Analysis
max time kernel: 141s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22/12/2023, 02:53
Behavioral task behavioral1
Sample: 56ee3ebf7adc4de6393bcbc27ae235e9.exe
Resource: win7-20231129-en

Behavioral task behavioral2
Sample: 56ee3ebf7adc4de6393bcbc27ae235e9.exe
Resource: win10v2004-20231215-en
General
Target: 56ee3ebf7adc4de6393bcbc27ae235e9.exe
Size: 2.4MB
MD5: 56ee3ebf7adc4de6393bcbc27ae235e9
SHA1: da74cd6437d4cf62d4244df8516b3d5fa6b69bf8
SHA256: da4d05334c6e7cc8ef2251d0dc9ab45f0d8174a32a46c8fae20615cf7dd43a8d
SHA512: d895a0e99d50621c9ffd187e66b4aa59a8f06f4277fc5e14ec0ae731cd13760a8fb128dfe59f3d36fd93aaf68573b2ed0da4b2e34a0e4e070036e7d81260b33e
SSDEEP: 49152:Ezb1pENOTfnkmvx3pDKIzWik7JsbRPP4M338dB2IBlGuuDVUsdxxjr:4E0bJ9Kak7qbRPgg3gnl/IVUs1jr
Malware Config
Signatures

- Deletes itself (1 IoCs)
  pid | Process
  4340 | 56ee3ebf7adc4de6393bcbc27ae235e9.exe

- Executes dropped EXE (1 IoCs)
  pid | Process
  4340 | 56ee3ebf7adc4de6393bcbc27ae235e9.exe

- resource | yara_rule
  behavioral2/memory/1652-0-0x0000000000400000-0x00000000008EF000-memory.dmp | upx
  behavioral2/files/0x000600000002324b-11.dat | upx
  behavioral2/memory/4340-13-0x0000000000400000-0x00000000008EF000-memory.dmp | upx

- Suspicious behavior: RenamesItself (1 IoCs)
  pid | Process
  1652 | 56ee3ebf7adc4de6393bcbc27ae235e9.exe

- Suspicious use of UnmapMainImage (2 IoCs)
  pid | Process
  1652 | 56ee3ebf7adc4de6393bcbc27ae235e9.exe
  4340 | 56ee3ebf7adc4de6393bcbc27ae235e9.exe

- Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | Process | procid_target
  PID 1652 wrote to memory of 4340 | 1652 | 56ee3ebf7adc4de6393bcbc27ae235e9.exe | 90
  PID 1652 wrote to memory of 4340 | 1652 | 56ee3ebf7adc4de6393bcbc27ae235e9.exe | 90
  PID 1652 wrote to memory of 4340 | 1652 | 56ee3ebf7adc4de6393bcbc27ae235e9.exe | 90
Processes

1. C:\Users\Admin\AppData\Local\Temp\56ee3ebf7adc4de6393bcbc27ae235e9.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\56ee3ebf7adc4de6393bcbc27ae235e9.exe"
   PID: 1652
   - Suspicious behavior: RenamesItself
   - Suspicious use of UnmapMainImage
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\56ee3ebf7adc4de6393bcbc27ae235e9.exe (child of PID 1652)
      Command line: C:\Users\Admin\AppData\Local\Temp\56ee3ebf7adc4de6393bcbc27ae235e9.exe
      PID: 4340
      - Deletes itself
      - Executes dropped EXE
      - Suspicious use of UnmapMainImage
Network
MITRE ATT&CK Matrix
Downloads

Filesize: 2.4MB
MD5: 794ee847a26f6cd95e3c62050a31b586
SHA1: c327d4bf73e151df59a17b54b7c7b949c298ad9c
SHA256: 163187237b9a68487ba0b5ef2c1147b4345eff22cd6b867e0c7b9cff9a3b58fb
SHA512: 5b8852e4463b7e97f7bad39c8d036fe7ab774c719b147f5dc11e1a2da498ff869a3a51bb74eb71f92ed630d342dfe12120380cd50c758c305a78ad0d3f7b37cc