Analysis
- max time kernel: 1s
- max time network: 124s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26/12/2023, 08:37
Static task: static1
Behavioral task: behavioral1
- Sample: 604ac5fdfe5562387e2497f34a543df5.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 604ac5fdfe5562387e2497f34a543df5.exe
- Resource: win10v2004-20231215-en
General
- Target: 604ac5fdfe5562387e2497f34a543df5.exe
- Size: 208KB
- MD5: 604ac5fdfe5562387e2497f34a543df5
- SHA1: 7f853524c8fb634d7defbdfccfe7cf2637d9b4f2
- SHA256: 4969bebc3f9ec115187c5d310831c48f89aad355622d3417137cdf39bb26ef25
- SHA512: 8110bcc0271830555ec12da772e902dc759f447b0f3d5c463b60bf3caf3ea98a0baaab2b51791ebb7e36f9aecce1de9cbb09fce7f63e69ef2b3c1c9895e112b3
- SSDEEP: 6144:FlsSFhznFu8WD6RrZOAR7y5JMcrUGqRQQ:8Uh7Q8MQZOARO5ucrUpR
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)

  pid   Process
  2232  u.dll
  2456  mpress.exe

- Suspicious use of WriteProcessMemory (12 IoCs)

  description                       pid   Process                                procid_target
  PID 2072 wrote to memory of 4120  2072  604ac5fdfe5562387e2497f34a543df5.exe   16
  PID 2072 wrote to memory of 4120  2072  604ac5fdfe5562387e2497f34a543df5.exe   16
  PID 2072 wrote to memory of 4120  2072  604ac5fdfe5562387e2497f34a543df5.exe   16
  PID 4120 wrote to memory of 2232  4120  cmd.exe                                18
  PID 4120 wrote to memory of 2232  4120  cmd.exe                                18
  PID 4120 wrote to memory of 2232  4120  cmd.exe                                18
  PID 2232 wrote to memory of 2456  2232  u.dll                                  20
  PID 2232 wrote to memory of 2456  2232  u.dll                                  20
  PID 2232 wrote to memory of 2456  2232  u.dll                                  20
  PID 4120 wrote to memory of 4948  4120  cmd.exe                                21
  PID 4120 wrote to memory of 4948  4120  cmd.exe                                21
  PID 4120 wrote to memory of 4948  4120  cmd.exe                                21
Processes (indented by process-tree depth; each entry gives image path, PID, command line and matched signatures)

C:\Users\Admin\AppData\Local\Temp\604ac5fdfe5562387e2497f34a543df5.exe (PID 2072)
  Command line: "C:\Users\Admin\AppData\Local\Temp\604ac5fdfe5562387e2497f34a543df5.exe"
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe (PID 4120)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4C8A.tmp\vir.bat""
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\u.dll (PID 2232)
      Command line: u.dll -bat vir.bat -save 604ac5fdfe5562387e2497f34a543df5.exe.com -include s.dll -overwrite -nodelete
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\4CF7.tmp\mpress.exe (PID 2456)
        Command line: "C:\Users\Admin\AppData\Local\Temp\4CF7.tmp\mpress.exe" "C:\Users\Admin\AppData\Local\Temp\exe4CF8.tmp"
        - Executes dropped EXE
    C:\Windows\SysWOW64\calc.exe (PID 4948)
      Command line: CALC.EXE
    C:\Windows\SysWOW64\calc.exe (PID 4508)
      Command line: CALC.EXE
C:\Windows\system32\OpenWith.exe (PID 3928)
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
C:\Windows\system32\OpenWith.exe (PID 3116)
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
Network
MITRE ATT&CK Matrix
Downloads