Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    148s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21/09/2024, 15:59

General

  • Target

    HSgsFS8.scr

  • Size

    154KB

  • MD5

    99e18204e672c7a0935c212ed5acc0c9

  • SHA1

    5672c6f3a599d93fb0ac3b52e71c25c2fb8ad78c

  • SHA256

    02695ef8781669fda33c683da4e1bb4c8081c6c4b11c3d1d381becc97b15ab59

  • SHA512

    e44b8f183d299d8bac1f856782bc360f016677cf7510e099569715288c4c2cb7313b19233056981f4252bf99b8a20c4d184e6e922f340437fb34c1bf55b3f66e

  • SSDEEP

    3072:gLsIxECLfTmcBWY1Q1Kj3YgRIHwiiI4T6dvf72mQAK0DuCEG8tSUT:ggK9x1EKLgdipTyvfXKFG8

Score
7/10

Malware Config

Signatures

  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Kills process with taskkill 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\HSgsFS8.scr
    "C:\Users\Admin\AppData\Local\Temp\HSgsFS8.scr" /S
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2280
    • C:\Windows\SysWOW64\cmd.exe
      cmd /ktaskkill/IM iexplore.exe /F
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4736
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /IM iexplore.exe /F
        3⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2272
    • C:\Windows\SysWOW64\cmd.exe
      cmd /ktaskkill/IM iexplore.exe /F
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3244
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /IM iexplore.exe /F
        3⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4788
    • C:\Windows\SysWOW64\cmd.exe
      cmd /ktaskkill/IM firefox.exe /F
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:920
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /IM firefox.exe /F
        3⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4240

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2280-0-0x0000000000400000-0x0000000000469000-memory.dmp

    Filesize

    420KB

  • memory/2280-1-0x0000000000A70000-0x0000000000A71000-memory.dmp

    Filesize

    4KB

  • memory/2280-2-0x0000000000400000-0x0000000000469000-memory.dmp

    Filesize

    420KB