Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    1s
  • max time network
    109s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25/12/2023, 06:49

General

  • Target

    0cbaa61694803eea6300dbd5b250b507.exe

  • Size

    209KB

  • MD5

    0cbaa61694803eea6300dbd5b250b507

  • SHA1

    b72126bc96f7488fcef65bda68268009e13fed34

  • SHA256

    62f437e363dbfbe1d9e99907b0eca8f2b9083ceface26e177e38f098b0a4d5b7

  • SHA512

    3f723ffa8129964aae9f717de3a8e7f0ed17bffcf045cfcbec385abd1abb2b38937677889c23a36ac9c38bad08fd0ca6e8f483d91892834f1961891d93af3b8a

  • SSDEEP

    6144:jlVCYIpCSYIGo4EWiS0E/vkVi0W/2WjE:uYFo4tiS0yT

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0cbaa61694803eea6300dbd5b250b507.exe
    "C:\Users\Admin\AppData\Local\Temp\0cbaa61694803eea6300dbd5b250b507.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3924
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4AB5.tmp\vir.bat""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2884
  • C:\Windows\SysWOW64\calc.exe
    CALC.EXE
    1⤵
      PID:3464
    • C:\Users\Admin\AppData\Local\Temp\4B13.tmp\mpress.exe
      "C:\Users\Admin\AppData\Local\Temp\4B13.tmp\mpress.exe" "C:\Users\Admin\AppData\Local\Temp\exe4B14.tmp"
      1⤵
      • Executes dropped EXE
      PID:3888
    • C:\Windows\system32\OpenWith.exe
      C:\Windows\system32\OpenWith.exe -Embedding
      1⤵
        PID:704
      • C:\Windows\SysWOW64\calc.exe
        CALC.EXE
        1⤵
          PID:4572
        • C:\Users\Admin\AppData\Local\Temp\u.dll
          u.dll -bat vir.bat -save 0cbaa61694803eea6300dbd5b250b507.exe.com -include s.dll -overwrite -nodelete
          1⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:4604
        • C:\Windows\system32\OpenWith.exe
          C:\Windows\system32\OpenWith.exe -Embedding
          1⤵
            PID:5052

          Network

          MITRE ATT&CK Matrix

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • memory/3888-55-0x0000000000400000-0x0000000000434000-memory.dmp

            Filesize

            208KB

          • memory/3888-62-0x0000000000400000-0x0000000000434000-memory.dmp

            Filesize

            208KB

          • memory/3924-0-0x0000000000400000-0x00000000004BF000-memory.dmp

            Filesize

            764KB

          • memory/3924-1-0x0000000000400000-0x00000000004BF000-memory.dmp

            Filesize

            764KB

          • memory/3924-70-0x0000000000400000-0x00000000004BF000-memory.dmp

            Filesize

            764KB