reported three times; 6 distinct pairs, 18 entries)
  description                    pid   Process      procid_target
  PID 2280 wrote to memory of 4736  2280  HSgsFS8.scr  82
  PID 2280 wrote to memory of 3244  2280  HSgsFS8.scr  83
  PID 2280 wrote to memory of 920   2280  HSgsFS8.scr  84
  PID 3244 wrote to memory of 4788  3244  cmd.exe      88
  PID 4736 wrote to memory of 2272  4736  cmd.exe      89
  PID 920 wrote to memory of 4240   920   cmd.exe      90
Processes

C:\Users\Admin\AppData\Local\Temp\HSgsFS8.scr  (depth 1, PID 2280)
  command line: "C:\Users\Admin\AppData\Local\Temp\HSgsFS8.scr" /S
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe  (depth 2, PID 4736)
    command line: cmd /ktaskkill/IM iexplore.exe /F
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\taskkill.exe  (depth 3, PID 2272)
      command line: taskkill /IM iexplore.exe /F
      - System Location Discovery: System Language Discovery
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\cmd.exe  (depth 2, PID 3244)
    command line: cmd /ktaskkill/IM iexplore.exe /F
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\taskkill.exe  (depth 3, PID 4788)
      command line: taskkill /IM iexplore.exe /F
      - System Location Discovery: System Language Discovery
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\cmd.exe  (depth 2, PID 920)
    command line: cmd /ktaskkill/IM firefox.exe /F
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\taskkill.exe  (depth 3, PID 4240)
      command line: taskkill /IM firefox.exe /F
      - System Location Discovery: System Language Discovery
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
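The process tree above is the strongest signal in this report: a screensaver executable launched with /S spawns three cmd.exe children, each of which runs taskkill /F against a browser image (iexplore.exe twice, firefox.exe once), with taskkill enabling SeDebugPrivilege to do so. The following is an added example, not code from the tria.ge report or from Triage: it rebuilds a parent/child tree from process-creation records and flags exactly that pattern. The event records are constructed from the PIDs and command lines listed above, the (pid, ppid, image, cmdline) field layout is an assumption rather than any real telemetry schema, and the browser list deliberately goes beyond the two names on this page (chrome.exe and msedge.exe are added as an assumption) so the rule generalizes.

```python
"""Flag a .scr that drives taskkill /F against browsers via cmd.exe.

Added example; not part of the tria.ge report. The event tuple layout
(pid, ppid, image, cmdline) is an assumed, simplified schema.
"""
import re
from collections import Counter, defaultdict

# Constructed from the report's process list. ppid None marks the tree root
# (the report does not give the .scr's own parent).
EVENTS = [
    (2280, None, r"C:\Users\Admin\AppData\Local\Temp\HSgsFS8.scr",
     r'"C:\Users\Admin\AppData\Local\Temp\HSgsFS8.scr" /S'),
    (4736, 2280, r"C:\Windows\SysWOW64\cmd.exe", "cmd /ktaskkill/IM iexplore.exe /F"),
    (2272, 4736, r"C:\Windows\SysWOW64\taskkill.exe", "taskkill /IM iexplore.exe /F"),
    (3244, 2280, r"C:\Windows\SysWOW64\cmd.exe", "cmd /ktaskkill/IM iexplore.exe /F"),
    (4788, 3244, r"C:\Windows\SysWOW64\taskkill.exe", "taskkill /IM iexplore.exe /F"),
    (920, 2280, r"C:\Windows\SysWOW64\cmd.exe", "cmd /ktaskkill/IM firefox.exe /F"),
    (4240, 920, r"C:\Windows\SysWOW64\taskkill.exe", "taskkill /IM firefox.exe /F"),
]

# iexplore.exe and firefox.exe come from the report; the other two are an
# assumed extension so the rule is not tied to this one sample.
BROWSERS = {"iexplore.exe", "firefox.exe", "chrome.exe", "msedge.exe"}

TASKKILL_IM = re.compile(r"/IM\s+(\S+)", re.IGNORECASE)
# Match a standalone /F switch only (not /FI, which is a filter).
TASKKILL_FORCE = re.compile(r"(?:^|\s)/F(?:\s|$)", re.IGNORECASE)


def build_tree(events):
    """Index events by pid and build a parent -> [children] map."""
    by_pid = {e[0]: e for e in events}
    children = defaultdict(list)
    for pid, ppid, _, _ in events:
        if ppid is not None:
            children[ppid].append(pid)
    return by_pid, children


def descendants(children, pid):
    """Yield every pid below `pid` (depth-first), not just direct children."""
    stack = list(children.get(pid, []))
    while stack:
        cur = stack.pop()
        yield cur
        stack.extend(children.get(cur, []))


def parse_taskkill(cmdline):
    """Return (target_image, forced) for a taskkill /IM command, else None.

    /PID-style invocations return None: this rule only cares about image names.
    """
    m = TASKKILL_IM.search(cmdline)
    if not m:
        return None
    return m.group(1).lower(), bool(TASKKILL_FORCE.search(cmdline))


def find_browser_kills(events):
    """Findings for each forced taskkill of a browser anywhere under a .scr."""
    by_pid, children = build_tree(events)
    findings = []
    for pid, _, image, _ in events:
        if not image.lower().endswith(".scr"):
            continue
        for d in descendants(children, pid):
            _, _, dimage, dcmd = by_pid[d]
            if not dimage.lower().endswith("\\taskkill.exe"):
                continue
            parsed = parse_taskkill(dcmd)
            if parsed and parsed[0] in BROWSERS and parsed[1]:
                findings.append({"scr_pid": pid, "taskkill_pid": d, "target": parsed[0]})
    return findings


def kill_counts(events):
    """How many forced kills were aimed at each browser image."""
    return Counter(f["target"] for f in find_browser_kills(events))


if __name__ == "__main__":
    for f in find_browser_kills(EVENTS):
        print(f"scr {f['scr_pid']} -> taskkill {f['taskkill_pid']} kills {f['target']}")
    print(dict(kill_counts(EVENTS)))
```

Walking all descendants rather than direct children is what makes this catch the sample: the taskkill processes are grandchildren of the .scr, reached through cmd /k, and a rule keyed only on parent image would miss them.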