Analysis
- max time kernel: 157s
- max time network: 164s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28/12/2023, 23:08
Behavioral tasks
- behavioral1
  - Sample: fee1fb8f43fe1f819e27c7829a2a5fc8.exe
  - Resource: win7-20231129-en
- behavioral2
  - Sample: fee1fb8f43fe1f819e27c7829a2a5fc8.exe
  - Resource: win10v2004-20231215-en
General
- Target: fee1fb8f43fe1f819e27c7829a2a5fc8.exe
- Size: 31KB
- MD5: fee1fb8f43fe1f819e27c7829a2a5fc8
- SHA1: ac7fb63dcef728f7098fc6df0accb162191894fd
- SHA256: d3a8aebad829f66f1ec2846127c6fa9dc9851917bbc05e91620bcba3c032f9b5
- SHA512: 2c83d49f9bb9094a0717754a22e06a6cbbc685ab2d8d722a1e50105cc918634162c77d295973b0fd2de9edfb01f4e7ff08ac2c3e68eb216a85c9d160e114c445
- SSDEEP: 768:GMJmO6KrRQpMFrZREjnpE2SWnJrlLxqha5f:GMJf6KGkZRE7BnJpwY
Malware Config
Signatures
- Drops file in Drivers directory (2 IoCs)
  description                   ioc                                       Process
  File opened for modification  C:\Windows\SysWOW64\drivers\svchast.exe   fee1fb8f43fe1f819e27c7829a2a5fc8.exe
  File created                  C:\Windows\SysWOW64\drivers\svchast.exe   fee1fb8f43fe1f819e27c7829a2a5fc8.exe
- Packer YARA match (1 IoC)
  resource                                      yara_rule
  behavioral2/files/0x000d00000001e6f2-2.dat    aspack_v212_v242
- Executes dropped EXE (1 IoC)
  pid     Process
  4284    svchast.exe
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  pid     Process
  2872    fee1fb8f43fe1f819e27c7829a2a5fc8.exe (6 entries)
  4284    svchast.exe (2 entries)
- Suspicious use of WriteProcessMemory (3 IoCs)
  description                          pid     Process                                 procid_target
  PID 2872 wrote to memory of 4284     2872    fee1fb8f43fe1f819e27c7829a2a5fc8.exe    90
  PID 2872 wrote to memory of 4284     2872    fee1fb8f43fe1f819e27c7829a2a5fc8.exe    90
  PID 2872 wrote to memory of 4284     2872    fee1fb8f43fe1f819e27c7829a2a5fc8.exe    90
Processes
- C:\Users\Admin\AppData\Local\Temp\fee1fb8f43fe1f819e27c7829a2a5fc8.exe (PID 2872, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\fee1fb8f43fe1f819e27c7829a2a5fc8.exe"
  - Drops file in Drivers directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\drivers\svchast.exe (PID 4284, depth 2)
    command line: C:\Windows\system32\drivers\svchast.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 31KB
- MD5: fee1fb8f43fe1f819e27c7829a2a5fc8
- SHA1: ac7fb63dcef728f7098fc6df0accb162191894fd
- SHA256: d3a8aebad829f66f1ec2846127c6fa9dc9851917bbc05e91620bcba3c032f9b5
- SHA512: 2c83d49f9bb9094a0717754a22e06a6cbbc685ab2d8d722a1e50105cc918634162c77d295973b0fd2de9edfb01f4e7ff08ac2c3e68eb216a85c9d160e114c445