Analysis
  max time kernel:  132s
  max time network: 146s
  platform:         windows10-2004_x64
  resource:         win10v2004-20231215-en
  resource tags:    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  submitted:        26/12/2023, 11:49
Tasks

| Task            | Name        | Sample                                 | Resource               |
|-----------------|-------------|----------------------------------------|------------------------|
| Static task     | static1     |                                        |                        |
| Behavioral task | behavioral1 | 6c16e5780ffd51afc4426f266cc35fb7.exe   | win7-20231215-en       |
| Behavioral task | behavioral2 | 6c16e5780ffd51afc4426f266cc35fb7.exe   | win10v2004-20231215-en |
General
  Target: 6c16e5780ffd51afc4426f266cc35fb7.exe
  Size:   40KB
  MD5:    6c16e5780ffd51afc4426f266cc35fb7
  SHA1:   87107bb2959a9b67555a402a7eb20d664f611d82
  SHA256: 4d99633e3b304e00e8913e0a9637322aa54b0e161b33ec45b172caa3a9891e8e
  SHA512: 021a0ea45dd576010a29b6abd0c064c45fb78df45f8d6342ce5aeeb24100b0b24285c2084b727a3560497a0f81b71d5b4efd08d416ae993c9509af21b5cba141
  SSDEEP: 768:aq9m/ZsybSg2ts4L3RLc/qjhsKmHbk1+qJ0UtHQM:aqk/Zdic/qjh8w19JDHQM
Malware Config
Signatures

Executes dropped EXE (1 IoC)

| pid  | Process      |
|------|--------------|
| 4880 | services.exe |

UPX-packed file or memory region (yara_rule: upx)

| resource                                                                  | yara_rule |
|---------------------------------------------------------------------------|-----------|
| behavioral2/files/0x0007000000023219-4.dat                                | upx       |
| behavioral2/memory/4880-6-0x0000000000400000-0x0000000000408000-memory.dmp   | upx       |
| behavioral2/memory/4880-13-0x0000000000400000-0x0000000000408000-memory.dmp  | upx       |
| behavioral2/memory/4880-17-0x0000000000400000-0x0000000000408000-memory.dmp  | upx       |
| behavioral2/memory/4880-18-0x0000000000400000-0x0000000000408000-memory.dmp  | upx       |
| behavioral2/memory/4880-22-0x0000000000400000-0x0000000000408000-memory.dmp  | upx       |
| behavioral2/memory/4880-26-0x0000000000400000-0x0000000000408000-memory.dmp  | upx       |
| behavioral2/memory/4880-30-0x0000000000400000-0x0000000000408000-memory.dmp  | upx       |
| behavioral2/memory/4880-31-0x0000000000400000-0x0000000000408000-memory.dmp  | upx       |
| behavioral2/memory/4880-35-0x0000000000400000-0x0000000000408000-memory.dmp  | upx       |
| behavioral2/memory/4880-39-0x0000000000400000-0x0000000000408000-memory.dmp  | upx       |
| behavioral2/memory/4880-107-0x0000000000400000-0x0000000000408000-memory.dmp | upx       |
| behavioral2/memory/4880-133-0x0000000000400000-0x0000000000408000-memory.dmp | upx       |
| behavioral2/memory/4880-171-0x0000000000400000-0x0000000000408000-memory.dmp | upx       |

Adds Run key to start application (2 TTPs, 2 IoCs)

| description     | ioc                                                                                                               | Process                              |
|-----------------|-------------------------------------------------------------------------------------------------------------------|--------------------------------------|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"       | 6c16e5780ffd51afc4426f266cc35fb7.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" | services.exe                         |

Drops file in Windows directory (3 IoCs)

| description                  | ioc                     | Process                              |
|------------------------------|-------------------------|--------------------------------------|
| File created                 | C:\Windows\java.exe     | 6c16e5780ffd51afc4426f266cc35fb7.exe |
| File created                 | C:\Windows\services.exe | 6c16e5780ffd51afc4426f266cc35fb7.exe |
| File opened for modification | C:\Windows\java.exe     | 6c16e5780ffd51afc4426f266cc35fb7.exe |

Suspicious use of WriteProcessMemory (3 IoCs)

| description                   | pid  | Process                              | procid_target |
|-------------------------------|------|--------------------------------------|---------------|
| PID 3668 wrote to memory of 4880 | 3668 | 6c16e5780ffd51afc4426f266cc35fb7.exe | 90            |
| PID 3668 wrote to memory of 4880 | 3668 | 6c16e5780ffd51afc4426f266cc35fb7.exe | 90            |
| PID 3668 wrote to memory of 4880 | 3668 | 6c16e5780ffd51afc4426f266cc35fb7.exe | 90            |
Processes

  C:\Users\Admin\AppData\Local\Temp\6c16e5780ffd51afc4426f266cc35fb7.exe (PID 3668)
    Command line: "C:\Users\Admin\AppData\Local\Temp\6c16e5780ffd51afc4426f266cc35fb7.exe"
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory

    C:\Windows\services.exe (PID 4880, child of 3668)
      Command line: "C:\Windows\services.exe"
      - Executes dropped EXE
      - Adds Run key to start application
Network
MITRE ATT&CK Enterprise v15
Downloads