Analysis
max time kernel: 165s
max time network: 193s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/12/2023, 10:57
Behavioral tasks
behavioral1: sample 18e51d9441df2eef239ef19bf8f88f96.exe, resource win7-20231215-en
behavioral2: sample 18e51d9441df2eef239ef19bf8f88f96.exe, resource win10v2004-20231215-en
General
Target: 18e51d9441df2eef239ef19bf8f88f96.exe
Size: 1.9MB
MD5: 18e51d9441df2eef239ef19bf8f88f96
SHA1: baee9873d0e75999e472e8871e3cddbd87937b1a
SHA256: dd91f79b47a46883a74f1fe0c71e3e088c664d6e5a09e462e60018223894806e
SHA512: 3ab6ab11293f322cf4eb726629f8b53d4033409527fd1a80348bc6ca9b3309fbc981ffbbc9366f8e26b0f335e6fdc6b4b8d1252e0b31c5df75c8aa77891d1fb1
SSDEEP: 49152:o7qDgEecSE/bTCH4nsGTfJ1Gh59I/Rk5vH6Y8CLRlDrxT3Axh1TcCGd5sgtGbTs:Uq0IOjmfJOv11yjGd/
Malware Config
none listed

Signatures

Executes dropped EXE (1 IoC)
  pid 4544  test.exe

yara rule "upx" (6 matches; all from behavioral2, the win10 task, covering the sample's own image in memory, the dropped file, and the dropped file's image in memory)
  behavioral2/memory/4244-0-0x0000000000400000-0x0000000000771000-memory.dmp
  behavioral2/files/0x0007000000023222-4.dat
  behavioral2/memory/4544-5-0x0000000000400000-0x00000000004F9000-memory.dmp
  behavioral2/memory/4244-7-0x0000000000400000-0x0000000000771000-memory.dmp
  behavioral2/memory/4544-8-0x0000000000400000-0x00000000004F9000-memory.dmp
  behavioral2/memory/4244-26-0x0000000000400000-0x0000000000771000-memory.dmp

Legitimate hosting services abused for malware hosting/C2 (1 TTP; the report gives no further detail)

Program crash (1 IoC)
  pid 4048  pid_target 4544  WerFault.exe  procid_target 91

Suspicious use of WriteProcessMemory (6 IoCs; tria.ge lists three entries per parent-to-child write)
  description                        pid   Process                                procid_target
  PID 4244 wrote to memory of 4116   4244  18e51d9441df2eef239ef19bf8f88f96.exe   90
  PID 4244 wrote to memory of 4116   4244  18e51d9441df2eef239ef19bf8f88f96.exe   90
  PID 4244 wrote to memory of 4116   4244  18e51d9441df2eef239ef19bf8f88f96.exe   90
  PID 4116 wrote to memory of 4544   4116  cmd.exe                                91
  PID 4116 wrote to memory of 4544   4116  cmd.exe                                91
  PID 4116 wrote to memory of 4544   4116  cmd.exe                                91
Processes
(indentation shows parent/child depth; the sample launches cmd.exe /c with the bare name test.exe, which resolves to the dropped test.exe in the sample's working directory under Temp; WerFault.exe -p 4544 is Windows Error Reporting handling that dropped process's crash)

C:\Users\Admin\AppData\Local\Temp\18e51d9441df2eef239ef19bf8f88f96.exe  (PID 4244)
  command line: "C:\Users\Admin\AppData\Local\Temp\18e51d9441df2eef239ef19bf8f88f96.exe"
  signatures: Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe  (PID 4116)
      command line: C:\Windows\system32\cmd.exe /c test.exe
      signatures: Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\test.exe  (PID 4544)
          command line: test.exe
          signatures: Executes dropped EXE
            C:\Windows\SysWOW64\WerFault.exe  (PID 4048)
              command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4544 -s 1976
              signatures: Program crash

C:\Windows\SysWOW64\WerFault.exe  (PID 216)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4544 -ip 4544
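The process tree above is derived from the WriteProcessMemory IoC lines plus the process listing. The following is an added example (not tria.ge code) that rebuilds that tree from the report's own lines and flags the chain seen here: an EXE under %TEMP% spawning cmd.exe /c, which launches a second EXE from %TEMP%, with WerFault then reporting the dropped EXE's crash. The process listing and IoC lines are transcribed from this report; the Temp -> cmd.exe /c -> Temp rule is this example's own heuristic, not a tria.ge signature.

```python
"""Rebuild the parent/child process tree from tria.ge-style
"Suspicious use of WriteProcessMemory" IoC lines plus the process listing,
then flag a dropped-EXE execution chain and the pids WerFault was invoked for.

Added example, not tria.ge code.  PROCESSES and WPM_IOCS are transcribed from
the report; the Temp -> cmd.exe /c -> Temp rule is this example's own heuristic.
"""
import re

# pid -> (image path, command line), transcribed from the report's process tree.
PROCESSES = {
    4244: (r"C:\Users\Admin\AppData\Local\Temp\18e51d9441df2eef239ef19bf8f88f96.exe",
           r'"C:\Users\Admin\AppData\Local\Temp\18e51d9441df2eef239ef19bf8f88f96.exe"'),
    4116: (r"C:\Windows\SysWOW64\cmd.exe",
           r"C:\Windows\system32\cmd.exe /c test.exe"),
    4544: (r"C:\Users\Admin\AppData\Local\Temp\test.exe", "test.exe"),
    4048: (r"C:\Windows\SysWOW64\WerFault.exe",
           r"C:\Windows\SysWOW64\WerFault.exe -u -p 4544 -s 1976"),
    216:  (r"C:\Windows\SysWOW64\WerFault.exe",
           r"C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4544 -ip 4544"),
}

# The six WriteProcessMemory IoC lines as tria.ge prints them (three per write).
WPM_IOCS = """\
PID 4244 wrote to memory of 4116 4244 18e51d9441df2eef239ef19bf8f88f96.exe 90
PID 4244 wrote to memory of 4116 4244 18e51d9441df2eef239ef19bf8f88f96.exe 90
PID 4244 wrote to memory of 4116 4244 18e51d9441df2eef239ef19bf8f88f96.exe 90
PID 4116 wrote to memory of 4544 4116 cmd.exe 91
PID 4116 wrote to memory of 4544 4116 cmd.exe 91
PID 4116 wrote to memory of 4544 4116 cmd.exe 91
"""

# "PID <parent> wrote to memory of <child> <parent> <image> <procid_target>"
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ \S+ \d+")
TEMP_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\[^\\]+\.exe$", re.I)
WER_RE = re.compile(r"WerFault\.exe .*?-p (\d+)", re.I)


def parse_wpm(text):
    """Map child pid -> parent pid; the repeated IoC lines collapse to one edge."""
    edges = {}
    for line in text.splitlines():
        m = WPM_RE.match(line.strip())
        if m:
            parent, child = int(m.group(1)), int(m.group(2))
            edges[child] = parent
    return edges


def ancestry(pid, edges):
    """Walk child -> parent links to the root; returns [root, ..., pid]."""
    chain = [pid]
    while chain[0] in edges and edges[chain[0]] not in chain:  # cycle guard
        chain.insert(0, edges[chain[0]])
    return chain


def is_temp_exe(path):
    """True for an .exe image located directly under a user's AppData\\Local\\Temp."""
    return TEMP_RE.search(path) is not None


def dropped_exe_chains(processes, edges):
    """Return (grandparent, parent, child) pid triples where a %TEMP% EXE runs
    cmd.exe /c and that cmd.exe then launches another EXE from %TEMP%."""
    hits = []
    for pid, (image, _cmd) in processes.items():
        chain = ancestry(pid, edges)
        if not is_temp_exe(image) or len(chain) < 3:
            continue
        grand, parent = chain[-3], chain[-2]
        p_image, p_cmd = processes[parent]
        if (p_image.lower().endswith("\\cmd.exe") and " /c " in p_cmd.lower()
                and is_temp_exe(processes[grand][0])):
            hits.append((grand, parent, pid))
    return hits


def crashed_pids(processes):
    """Pids that WerFault.exe was invoked for (-p <pid>), i.e. processes that crashed."""
    found = set()
    for _image, cmd in processes.values():
        m = WER_RE.search(cmd)
        if m:
            found.add(int(m.group(1)))
    return sorted(found)


if __name__ == "__main__":
    edges = parse_wpm(WPM_IOCS)
    for chain in dropped_exe_chains(PROCESSES, edges):
        print("dropped-EXE chain:", " -> ".join(f"{p} {PROCESSES[p][0]}" for p in chain))
    print("crashed:", crashed_pids(PROCESSES))
```

Run as-is it reports the chain 4244 -> 4116 -> 4544 and the crashed pid 4544; swapping in another report's IoC lines and process listing reuses the same parsing, since the IoC text format is the one tria.ge prints.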
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1
Filesize: 394KB
MD5: fb7a865328b3c02dd06507e74b8d46b9
SHA1: 5e3c011acebb08db99759f43702a230275cd6cdd
SHA256: b9905f83103a0f8aa735be1e9ff4cc40564b4712bb294be34516fffcc83311fa
SHA512: 6e41352b7ce155bf73c0caa62c2dbea764c50f653b7b71ed46d0e98be68eb09723cbc3f1a1638471df64c6f52e3a6a0524cd698e2d0c6d85e035833284c6652c