Analysis
max time kernel: 149s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22/12/2023, 13:19
Behavioral task: behavioral1
Sample: 9ee4059d1c9ae9597e4623aa54eac9af.exe
Resource: win7-20231215-en

Behavioral task: behavioral2
Sample: 9ee4059d1c9ae9597e4623aa54eac9af.exe
Resource: win10v2004-20231215-en
General
Target: 9ee4059d1c9ae9597e4623aa54eac9af.exe
Size: 1.3MB
MD5: 9ee4059d1c9ae9597e4623aa54eac9af
SHA1: a6a8f547cfb9c2eaa21651cd90ec17b7b6065c80
SHA256: c6eaebad13292d911cf4aa9b576d4f6d56ee7132ff1d425eae109de557f9152f
SHA512: 71ece6adf20fdb553981a0b5880f3abcfdf8c6a94049eec800a215e543834a95d31082e3dc8f93cc1f387298a02282c7c83f04ce356bf55b63dafc2830179033
SSDEEP: 24576:gQOJ5rL4avAzWXNVCQG4QWaTli9cNSFlIjpjpKj1RjVb2bUj8Kr0vG:2dLR3VFmJidFlQNKBLAo8K
Malware Config
Signatures

Deletes itself (1 IoC)
pid   Process
2964  9ee4059d1c9ae9597e4623aa54eac9af.exe

Executes dropped EXE (1 IoC)
pid   Process
2964  9ee4059d1c9ae9597e4623aa54eac9af.exe

YARA rule matches (2 IoCs)
resource                                                                   yara_rule
behavioral2/memory/564-0-0x0000000000400000-0x000000000086A000-memory.dmp  upx
behavioral2/files/0x0009000000023221-12.dat                                upx

Suspicious behavior: RenamesItself (1 IoC)
pid   Process
564   9ee4059d1c9ae9597e4623aa54eac9af.exe

Suspicious use of UnmapMainImage (2 IoCs)
pid   Process
564   9ee4059d1c9ae9597e4623aa54eac9af.exe
2964  9ee4059d1c9ae9597e4623aa54eac9af.exe

Suspicious use of WriteProcessMemory (3 IoCs)
description                      pid  Process                                procid_target
PID 564 wrote to memory of 2964  564  9ee4059d1c9ae9597e4623aa54eac9af.exe  21
PID 564 wrote to memory of 2964  564  9ee4059d1c9ae9597e4623aa54eac9af.exe  21
PID 564 wrote to memory of 2964  564  9ee4059d1c9ae9597e4623aa54eac9af.exe  21
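Two checks a practitioner runs before trusting or reusing a report like this: confirm the file in hand is the one that was analysed (every digest in General must match), and read the upx YARA hit on the memory dump together with the file size. The dump name above encodes the mapped image range; 0x400000 to 0x86A000 is about 4.4 MB mapped for a 1.3MB file, which is what a packer that reserves the unpacked image size in the PE header produces. The following is an added example, not Triage's code: it assumes the dump name layout `pid-index-0xstart-0xend-memory.dmp` as read off the name above, and treats the reported "1.3MB" as 1.3 MiB, which is an approximation of a rounded value.

```python
import hashlib
import re

# Digests for the submitted sample exactly as the General section lists them.
REPORTED_HASHES = {
    "md5": "9ee4059d1c9ae9597e4623aa54eac9af",
    "sha1": "a6a8f547cfb9c2eaa21651cd90ec17b7b6065c80",
    "sha256": "c6eaebad13292d911cf4aa9b576d4f6d56ee7132ff1d425eae109de557f9152f",
    "sha512": (
        "71ece6adf20fdb553981a0b5880f3abcfdf8c6a94049eec800a215e543834a95"
        "d31082e3dc8f93cc1f387298a02282c7c83f04ce356bf55b63dafc2830179033"
    ),
}

# Dump name copied from the upx YARA hit above. The field layout
# (pid-index-0xstart-0xend-memory.dmp) is an assumption read off that name.
DUMP_NAME = "564-0-0x0000000000400000-0x000000000086A000-memory.dmp"
DUMP_RE = re.compile(
    r"^(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9a-fA-F]+)-0x(?P<end>[0-9a-fA-F]+)-memory\.dmp$"
)

# "1.3MB" from General, taken as 1.3 MiB. Approximation: the report rounds.
APPROX_DISK_SIZE = int(1.3 * 1024 * 1024)


def digest_all(data: bytes) -> dict:
    """Compute the four digests the report publishes for a file's bytes."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in REPORTED_HASHES}


def verify_sample(data: bytes, reported: dict = REPORTED_HASHES) -> dict:
    """Map each algorithm to True/False: does the local file match the report?

    Any False means the file in hand is not the analysed one, so none of the
    behaviour in this report should be attributed to it.
    """
    actual = digest_all(data)
    return {algo: actual[algo] == value.lower() for algo, value in reported.items()}


def parse_dump_name(name: str) -> dict:
    """Split a dump name of the form seen above into pid and mapped range."""
    m = DUMP_RE.match(name)
    if m is None:
        raise ValueError(f"unrecognised dump name: {name!r}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError("dump end address must be above start address")
    return {"pid": int(m["pid"]), "start": start, "end": end, "size": end - start}


def mapped_vs_disk_ratio(dump: dict, disk_size: int = APPROX_DISK_SIZE) -> float:
    """How many times larger the mapped image is than the file on disk.

    UPX and similar packers keep the unpacked SizeOfImage in the PE header, so
    the mapped region is several times the packed file. A ratio well above 1
    is the size-based counterpart of the upx YARA hit on the dump.
    """
    return dump["size"] / disk_size


def looks_packed(dump: dict, disk_size: int = APPROX_DISK_SIZE, threshold: float = 2.0) -> bool:
    """Heuristic: mapped image at least `threshold` times the file on disk."""
    return mapped_vs_disk_ratio(dump, disk_size) >= threshold


if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print("hash check:", verify_sample(fh.read()))
    region = parse_dump_name(DUMP_NAME)
    print(region, f"ratio={mapped_vs_disk_ratio(region):.2f}", "packed?", looks_packed(region))
```

Run it with the sample path as the first argument to get the per-algorithm match result; without an argument it only evaluates the dump region (0x46A000 bytes mapped, roughly 3.4 times the disk size).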
Processes

1. Image: C:\Users\Admin\AppData\Local\Temp\9ee4059d1c9ae9597e4623aa54eac9af.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\9ee4059d1c9ae9597e4623aa54eac9af.exe"
   PID: 564
   - Suspicious behavior: RenamesItself
   - Suspicious use of UnmapMainImage
   - Suspicious use of WriteProcessMemory

   2. Image: C:\Users\Admin\AppData\Local\Temp\9ee4059d1c9ae9597e4623aa54eac9af.exe (child of PID 564)
      Command line: C:\Users\Admin\AppData\Local\Temp\9ee4059d1c9ae9597e4623aa54eac9af.exe
      PID: 2964
      - Deletes itself
      - Executes dropped EXE
      - Suspicious use of UnmapMainImage
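The tree above shows the shape worth detecting generically, not just this sample: a parent launches a second copy of its own image, writes into that child (three WriteProcessMemory hits) while the child's main image is unmapped, and the child then deletes the file. Parent and child sharing an image path is what separates this from a debugger or an installer writing into a helper process. The following is an added example and not Triage's code: the event records are constructed here to mirror the report, and the `Event` fields and kind names are this example's own, not a Triage export format.

```python
from dataclasses import dataclass

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\9ee4059d1c9ae9597e4623aa54eac9af.exe"


@dataclass
class Event:
    """One sandbox event. Field names are this example's own, not Triage's."""
    kind: str          # process_start | rename_self | write_memory | delete_file
    pid: int           # acting process
    image: str = ""    # image path (process_start) or file path touched (rename/delete)
    parent: int = 0    # parent pid, for process_start
    target: int = 0    # pid written to, for write_memory


# Constructed stream mirroring the tree above: 564 starts, renames itself,
# spawns 2964 from the same path, writes to it three times, child deletes file.
REPORTED_EVENTS = [
    Event("process_start", 564, image=SAMPLE),
    Event("rename_self", 564, image=SAMPLE),
    Event("process_start", 2964, image=SAMPLE, parent=564),
    Event("write_memory", 564, target=2964),
    Event("write_memory", 564, target=2964),
    Event("write_memory", 564, target=2964),
    Event("delete_file", 2964, image=SAMPLE),
]

# Constructed benign comparison: a shell spawning a different binary and a
# debugger-style write into it. Same primitives, not the self-copy pattern.
BENIGN_EVENTS = [
    Event("process_start", 100, image=r"C:\Windows\explorer.exe"),
    Event("process_start", 200, image=r"C:\Tools\app.exe", parent=100),
    Event("write_memory", 100, target=200),
]


def _norm(path: str) -> str:
    # Windows paths are case-insensitive; compare a normalised form.
    return path.replace("/", "\\").lower()


def find_self_replacing_injectors(events):
    """Return one finding per parent that writes into a child spawned from
    the parent's own image path. Each finding also records two corroborating
    facts visible in the report: the parent renamed its own file beforehand,
    and the child deleted that file afterwards."""
    procs = {e.pid: e for e in events if e.kind == "process_start"}
    writes = {}
    for e in events:
        if e.kind == "write_memory":
            writes[(e.pid, e.target)] = writes.get((e.pid, e.target), 0) + 1
    renamed = {e.pid for e in events if e.kind == "rename_self"}
    deleted = {(e.pid, _norm(e.image)) for e in events if e.kind == "delete_file"}

    findings = []
    for (src, dst), count in sorted(writes.items()):
        parent, child = procs.get(src), procs.get(dst)
        if parent is None or child is None or child.parent != src:
            continue                      # writer is not the spawner: skip
        if _norm(child.image) != _norm(parent.image):
            continue                      # different binaries: not a self-copy
        findings.append({
            "parent": src,
            "child": dst,
            "image": parent.image,
            "writes": count,
            "parent_renamed_self": src in renamed,
            "child_deleted_image": (dst, _norm(child.image)) in deleted,
        })
    return findings


if __name__ == "__main__":
    for f in find_self_replacing_injectors(REPORTED_EVENTS):
        print("self-replacing injector:", f)
    print("benign findings:", find_self_replacing_injectors(BENIGN_EVENTS))
```

The correlation key is the (writer, target) pair joined back to the process start records; a single WriteProcessMemory into a same-image child is already enough to flag, and the rename and delete bits raise confidence rather than gate the finding, so a sample that skips the self-delete step is still caught.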
-
Network
MITRE ATT&CK Matrix
Downloads
Filesize: 66KB
MD5: 937d969628d12a8a13fd9011053cef93
SHA1: ce4023d1498aac409ff7c25f72e8f3445d05c322
SHA256: 9b1284e0b63a0e421100561e1dd34d10bb5b724bb38815a8380d3f5259c94f15
SHA512: 3fcb6af870a4805983029235ee146b69da8e2ecc8db8bcfe8a973e64792b6694e91276b154734d239fd775c3049f68bfd86e1244f864b75ab678272df875d894