Analysis
max time kernel: 85s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20230221-en
resource tags: arch:x64 arch:x86 image:win10v2004-20230221-en locale:en-us os:windows10-2004-x64 system
submitted: 08/05/2023, 19:42
Static task: static1
Behavioral task: behavioral1
  Sample: 461180b3ab1aded7ac33480bd5cf687a148d916be9a40f13110c43644db9471b.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: 461180b3ab1aded7ac33480bd5cf687a148d916be9a40f13110c43644db9471b.exe
  Resource: win10v2004-20230221-en (the platform and resource fields above show that the signatures and process tree on this page come from this run)
General
Target: 461180b3ab1aded7ac33480bd5cf687a148d916be9a40f13110c43644db9471b.exe
Size: 2.7MB
MD5: d2e01a09a292bd4069ad14942a628bf2
SHA1: e32b7249f9e20e7305882bd6221aac0dee7a60c5
SHA256: 461180b3ab1aded7ac33480bd5cf687a148d916be9a40f13110c43644db9471b
SHA512: c82b447ef5e5ea6f10188bd082cfae1674e4bb9c17218914b57673eddf042d643d5423a705d0318464a894252cab4f2cf4733660f1800cee00bb8bbcb084c66d
SSDEEP: 49152:GRqJZYhFD5YhRkELN3T05OTgR97YF+ed:GRqJZY7aRkELNA5
Malware Config
Signatures

Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  25    ipinfo.io
  26    ipinfo.io
ipinfo.io is a legitimate service, so the domain alone is a poor blocklist entry; the useful indicator is a freshly dropped binary in a user's Temp directory resolving it.

Suspicious use of SetWindowsHookEx (1 IoC)
  pid   process
  3644  461180b3ab1aded7ac33480bd5cf687a148d916be9a40f13110c43644db9471b.exe
The signature records only that the API was called, not the hook type; SetWindowsHookEx is how user-mode keyloggers capture input, but GUI frameworks also install hooks legitimately.

Suspicious use of WriteProcessMemory (6 IoCs)
  description                          pid   process                                                                   procid_target
  PID 3644 wrote to memory of 1392     3644  461180b3ab1aded7ac33480bd5cf687a148d916be9a40f13110c43644db9471b.exe     86
  PID 3644 wrote to memory of 1392     3644  461180b3ab1aded7ac33480bd5cf687a148d916be9a40f13110c43644db9471b.exe     86
  PID 3644 wrote to memory of 1392     3644  461180b3ab1aded7ac33480bd5cf687a148d916be9a40f13110c43644db9471b.exe     86
  PID 1392 wrote to memory of 3160     1392  cmd.exe                                                                   90
  PID 1392 wrote to memory of 3160     1392  cmd.exe                                                                   90
  PID 1392 wrote to memory of 3160     1392  cmd.exe                                                                   90
Every entry is a parent writing into a child it has just created (3644 into 1392, 1392 into 3160), which is what ordinary process creation looks like; this signature corroborates the process tree below rather than indicating injection into an unrelated process.
Processes
C:\Users\Admin\AppData\Local\Temp\461180b3ab1aded7ac33480bd5cf687a148d916be9a40f13110c43644db9471b.exe (PID 3644)
  command line: "C:\Users\Admin\AppData\Local\Temp\461180b3ab1aded7ac33480bd5cf687a148d916be9a40f13110c43644db9471b.exe"
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  +-- C:\Windows\SysWOW64\cmd.exe (PID 1392)
      command line: C:\Windows\system32\cmd.exe /c tzutil /g
      - Suspicious use of WriteProcessMemory
      +-- C:\Windows\SysWOW64\tzutil.exe (PID 3160)
          command line: tzutil /g

tzutil /g prints the ID of the current time zone; together with the ipinfo.io lookup above this is host profiling (where the victim is), a common step before a sample decides whether and how to proceed. The cmd.exe and tzutil.exe images resolve under C:\Windows\SysWOW64 although the command line names system32: the sample is a 32-bit process running under WOW64 on the x64 VM, so file system redirection maps its system32 reference to SysWOW64, consistent with the arch:x86 resource tag.
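As an added example (not part of the tria.ge report or of any tool it uses), the detection logic a SOC could run over endpoint process-creation and DNS telemetry to catch the pattern recorded above: a binary in a user's Temp directory whose descendants run tzutil /g, escalated when the same lineage resolves an external-IP lookup service. The events are constructed for the example and mirror the report's PIDs; the field names follow Sysmon event 1 and event 22 loosely, and the IP_LOOKUP_HOSTS set is an assumption to extend as needed. tzutil /g typed by an administrator from an interactive shell is included as noise and must not fire.

```python
"""Flag Temp-resident binaries that profile the host (tzutil /g + external-IP lookup)."""
import re
from dataclasses import dataclass, field

# Constructed sample telemetry (not sandbox output). id 1 = process create, id 22 = DNS query.
EVENTS = [
    {"id": 1, "pid": 3644, "ppid": 1200,
     "image": r"C:\Users\Admin\AppData\Local\Temp\461180b3ab1aded7ac33480bd5cf687a148d916be9a40f13110c43644db9471b.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\461180b3ab1aded7ac33480bd5cf687a148d916be9a40f13110c43644db9471b.exe"'},
    {"id": 1, "pid": 1392, "ppid": 3644, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"C:\Windows\system32\cmd.exe /c tzutil /g"},
    {"id": 1, "pid": 3160, "ppid": 1392, "image": r"C:\Windows\SysWOW64\tzutil.exe",
     "cmdline": "tzutil /g"},
    {"id": 22, "pid": 3644, "query": "ipinfo.io"},
    # Benign noise: an admin runs tzutil from an interactive cmd.exe. Must not fire.
    {"id": 1, "pid": 4100, "ppid": 800, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
    {"id": 1, "pid": 4120, "ppid": 4100, "image": r"C:\Windows\System32\tzutil.exe", "cmdline": "tzutil /g"},
]

# Assumption: a short list of well-known external-IP services; extend for your environment.
IP_LOOKUP_HOSTS = {"ipinfo.io", "api.ipify.org", "icanhazip.com", "ifconfig.me"}
USER_TEMP = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str
    dns: set = field(default_factory=set)


def build_tree(events):
    """Index processes by PID and attach each DNS query to the process that issued it."""
    procs = {e["pid"]: Proc(e["pid"], e["ppid"], e["image"], e["cmdline"])
             for e in events if e["id"] == 1}
    for e in events:
        if e["id"] == 22 and e["pid"] in procs:
            procs[e["pid"]].dns.add(e["query"].lower())
    return procs


def ancestors(procs, pid):
    """Yield the process itself, then each known ancestor (root-most last); guards against PID loops."""
    seen = set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        yield procs[pid]
        pid = procs[pid].ppid


def is_tz_query(p):
    """True for tzutil.exe invoked with /g (print current time zone ID)."""
    return p.image.lower().endswith("\\tzutil.exe") and re.search(r"\s/g\b", p.cmdline, re.I) is not None


def find_profiling_chains(events):
    """Return one finding per Temp-resident ancestor whose descendants ran tzutil /g."""
    procs = build_tree(events)
    findings = {}
    for p in procs.values():
        if not is_tz_query(p):
            continue
        chain = list(ancestors(procs, p.pid))                    # tzutil first, root-most last
        idx = next((i for i, a in enumerate(chain) if USER_TEMP.match(a.image)), None)
        if idx is None:
            continue                                             # no Temp-resident ancestor: interactive use
        lineage = chain[:idx + 1]                                # tzutil .. Temp-resident ancestor
        root = lineage[-1]
        lookups = sorted({h for a in lineage for h in a.dns if h in IP_LOOKUP_HOSTS})
        findings.setdefault(root.pid, {
            "root_pid": root.pid,
            "root_image": root.image,
            "chain": [a.pid for a in reversed(lineage)],         # root .. tzutil, as in the report
            "ip_lookup": lookups,
            "severity": "high" if lookups else "medium",         # profiling plus IP lookup is the stronger signal
        })
    return list(findings.values())


if __name__ == "__main__":
    for f in find_profiling_chains(EVENTS):
        print(f"[{f['severity']}] root PID {f['root_pid']} chain {f['chain']} ip_lookup={f['ip_lookup']}")
```

The rule keys on lineage rather than on the tzutil command alone: the same command from an interactive shell (PIDs 4100 and 4120 above) has no Temp-resident ancestor and is ignored, while the DNS evidence is attributed to the whole chain because the lookup is made by the dropper (PID 3644), not by the process that ran tzutil.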