Analysis
max time kernel: 144s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24/12/2023, 19:32
Static task: static1
Behavioral task: behavioral1
  Sample: 0dc2c68ba1d6479092565143803ca30f.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 0dc2c68ba1d6479092565143803ca30f.exe
  Resource: win10v2004-20231222-en
General
Target: 0dc2c68ba1d6479092565143803ca30f.exe
Size: 24.0MB
MD5: 0dc2c68ba1d6479092565143803ca30f
SHA1: 06a47fb3ecf052c8c255dc8dc729151d14ca623b
SHA256: 03cc85fee1f7601917ed807996281321f6ef8c9bedb29d5a2148cdb3d8b1dde4
SHA512: 51a23ff0e194a74d3901cbaf7a0f44d36e81d7d23dce07ce82d27eae44893bfc5591bb1395bc251e344c7986c17971d3962aef56ca73a35f45d594bd2ad2aa96
SSDEEP: 393216:CvTIpUq7xHR7Xv2tg/cbN3F2xKN6TNTXdTOAde851z5WL286X2rXYxtEm:KJq10tQcbN3FbUhNXpH2pK
Malware Config
Signatures
- Modifies Installed Components in the registry (2 TTPs, 3 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{H8I12RB03-AB-B70-7-11d2-9CBD-0O00FS7AH6-9E2121BHJLK} | svchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{H8I12RB03-AB-B70-7-11d2-9CBD-0O00FS7AH6-9E2121BHJLK}\ = "361" | svchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{H8I12RB03-AB-B70-7-11d2-9CBD-0O00FS7AH6-9E2121BHJLK}\stubpath = "C:\\ProgramData\\DYJDYJ\\svchost.exe" | svchost.exe
- Executes dropped EXE (1 IoC)
  pid | Process
  1676 | svchost.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 1528 wrote to memory of 1676 | 1528 | 0dc2c68ba1d6479092565143803ca30f.exe | 91
  PID 1528 wrote to memory of 1676 | 1528 | 0dc2c68ba1d6479092565143803ca30f.exe | 91
  PID 1528 wrote to memory of 1676 | 1528 | 0dc2c68ba1d6479092565143803ca30f.exe | 91
  PID 1528 wrote to memory of 4540 | 1528 | 0dc2c68ba1d6479092565143803ca30f.exe | 97
  PID 1528 wrote to memory of 4540 | 1528 | 0dc2c68ba1d6479092565143803ca30f.exe | 97
  PID 1528 wrote to memory of 4540 | 1528 | 0dc2c68ba1d6479092565143803ca30f.exe | 97
Processes
1. C:\Users\Admin\AppData\Local\Temp\0dc2c68ba1d6479092565143803ca30f.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\0dc2c68ba1d6479092565143803ca30f.exe"
   - Suspicious use of WriteProcessMemory
   PID: 1528
   2. C:\ProgramData\OVCOVC\svchost.exe
      Command line: C:\ProgramData\OVCOVC\svchost.exe
      - Modifies Installed Components in the registry
      - Executes dropped EXE
      PID: 1676
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c del "C:\Users\Admin\AppData\Local\Temp\0dc2c68ba1d6479092565143803ca30f.exe"
      PID: 4540
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 70KB
  MD5: e1e75eae3cddbf9140d1e32413c7c4e0
  SHA1: fec301507bb3fd201bde47328c9067b25c929dd1
  SHA256: 403e204b8f1e79016f91d74193593f296ad0b844b323069b8578d8541e597115
  SHA512: 22659ecc76e5a2c7439136d54918321c1b8834f23fe9364fe0eb75ddb63bf2c7626b10c04e00aa359af2b6b14d0fad57210c394d70354c0bab61bb7271de0d2f
- Filesize: 89KB
  MD5: b3edb4fb80dff313b5b79be15ba21322
  SHA1: 80e65b9dab01e32fde35380005df66d2e3af20bc
  SHA256: 228796a82c3d3bb07a7a0927dfd873ca3be4d8fc766c7e0f5f243cbbf1ea1b29
  SHA512: f6c21df0abef897a838e98a3dd99c2e1d3fa0eeb591fcf3c77515dacd029757d22fab1a17e3496cb0660cb551f241d8ef087d4636a32000fe53a539d0eac0202