Analysis
- max time kernel: 148s
- max time network: 117s
- platform: windows10-2004_x64
- resource: win10v2004-20231222-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26/12/2023, 12:34
Static task: static1
Behavioral task: behavioral1
- Sample: 6ee733b851c63b4ae199517792869852.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 6ee733b851c63b4ae199517792869852.exe
- Resource: win10v2004-20231222-en
General
- Target: 6ee733b851c63b4ae199517792869852.exe
- Size: 241KB
- MD5: 6ee733b851c63b4ae199517792869852
- SHA1: 371a5e0ff65a3dc740c023a3b815d4a114380cc0
- SHA256: 818c17722c580960015fce641b16bb71289bf29bb953a24fce9b5699793c5177
- SHA512: 8c353248030339c13afc8119f9d8c79455adff1154e37022073120017ae1a379cd34e8eac68bfb6a638ab0aa6dddc384c50744a380b41d60f4974b8dfeaaae53
- SSDEEP: 6144:pbnqF/y1vWWZMuG4F04H8CH4NhrTI/38b:pLqi+/CYNV038b
Malware Config
Signatures
- Deletes itself (1 IoCs)
  pid   Process
  4364  6ee733b851c63b4ae199517792869852.exe
- Executes dropped EXE (1 IoCs)
  pid   Process
  4364  6ee733b851c63b4ae199517792869852.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)
  pid   Process
  4364  6ee733b851c63b4ae199517792869852.exe
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  2500  schtasks.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  4364  6ee733b851c63b4ae199517792869852.exe
  4364  6ee733b851c63b4ae199517792869852.exe
- Suspicious behavior: RenamesItself (1 IoCs)
  pid   Process
  940   6ee733b851c63b4ae199517792869852.exe
- Suspicious use of UnmapMainImage (2 IoCs)
  pid   Process
  940   6ee733b851c63b4ae199517792869852.exe
  4364  6ee733b851c63b4ae199517792869852.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description                       pid   Process                                procid_target
  PID 940 wrote to memory of 4364   940   6ee733b851c63b4ae199517792869852.exe   19
  PID 940 wrote to memory of 4364   940   6ee733b851c63b4ae199517792869852.exe   19
  PID 940 wrote to memory of 4364   940   6ee733b851c63b4ae199517792869852.exe   19
  PID 4364 wrote to memory of 2500  4364  6ee733b851c63b4ae199517792869852.exe   46
  PID 4364 wrote to memory of 2500  4364  6ee733b851c63b4ae199517792869852.exe   46
  PID 4364 wrote to memory of 2500  4364  6ee733b851c63b4ae199517792869852.exe   46
Processes
- C:\Users\Admin\AppData\Local\Temp\6ee733b851c63b4ae199517792869852.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\6ee733b851c63b4ae199517792869852.exe"
  PID: 940
  - Suspicious behavior: RenamesItself
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\6ee733b851c63b4ae199517792869852.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\6ee733b851c63b4ae199517792869852.exe
    PID: 4364
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe (depth 3)
      Command line: schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\6ee733b851c63b4ae199517792869852.exe" /TN Google_Trk_Updater /F
      PID: 2500
      - Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 241KB
  MD5: 4cac576dc3ef6ed473fe1bc220e98baf
  SHA1: 31443aca02c7a89c883d110021024a0b474eb144
  SHA256: fe81bf18c1d7521d52e5ad547d8b5fe614c8a6a10a042f193ed41129333221bf
  SHA512: c38440d621bd4b521e686c381aa3e4b19700441fb7ab3eed00cf5cac25a521c5a647e48886a82b872d6f82465bdea2f19bb5f7dd6606de681595759a3ee3d1ed