Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
96s -
max time network
145s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
03/01/2025, 18:37
Behavioral task
behavioral1
Sample
HacKed.facebooekexe.scr
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
HacKed.facebooekexe.scr
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
HacKed.facebookexe.scr
Resource
win7-20241010-en
Behavioral task
behavioral4
Sample
HacKed.facebookexe.scr
Resource
win10v2004-20241007-en
General
-
Target
HacKed.facebooekexe.scr
-
Size
235KB
-
MD5
b09e2e1281495fa1ee6d1dcdb12c3218
-
SHA1
71855f7712a915afc5e0c9823db288c936186323
-
SHA256
8786009a7fdfc83d7585aae40754a3d5c8230ccb33943e92e964dac02bf330ca
-
SHA512
fef2bcf896960056c5237f0513d91294706eb113497fe83fd4b03d2a5c47d57b012c905cecb5bfe0bf56c02d7af25e83f29b4d37d44e8c4c3dda6819d8127d9b
-
SSDEEP
6144:m+S79QUEtQ3B5A6Ci3joVGCRiBUkgCNN+uwwL:EZApxBRu1gCCud
Malware Config
Signatures
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 dw20.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz dw20.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString dw20.exe -
Enumerates system info in registry 2 TTPs 2 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS dw20.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU dw20.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeBackupPrivilege 2100 dw20.exe -
Suspicious use of WriteProcessMemory 2 IoCs
description pid Process procid_target PID 2488 wrote to memory of 2100 2488 HacKed.facebooekexe.scr 82 PID 2488 wrote to memory of 2100 2488 HacKed.facebooekexe.scr 82
Processes
-
C:\Users\Admin\AppData\Local\Temp\HacKed.facebooekexe.scr"C:\Users\Admin\AppData\Local\Temp\HacKed.facebooekexe.scr" /S1⤵
- Suspicious use of WriteProcessMemory
PID:2488 -
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exedw20.exe -x -s 7522⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:2100
-