Analysis
- max time kernel: 141s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20230915-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10/10/2023, 22:24
Static task: static1

Behavioral task: behavioral1
- Sample: e3277d8b1a93642890921c19cd74479fb1d165ba917d87fcf48f062705c2e9a8.exe
- Resource: win7-20230831-en

Behavioral task: behavioral2
- Sample: e3277d8b1a93642890921c19cd74479fb1d165ba917d87fcf48f062705c2e9a8.exe
- Resource: win10v2004-20230915-en
General
- Target: e3277d8b1a93642890921c19cd74479fb1d165ba917d87fcf48f062705c2e9a8.exe
- Size: 2.2MB
- MD5: 3135d14f9bbfd3e88aa95af4c5b32b7b
- SHA1: 9c90bde8bc99cad62838ed2505e3988e0132baa3
- SHA256: e3277d8b1a93642890921c19cd74479fb1d165ba917d87fcf48f062705c2e9a8
- SHA512: 3d119f5d7709e6a3ea7963b429ec24da9d44a2fd9e57c997ecec093423d270cd358391fc800092b63ff8d187c26d54dab92aeeeb3feaa6302dbbdf3f9f2ceb17
- SSDEEP: 49152:UJGiBYymwlLKEbatSN/FBMjg24BDj2jhA9DQ65nR5d:UIiBYyRwtSpkCj2jhApH5d
Malware Config
Signatures
- Loads dropped DLL (2 IoCs)
  pid   Process
  636   rundll32.exe
  1036  rundll32.exe

- Suspicious use of WriteProcessMemory (14 IoCs)
  description                          pid   Process                                                                   procid_target
  PID 4480 wrote to memory of 2200     4480  e3277d8b1a93642890921c19cd74479fb1d165ba917d87fcf48f062705c2e9a8.exe     85
  PID 4480 wrote to memory of 2200     4480  e3277d8b1a93642890921c19cd74479fb1d165ba917d87fcf48f062705c2e9a8.exe     85
  PID 4480 wrote to memory of 2200     4480  e3277d8b1a93642890921c19cd74479fb1d165ba917d87fcf48f062705c2e9a8.exe     85
  PID 2200 wrote to memory of 4180     2200  cmd.exe                                                                   88
  PID 2200 wrote to memory of 4180     2200  cmd.exe                                                                   88
  PID 2200 wrote to memory of 4180     2200  cmd.exe                                                                   88
  PID 4180 wrote to memory of 636      4180  control.exe                                                               89
  PID 4180 wrote to memory of 636      4180  control.exe                                                               89
  PID 4180 wrote to memory of 636      4180  control.exe                                                               89
  PID 636 wrote to memory of 4740      636   rundll32.exe                                                              90
  PID 636 wrote to memory of 4740      636   rundll32.exe                                                              90
  PID 4740 wrote to memory of 1036     4740  RunDll32.exe                                                              91
  PID 4740 wrote to memory of 1036     4740  RunDll32.exe                                                              91
  PID 4740 wrote to memory of 1036     4740  RunDll32.exe                                                              91
Processes (process tree, indented by depth)
- C:\Users\Admin\AppData\Local\Temp\e3277d8b1a93642890921c19cd74479fb1d165ba917d87fcf48f062705c2e9a8.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e3277d8b1a93642890921c19cd74479fb1d165ba917d87fcf48f062705c2e9a8.exe"
  PID: 4480
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c .\UWhcMJp.CMd
    PID: 2200
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\control.exe
      Command line: ConTRoL.EXE "C:\Users\Admin\AppData\Local\Temp\7zS0814C247\Qg568.4~"
      PID: 4180
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\rundll32.exe
        Command line: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\7zS0814C247\Qg568.4~"
        PID: 636
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        - C:\Windows\system32\RunDll32.exe
          Command line: C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\7zS0814C247\Qg568.4~"
          PID: 4740
          - Suspicious use of WriteProcessMemory
          - C:\Windows\SysWOW64\rundll32.exe
            Command line: "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\7zS0814C247\Qg568.4~"
            PID: 1036
            - Loads dropped DLL
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 2.3MB
  MD5: 89321d8101d3e35f525c0e7aaa7f6eea
  SHA1: 2810f06c99cc8f17bc397bceae36eb61dc201243
  SHA256: e0a7a72da3e9dba38742f81779b5cbdd5e080dee616d30f97cbd0a840ac204c7
  SHA512: d69020664a4e5a5b80ec8cd41f1f423ec030a3f55d89d6cbd1d18bc92f7aa18959a904918b32d01c5e1b9a2c709f843842a550f025ec89b9cb4bd0a4c2e76277
- Filesize: 2.3MB
  MD5: 89321d8101d3e35f525c0e7aaa7f6eea
  SHA1: 2810f06c99cc8f17bc397bceae36eb61dc201243
  SHA256: e0a7a72da3e9dba38742f81779b5cbdd5e080dee616d30f97cbd0a840ac204c7
  SHA512: d69020664a4e5a5b80ec8cd41f1f423ec030a3f55d89d6cbd1d18bc92f7aa18959a904918b32d01c5e1b9a2c709f843842a550f025ec89b9cb4bd0a4c2e76277
- Filesize: 2.3MB
  MD5: 89321d8101d3e35f525c0e7aaa7f6eea
  SHA1: 2810f06c99cc8f17bc397bceae36eb61dc201243
  SHA256: e0a7a72da3e9dba38742f81779b5cbdd5e080dee616d30f97cbd0a840ac204c7
  SHA512: d69020664a4e5a5b80ec8cd41f1f423ec030a3f55d89d6cbd1d18bc92f7aa18959a904918b32d01c5e1b9a2c709f843842a550f025ec89b9cb4bd0a4c2e76277
- Filesize: 30B
  MD5: f9676e2c3e356c8efce1fd7861d04e8b
  SHA1: 306dbbd42bcf66a604cb3c8e339ea70e8cfe85bb
  SHA256: cd2ed964702f02e1a7b9538fc5ad99b6a1ad667f62b2f4a8169d6f19a1bc24ab
  SHA512: f2d1860deddb6e208635072b1ca028003204250aae488c59844f6823e3998a87513058cad9c4cddbfdacbd987700031ed7e0554ec2b26391204c5be61752aa93