Analysis
Max time kernel: 147s
Max time network: 147s
Platform: windows10-2004_x64
Resource: win10v2004-20231215-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 25/12/2023, 07:29
Static task: static1
Behavioral task: behavioral1
  Sample: 0ede4cb539d18eff602baa20fdef459a.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 0ede4cb539d18eff602baa20fdef459a.exe
  Resource: win10v2004-20231215-en
General
Target: 0ede4cb539d18eff602baa20fdef459a.exe
Size: 506KB
MD5: 0ede4cb539d18eff602baa20fdef459a
SHA1: e0fadb85dc5250f8b2e1b3ae7b9c83a149ed105e
SHA256: 6fa66095e2a47acab14a9780200a18a06241e0130b1ed71645d8fe1dfd9eefe9
SHA512: 4fb8d01baa64328af4e34be52778508a9370eb6f0ea4d8b79c5db8538dd177918d09b584d1207a609a1429c8cfe200f1a1bdc793a5a1ceb353327b0f4b9f8d66
SSDEEP: 12288:6m5aghmSWYdVJpvC+kmiAeb1MH35cqSgQ70zbU3SvMY:b5JhRPivb1MH3+lZQY31Y
Malware Config
Signatures
Deletes itself (1 IoC)
  PID 4512: 0ede4cb539d18eff602baa20fdef459a.exe
Executes dropped EXE (1 IoC)
  PID 4512: 0ede4cb539d18eff602baa20fdef459a.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTP)
Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  PID 4512: 0ede4cb539d18eff602baa20fdef459a.exe
Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID 1724: schtasks.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 4512: 0ede4cb539d18eff602baa20fdef459a.exe
  PID 4512: 0ede4cb539d18eff602baa20fdef459a.exe
Suspicious behavior: RenamesItself (1 IoC)
  PID 5800: 0ede4cb539d18eff602baa20fdef459a.exe
Suspicious use of UnmapMainImage (2 IoCs)
  PID 5800: 0ede4cb539d18eff602baa20fdef459a.exe
  PID 4512: 0ede4cb539d18eff602baa20fdef459a.exe
Suspicious use of WriteProcessMemory (6 IoCs)
  Description | PID | Process | procid_target
  PID 5800 wrote to memory of 4512 | 5800 | 0ede4cb539d18eff602baa20fdef459a.exe | 89
  PID 5800 wrote to memory of 4512 | 5800 | 0ede4cb539d18eff602baa20fdef459a.exe | 89
  PID 5800 wrote to memory of 4512 | 5800 | 0ede4cb539d18eff602baa20fdef459a.exe | 89
  PID 4512 wrote to memory of 1724 | 4512 | 0ede4cb539d18eff602baa20fdef459a.exe | 94
  PID 4512 wrote to memory of 1724 | 4512 | 0ede4cb539d18eff602baa20fdef459a.exe | 94
  PID 4512 wrote to memory of 1724 | 4512 | 0ede4cb539d18eff602baa20fdef459a.exe | 94
Processes
Depth 1: C:\Users\Admin\AppData\Local\Temp\0ede4cb539d18eff602baa20fdef459a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0ede4cb539d18eff602baa20fdef459a.exe"
  PID: 5800
  - Suspicious behavior: RenamesItself
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  Depth 2: C:\Users\Admin\AppData\Local\Temp\0ede4cb539d18eff602baa20fdef459a.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\0ede4cb539d18eff602baa20fdef459a.exe
    PID: 4512
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    Depth 3: C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\0ede4cb539d18eff602baa20fdef459a.exe" /TN Google_Trk_Updater /F
      PID: 1724
      - Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 506KB
MD5: 852635ec6857bbd1abaee5ceadfc6098
SHA1: 47aa541aa0717fa53ffe1b6cbb11175e0567d16c
SHA256: 4315bd1b9abd380d4cd5b02023a89e7ef06ac7a2125fdc30a97b08125d7ad9e9
SHA512: 98c99bf17f23fd6649e346be467417abb2a3d4c98281220b8dc0d01d07a15bc3d6face5523225f030d601d2d31b01260eb8800ec83cdda3b696caef7c01e66d6