Analysis
- max time kernel: 140s
- max time network: 160s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25/12/2023, 00:03
Static task: static1

Behavioral task: behavioral1
- Sample: 1b854ff428d213cf6027aabf80f94008.exe
- Resource: win7-20231215-en

Behavioral task: behavioral2
- Sample: 1b854ff428d213cf6027aabf80f94008.exe
- Resource: win10v2004-20231215-en
General
- Target: 1b854ff428d213cf6027aabf80f94008.exe
- Size: 1000KB
- MD5: 1b854ff428d213cf6027aabf80f94008
- SHA1: b3c7eb47bc161d0069c546daa35a46648b70f2cd
- SHA256: aa6a25721fa4a71e939f88c09bde15b1b1d8097a8ff39b11bac0b7edfa4a0d80
- SHA512: a94de60ecc30e9787ef0c1e22016eb9da71579139d2db9c82208fbd068bda7ffe0faccf1859e052852d31a45e82430079c82ebd82235a1a0add784d25e8aed23
- SSDEEP: 24576:aKd2/xq6VecWfa5sHGdqRDoeY7d15ipq1B+5vMiqt0gj2ed:ZY/xq64Vfa5sHGdqRDoeY7dvipgqOL
Malware Config
Signatures
- Deletes itself (1 IoC)
  - PID 236: 1b854ff428d213cf6027aabf80f94008.exe
- Executes dropped EXE (1 IoC)
  - PID 236: 1b854ff428d213cf6027aabf80f94008.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTP)
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  - PID 236: 1b854ff428d213cf6027aabf80f94008.exe
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  - PID 1092: schtasks.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  - PID 236: 1b854ff428d213cf6027aabf80f94008.exe
  - PID 236: 1b854ff428d213cf6027aabf80f94008.exe
- Suspicious behavior: RenamesItself (1 IoC)
  - PID 3988: 1b854ff428d213cf6027aabf80f94008.exe
- Suspicious use of UnmapMainImage (2 IoCs)
  - PID 3988: 1b854ff428d213cf6027aabf80f94008.exe
  - PID 236: 1b854ff428d213cf6027aabf80f94008.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | process | procid_target
  PID 3988 wrote to memory of 236 | 3988 | 1b854ff428d213cf6027aabf80f94008.exe | 91
  PID 3988 wrote to memory of 236 | 3988 | 1b854ff428d213cf6027aabf80f94008.exe | 91
  PID 3988 wrote to memory of 236 | 3988 | 1b854ff428d213cf6027aabf80f94008.exe | 91
  PID 236 wrote to memory of 1092 | 236 | 1b854ff428d213cf6027aabf80f94008.exe | 92
  PID 236 wrote to memory of 1092 | 236 | 1b854ff428d213cf6027aabf80f94008.exe | 92
  PID 236 wrote to memory of 1092 | 236 | 1b854ff428d213cf6027aabf80f94008.exe | 92
Processes
1. C:\Users\Admin\AppData\Local\Temp\1b854ff428d213cf6027aabf80f94008.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\1b854ff428d213cf6027aabf80f94008.exe"
   PID: 3988
   - Suspicious behavior: RenamesItself
   - Suspicious use of UnmapMainImage
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\1b854ff428d213cf6027aabf80f94008.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\1b854ff428d213cf6027aabf80f94008.exe
      PID: 236
      - Deletes itself
      - Executes dropped EXE
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of UnmapMainImage
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\schtasks.exe
         Command line: schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\1b854ff428d213cf6027aabf80f94008.exe" /TN Google_Trk_Updater /F
         PID: 1092
         - Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1000KB
- MD5: cb53168d802fe1a56487156d8d5790c9
- SHA1: 234a2b0383f18af455ca5ea219ed4d6728e51dd4
- SHA256: 66c2c9082f0056838fc86d90a9441df05ae990265c5903f7a347aebd678c6c1a
- SHA512: dfa262263b39c26c872d8375c05c643dba89853fc86fed92349360728fc525d6d40ce817afba2017228760075dd85e690ab0448daef6d80571009d37fb875815