Analysis
- max time kernel: 0s
- max time network: 92s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30/12/2023, 00:11
Static task: static1
Behavioral task: behavioral1
- Sample: 081804c7edf878c0cd7c0981f816e782.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 081804c7edf878c0cd7c0981f816e782.exe
- Resource: win10v2004-20231215-en
General
- Target: 081804c7edf878c0cd7c0981f816e782.exe
- Size: 232KB
- MD5: 081804c7edf878c0cd7c0981f816e782
- SHA1: ff61177e6485f0572bbbf1dc1438ee5a542c0700
- SHA256: 1fb7f9a562a0f8cafae55401b0b47c202ed650f937c5d49d941d23ff6f378f3b
- SHA512: 150e01b4d907c88d9d9d2e06faf0ac5781374c4170a9e0192821e87d3d87c81a698f536b9ffd7fa2a51c8092f29333e5ad0ae7c9451910c78f5e5d63dc12d921
- SSDEEP: 3072:/cT9g8immW6Pozkk2eKs/CSr2nQ/E2S5ny+bF2u1I+ddDK7Hlq/e8SkgnYHfQlAV:o68i3odBiTl2+TCU/wk8KfQlEB
Malware Config
Signatures
- Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft I Service = "C:\\Windows\\winhash_up.exe /REGstart"
  process: 081804c7edf878c0cd7c0981f816e782.exe
- Drops file in Windows directory (12 IoCs)
  All entries by process 081804c7edf878c0cd7c0981f816e782.exe:
  - File opened for modification: C:\Windows\winhash_up.exez
  - File created: C:\Windows\winhash_up.exe
  - File created: C:\Windows\SHARE_TEMP\Icon3.ico
  - File created: C:\Windows\SHARE_TEMP\Icon5.ico
  - File created: C:\Windows\SHARE_TEMP\Icon7.ico
  - File created: C:\Windows\SHARE_TEMP\Icon10.ico
  - File created: C:\Windows\SHARE_TEMP\Icon14.ico
  - File created: C:\Windows\winhash_up.exez
  - File created: C:\Windows\bugMAKER.bat
  - File created: C:\Windows\SHARE_TEMP\Icon6.ico
  - File created: C:\Windows\SHARE_TEMP\Icon12.ico
  - File created: C:\Windows\SHARE_TEMP\Icon2.ico
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (3 IoCs)
  Columns: description | pid | process | procid_target
  - PID 3172 wrote to memory of 1060 | 3172 | 081804c7edf878c0cd7c0981f816e782.exe | 19
  - PID 3172 wrote to memory of 1060 | 3172 | 081804c7edf878c0cd7c0981f816e782.exe | 19
  - PID 3172 wrote to memory of 1060 | 3172 | 081804c7edf878c0cd7c0981f816e782.exe | 19
Processes
- C:\Users\Admin\AppData\Local\Temp\081804c7edf878c0cd7c0981f816e782.exe (PID 3172)
  command line: "C:\Users\Admin\AppData\Local\Temp\081804c7edf878c0cd7c0981f816e782.exe"
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - child: C:\Windows\SysWOW64\cmd.exe (PID 1060)
    command line: C:\Windows\system32\cmd.exe /c C:\Windows\bugMAKER.bat
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 76B
  MD5: d36a337925ef0b609f4d7d73f5a0e6e3
  SHA1: 04fc7987cc27c37027eec439474b482109e0121f
  SHA256: 369338b32fbb28038e04f30b031c624e1432b0dbcb8f6b25ca3ddbb0bb589a03
  SHA512: ba369aa9920fd2298088899cbc11a3ec1ee3c539a0ffb96470c39f6a4e5d3d7fb70c8235c21626caf595029425fd8267c7d678170e676cec2f63cfa172d7776e