Analysis
max time kernel
135s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags
arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted
01/10/2022, 20:07 UTC
Static task
static1
Behavioral task
behavioral1
Sample
7131ebcd1f440662a98eeafa5265ac19ba853d3159094223be16139464f67ddd.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
7131ebcd1f440662a98eeafa5265ac19ba853d3159094223be16139464f67ddd.exe
Resource
win10v2004-20220812-en
General
Target
7131ebcd1f440662a98eeafa5265ac19ba853d3159094223be16139464f67ddd.exe
Size
61KB
MD5
012617c73eadb4a6f4b8accc6e8e2e30
SHA1
416d74ce749cba2e58d4e4eea10e0ed496683039
SHA256
7131ebcd1f440662a98eeafa5265ac19ba853d3159094223be16139464f67ddd
SHA512
d64b2bc0ec00b758f69473709b1431dcfa98713017f5ee45edfa5c6d6be858402c1104e661db91731830b639c062b22bd9eb76ae4e0dcce7561347ad6fcd8528
SSDEEP
1536:LPk2JFBYdLxq1KiULHN103ksGIHG9kNo:7kLmULHfOW
Malware Config
Signatures
Executes dropped EXE (1 IoC)
pid    process
4492   $TMP!10@.COM
Suspicious use of WriteProcessMemory (6 IoCs)
description                         pid    process                                                                 procid_target
PID 4204 wrote to memory of 4668    4204   7131ebcd1f440662a98eeafa5265ac19ba853d3159094223be16139464f67ddd.exe   82
PID 4204 wrote to memory of 4668    4204   7131ebcd1f440662a98eeafa5265ac19ba853d3159094223be16139464f67ddd.exe   82
PID 4204 wrote to memory of 4668    4204   7131ebcd1f440662a98eeafa5265ac19ba853d3159094223be16139464f67ddd.exe   82
PID 4668 wrote to memory of 4492    4668   cmd.exe                                                                 83
PID 4668 wrote to memory of 4492    4668   cmd.exe                                                                 83
PID 4668 wrote to memory of 4492    4668   cmd.exe                                                                 83
Processes
1. C:\Users\Admin\AppData\Local\Temp\7131ebcd1f440662a98eeafa5265ac19ba853d3159094223be16139464f67ddd.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\7131ebcd1f440662a98eeafa5265ac19ba853d3159094223be16139464f67ddd.exe"
   PID 4204; Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c $TMP!10@.COM
      PID 4668; Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\$TMP!10@.COM
         command line: $TMP!10@.COM
         PID 4492; Executes dropped EXE
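The tree above is a plain drop-and-run chain: a file named $TMP!10@.COM appears in the same %TEMP% folder as the sample during the run and is started through cmd.exe /c, and the "Downloads" entry for it has the same 61KB size as the sample but different hashes, so it is not a byte-for-byte copy. Note that the image path is C:\Windows\SysWOW64\cmd.exe although the command line names system32\cmd.exe; that is WOW64 file-system redirection for a 32-bit process on the x64 host (the run is tagged arch:x86), so detection logic should match on the image path, not the command line. The Python below is an added example, not part of the tria.ge report, that turns the two flagged behaviours into detections over constructed Sysmon-style events. The PIDs, image paths and command lines follow the report; the FileCreate event (the report does not show which process wrote the file), the root parent PID 1000 and the event layout itself are assumptions.

```python
"""Detections for the 'Executes dropped EXE' and 'cmd.exe /c <Temp file>' patterns
seen in the process tree, run over constructed process/file-creation telemetry."""
from dataclasses import dataclass
from typing import Dict, List, Tuple, Union

SAMPLE = "7131ebcd1f440662a98eeafa5265ac19ba853d3159094223be16139464f67ddd.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
DROPPED = TEMP + r"\$TMP!10@.COM"


@dataclass(frozen=True)
class ProcessCreate:
    pid: int
    ppid: int
    image: str      # resolved image path (after WOW64 redirection)
    cmdline: str    # command line as the parent passed it


@dataclass(frozen=True)
class FileCreate:
    pid: int        # process that wrote the file
    path: str


Event = Union[ProcessCreate, FileCreate]

# Constructed telemetry (not from the report). The FileCreate by PID 4204 and the
# root parent PID 1000 are assumptions; everything else mirrors the process tree.
EVENTS: List[Event] = [
    ProcessCreate(4204, 1000, TEMP + "\\" + SAMPLE, '"' + TEMP + "\\" + SAMPLE + '"'),
    FileCreate(4204, DROPPED),
    ProcessCreate(4668, 4204, r"C:\Windows\SysWOW64\cmd.exe",
                  r"C:\Windows\system32\cmd.exe /c $TMP!10@.COM"),
    ProcessCreate(4492, 4668, DROPPED, "$TMP!10@.COM"),
]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def ancestors(pid: int, procs: Dict[int, ProcessCreate]) -> List[int]:
    """PIDs of every known ancestor of `pid`, nearest first. Stops at the first
    parent with no ProcessCreate event (e.g. explorer.exe started before logging)."""
    out: List[int] = []
    seen = set()
    cur = procs.get(pid)
    while cur is not None and cur.ppid in procs and cur.ppid not in seen:
        seen.add(cur.ppid)
        out.append(cur.ppid)
        cur = procs[cur.ppid]
    return out


def executes_dropped_exe(events: List[Event]) -> List[Tuple[int, int, str]]:
    """'Executes dropped EXE': a new process whose image path was written earlier
    by a process in its own ancestry. Returns (executing pid, writer pid, path)."""
    written: Dict[str, int] = {}            # lower-cased path -> last writer pid
    procs: Dict[int, ProcessCreate] = {}
    hits: List[Tuple[int, int, str]] = []
    for ev in events:                       # events must be in time order
        if isinstance(ev, FileCreate):
            written[ev.path.lower()] = ev.pid
            continue
        procs[ev.pid] = ev
        writer = written.get(ev.image.lower())
        if writer is not None and writer in ancestors(ev.pid, procs):
            hits.append((ev.pid, writer, ev.image))
    return hits


def cmd_launch_from_temp(events: List[Event]) -> List[int]:
    """cmd.exe /c used to start a file living under the user's Temp folder.
    Matches on the parent's image path, so SysWOW64 and System32 both count."""
    procs = {ev.pid: ev for ev in events if isinstance(ev, ProcessCreate)}
    hits: List[int] = []
    for p in procs.values():
        parent = procs.get(p.ppid)
        if parent is None:
            continue
        if (parent.image.lower().endswith("\\cmd.exe")
                and " /c " in parent.cmdline.lower()
                and p.image.lower().startswith(TEMP.lower() + "\\")):
            hits.append(p.pid)
    return hits


def chain(pid: int, events: List[Event]) -> str:
    """Render the ancestry as 'image(pid) > image(pid) > ...' for an alert."""
    procs = {ev.pid: ev for ev in events if isinstance(ev, ProcessCreate)}
    order = list(reversed(ancestors(pid, procs))) + [pid]
    return " > ".join(f"{basename(procs[p].image)}({p})" for p in order)


if __name__ == "__main__":
    for pid, writer, path in executes_dropped_exe(EVENTS):
        print(f"Executes dropped EXE: {chain(pid, EVENTS)} (written by PID {writer})")
    for pid in cmd_launch_from_temp(EVENTS):
        print(f"cmd.exe /c started a Temp file: {chain(pid, EVENTS)}")
```

The dropped-EXE rule keys on the file being written by an ancestor of the process that later executes it, which is what separates a drop-and-run chain from an installer-started update or a user double-clicking something in Temp; the second rule is noisier on its own and is best used as a corroborating signal.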
Network
DNS (remote address 8.8.8.8:53)
Request: 97.97.242.52.in-addr.arpa IN PTR
Response: (empty)
Request: f.7.6.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.7.0.0.0.0.3.0.1.3.0.6.2.ip6.arpa IN PTR
Response: (empty)
Flows (the remote-host column was lost in extraction; only the byte and packet-count columns survive)
46 B  40 B  1  1
46 B  40 B  1  1
322 B  7
260 B  5
322 B  7
322 B  7
322 B  7
322 B  7
MITRE ATT&CK Matrix
Downloads
Filesize
61KB
MD5
0fe19bf2398da6449438b5c025ee3b9f
SHA1
fe78c8d7906c43abdfa5fa3ad8f0291a2d599be5
SHA256
795aa9b09d6c577b2e13ef16a787b2eb48b28f277ebd8622a06f1429e36fa814
SHA512
caf7c0f4fb5c082c49f854aaeaeb0dcd12231a1532427ea926db5bec9689fa24795de7d859e7ad5f64e781cd38622d7cf33449e6f1887f595443d5d733ab22bc