Analysis
- max time kernel: 288s
- max time network: 304s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01/12/2022, 06:10
- Static task: static1
- Behavioral task: behavioral1
  Sample: 0be0502ab5b10f04a669b3f58f3f9cf468306102521201802ac2ffbfe4b55abb.exe
  Resource: win7-20220901-en
- Behavioral task: behavioral2
  Sample: 0be0502ab5b10f04a669b3f58f3f9cf468306102521201802ac2ffbfe4b55abb.exe
  Resource: win10v2004-20221111-en
General
- Target: 0be0502ab5b10f04a669b3f58f3f9cf468306102521201802ac2ffbfe4b55abb.exe
- Size: 4.5MB
- MD5: 0e64e281c8c4c6811872efd5f6eee68a
- SHA1: 9e710d40a0e189cb1817278ee29a76e37183b13d
- SHA256: 0be0502ab5b10f04a669b3f58f3f9cf468306102521201802ac2ffbfe4b55abb
- SHA512: 8d27b4be65cef5dca80cfc6cf17b334efc7d930488f3385d8c12d40fa87a51644819b36b8af80deea08c634cc22c7d672300b135abae6aeda70f06abece192fc
- SSDEEP: 98304:YjX2TR/+9g+1wLgJf6PD3Nmn7AJEgLYXMKUCCCNYzQEr0WO0Yk84p1bFmL1OVYIl:V1+vJiPD3Nm7AJEgLYX8CNYzQEr0WO0Z
Malware Config
Signatures
- Drops file in Drivers directory (1 IoC)
  File opened for modification: C:\Windows\SysWOW64\drivers\CXVYYOKJ\hosts, by process 0be0502abXFER.exe
- Executes dropped EXE (1 IoC)
  PID 2104: 0be0502abXFER.exe
- Gathers network information (2 TTPs, 1 IoC)
  Uses commandline utility to view network configuration.
  PID 4936: ipconfig.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 2104: 0be0502abXFER.exe
  PID 2104: 0be0502abXFER.exe
- Suspicious use of FindShellTrayWindow (1 IoC)
  PID 2104: 0be0502abXFER.exe
- Suspicious use of WriteProcessMemory (9 IoCs; columns: description, pid, process, procid_target)
  PID 4500 wrote to memory of 2104; 4500; 0be0502ab5b10f04a669b3f58f3f9cf468306102521201802ac2ffbfe4b55abb.exe; 80
  PID 4500 wrote to memory of 2104; 4500; 0be0502ab5b10f04a669b3f58f3f9cf468306102521201802ac2ffbfe4b55abb.exe; 80
  PID 4500 wrote to memory of 2104; 4500; 0be0502ab5b10f04a669b3f58f3f9cf468306102521201802ac2ffbfe4b55abb.exe; 80
  PID 2104 wrote to memory of 2288; 2104; 0be0502abXFER.exe; 81
  PID 2104 wrote to memory of 2288; 2104; 0be0502abXFER.exe; 81
  PID 2104 wrote to memory of 2288; 2104; 0be0502abXFER.exe; 81
  PID 2288 wrote to memory of 4936; 2288; cmd.exe; 85
  PID 2288 wrote to memory of 4936; 2288; cmd.exe; 85
  PID 2288 wrote to memory of 4936; 2288; cmd.exe; 85
Processes
- C:\Users\Admin\AppData\Local\Temp\0be0502ab5b10f04a669b3f58f3f9cf468306102521201802ac2ffbfe4b55abb.exe (PID 4500)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0be0502ab5b10f04a669b3f58f3f9cf468306102521201802ac2ffbfe4b55abb.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\0be0502abXFER.exe (PID 2104)
    Command line: -yue
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 2288)
      Command line: cmd /c ipconfig /flushdns
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\ipconfig.exe (PID 4936)
        Command line: ipconfig /flushdns
        - Gathers network information
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 4.5MB
  MD5: 363dce13443ee8f1d235e6950ab608f6
  SHA1: 53f2cb1eafa7741e8b05d6f48bd7d86b2b0baebe
  SHA256: 7e80f58a8d6a5332efcd7a3f38ba6cafd8117ab9964cb98e585d5d3163f1f3bd
  SHA512: 39e7fcfee375b209d7729c97fffd540c60960ae54ff076ee00f6711d6ead347e7aa96cadd0182649a6772f0fdb31f37b74e7580187833c37b84dbce9a6672ca3