Analysis
- max time kernel: 143s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20230703-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11/07/2023, 06:41
Static task: static1
Behavioral task: behavioral1
- Sample: e2b266d7117d94exeexeexeex.exe
- Resource: win7-20230703-en
Behavioral task: behavioral2
- Sample: e2b266d7117d94exeexeexeex.exe
- Resource: win10v2004-20230703-en
General
- Target: e2b266d7117d94exeexeexeex.exe
- Size: 388KB
- MD5: e2b266d7117d94a743d00394620f9f90
- SHA1: a67ee901cc58b9e0ce45ec72b664607a2d4f3c64
- SHA256: aa3f45eb07f4b549fee444e2b78418a4b6f3bfa5ecdcbac79f42ef0143fb32c8
- SHA512: c9f1e9d3a790604b2a67c07e444e5433602eaafdd85942e8c747a99ebeec660497c2abab3eb0292c6f05154fbb7b7bcb96c031b8323547e87719aabfdea61b96
- SSDEEP: 12288:zplrVbDdQaqdS/ofraFErH8uB2Wm0SXsNr5FU:1xRQ+Fucuvm0as
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid | Process
  4368 | thatcomes.exe
- Drops file in Program Files directory (1 IoC)
  description | ioc | Process
  File created | C:\Program Files\library\thatcomes.exe | e2b266d7117d94exeexeexeex.exe
- Suspicious use of SetWindowsHookEx (8 IoCs)
  pid | Process
  4924 | e2b266d7117d94exeexeexeex.exe
  4924 | e2b266d7117d94exeexeexeex.exe
  4924 | e2b266d7117d94exeexeexeex.exe
  4924 | e2b266d7117d94exeexeexeex.exe
  4368 | thatcomes.exe
  4368 | thatcomes.exe
  4368 | thatcomes.exe
  4368 | thatcomes.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | Process | procid_target
  PID 4924 wrote to memory of 4368 | 4924 | e2b266d7117d94exeexeexeex.exe | 85
  PID 4924 wrote to memory of 4368 | 4924 | e2b266d7117d94exeexeexeex.exe | 85
  PID 4924 wrote to memory of 4368 | 4924 | e2b266d7117d94exeexeexeex.exe | 85
Processes
- "C:\Users\Admin\AppData\Local\Temp\e2b266d7117d94exeexeexeex.exe" (PID: 4924)
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - Child: "C:\Program Files\library\thatcomes.exe" "33201" (PID: 4368)
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 388KB
  MD5: 033101a3d87c27ba531e9146308e362d
  SHA1: e2c837ca3f73d9b3b012cc7e6b093bf74bf299c1
  SHA256: af4d81db8b2336bc821454b179a4f8e1e85fb470f0ab596b7e7ce8688fd9d2df
  SHA512: 079f64fc8f6294b399e8598c75c701f58aa4540f8c43f5b2bcbfe57ae3345157d6138b67dd6c4f67423574c6abe5bbf9852a6a237204d00f9508ac0462348863