Analysis
- max time kernel: 141s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29/12/2023, 19:38
Static task: static1
Behavioral task: behavioral1
- Sample: 01f95ee79478bf8869e6902683b1b222.exe
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: 01f95ee79478bf8869e6902683b1b222.exe
- Resource: win10v2004-20231215-en
General
- Target: 01f95ee79478bf8869e6902683b1b222.exe
- Size: 385KB
- MD5: 01f95ee79478bf8869e6902683b1b222
- SHA1: 20bb98c8a3e03a436404839b2a6aa949d9bc3df0
- SHA256: f1c7eac6834496dd3bedd4cfed7bb23f9d260389c81cd33df92d1d4aebe3b57d
- SHA512: 17787744d171e9ae50ebaed271aff2770d90614d40feeaa49b3175081007994027c30957ceadbc0b52b54c3ec38dfc242eb0047df3b03339ad8cacba2424aaba
- SSDEEP: 6144:/zhPi5e31VOKtttU31Dq145tR6RVDaL1RW1tcXrIB5CCPx624np+iftnwB:VPWe31Ptm1B96RpSRW7cXY5awimB
Malware Config
Signatures
- Deletes itself (1 IoC)
  pid 3764, process 01f95ee79478bf8869e6902683b1b222.exe
- Executes dropped EXE (1 IoC)
  pid 3764, process 01f95ee79478bf8869e6902683b1b222.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTP)
- Suspicious behavior: RenamesItself (1 IoC)
  pid 3224, process 01f95ee79478bf8869e6902683b1b222.exe
- Suspicious use of UnmapMainImage (2 IoCs)
  pid 3224, process 01f95ee79478bf8869e6902683b1b222.exe
  pid 3764, process 01f95ee79478bf8869e6902683b1b222.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description: PID 3224 wrote to memory of 3764; pid 3224; process 01f95ee79478bf8869e6902683b1b222.exe; procid_target 91 (three identical entries)
Processes
- Level 1: C:\Users\Admin\AppData\Local\Temp\01f95ee79478bf8869e6902683b1b222.exe "C:\Users\Admin\AppData\Local\Temp\01f95ee79478bf8869e6902683b1b222.exe" (PID 3224)
  - Suspicious behavior: RenamesItself
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  - Level 2 (child of PID 3224): C:\Users\Admin\AppData\Local\Temp\01f95ee79478bf8869e6902683b1b222.exe C:\Users\Admin\AppData\Local\Temp\01f95ee79478bf8869e6902683b1b222.exe (PID 3764)
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of UnmapMainImage
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 106KB
- MD5: b23dffcdc2f092bb77c7da9d26c2ce7a
- SHA1: ecd2e6d07990c7505bf429ec45b29cca0ea4786d
- SHA256: 93d95dd4f3474f7111e50b834eecee04412fb10c6cc031a4b4a25b36b0986e2a
- SHA512: d2a21ddb06a49edb17733123ae1049fd4677843e4ce5451bd5eadfd2c59a8360203f6403c077710e991a5219f385de9b8bab340d36ff67737482354bb0267741