Analysis
max time kernel: 134s
max time network: 119s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30/12/2023, 00:23
Static task: static1
1 signatures

Behavioral task: behavioral1
Sample: 087244a066d1e0a9f731d4a30869fb9b.exe
Resource: win7-20231215-en
8 signatures, 150 seconds

Behavioral task: behavioral2
Sample: 087244a066d1e0a9f731d4a30869fb9b.exe
Resource: win10v2004-20231215-en
7 signatures, 150 seconds
General
Target: 087244a066d1e0a9f731d4a30869fb9b.exe
Size: 385KB
MD5: 087244a066d1e0a9f731d4a30869fb9b
SHA1: 2cab5efae9c09aea0d43a9a0a15e4ae445b31d0a
SHA256: 597b771b7d9ed87fb8ea06d98f326f3a5419f0a5375431c82e965bb343eaae37
SHA512: 0aba8e52e444eb5fc72af7b5a04df2afee21c1b9737eaffa99886d3799252be4cc13589d5bb183f8a31587752f0fb72ed3aaa433add8c3afc9036e8304c6850f
SSDEEP: 6144:2qfYDEnS/Bkg5TXvzlyZ6bAAWvLdLPDkqAR1mUDSlc7LqiPyIJsocnb+B:2qGEnS6gtfzwSavxYcUDr7LqlIMb+B
Score: 7/10
Malware Config
(none extracted)

Signatures

Deletes itself (1 IoCs)
  pid 2212  Process 087244a066d1e0a9f731d4a30869fb9b.exe

Executes dropped EXE (1 IoCs)
  pid 2212  Process 087244a066d1e0a9f731d4a30869fb9b.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTPs)

Modifies system certificate store
  description: Key created
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474
  Process: 087244a066d1e0a9f731d4a30869fb9b.exe

  description: Set value (data)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = [blob data elided]
  Process: 087244a066d1e0a9f731d4a30869fb9b.exe

Suspicious behavior: RenamesItself (1 IoCs)
  pid 2708  Process 087244a066d1e0a9f731d4a30869fb9b.exe

Suspicious use of UnmapMainImage (2 IoCs)
  pid 2708  Process 087244a066d1e0a9f731d4a30869fb9b.exe
  pid 2212  Process 087244a066d1e0a9f731d4a30869fb9b.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  description: PID 2708 wrote to memory of 2212  pid 2708  Process 087244a066d1e0a9f731d4a30869fb9b.exe  procid_target 15
  description: PID 2708 wrote to memory of 2212  pid 2708  Process 087244a066d1e0a9f731d4a30869fb9b.exe  procid_target 15
  description: PID 2708 wrote to memory of 2212  pid 2708  Process 087244a066d1e0a9f731d4a30869fb9b.exe  procid_target 15
Processes

1. C:\Users\Admin\AppData\Local\Temp\087244a066d1e0a9f731d4a30869fb9b.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\087244a066d1e0a9f731d4a30869fb9b.exe"
   PID: 2708
   - Suspicious behavior: RenamesItself
   - Suspicious use of UnmapMainImage
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\087244a066d1e0a9f731d4a30869fb9b.exe (child of PID 2708)
      command line: C:\Users\Admin\AppData\Local\Temp\087244a066d1e0a9f731d4a30869fb9b.exe
      PID: 2212
      - Deletes itself
      - Executes dropped EXE
      - Modifies system certificate store
      - Suspicious use of UnmapMainImage