Analysis
- max time kernel: 133s
- max time network: 103s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30/12/2023, 05:11
Behavioral task: behavioral1
- Sample: 0fad9fbf89d7103f7c2c1d58011ec094.exe
- Resource: win7-20231215-en
General
- Target: 0fad9fbf89d7103f7c2c1d58011ec094.exe
- Size: 1.5MB
- MD5: 0fad9fbf89d7103f7c2c1d58011ec094
- SHA1: c4d3a84075af1416a94e43d15df8eb92b4a7ceba
- SHA256: 03b98d0f5ac74f2cc761db1c34fb36c88f2e026769459eea0b9b9d3ea8312ff9
- SHA512: 6691e8cd33bfc3adc8da209a0aa87995a43777597c07a7783c043cac17d0914b231eea0a84a729f573454fc5a36619c4d2013739008998622ff00839976b305a
- SSDEEP: 24576:hp3dpf1YHlKMnMlg1wqCIHzZKQfZakPJWPoUrB3A9n4YWmgeX04MXx2kSMvsWAOz:dsHl7SqCuflc5+M5eE4Mgk8O
Malware Config

Signatures
- XMRig Miner payload (6 IoCs)
  resource / yara_rule:
  - behavioral2/memory/4880-2-0x0000000000400000-0x0000000000593000-memory.dmp (xmrig)
  - behavioral2/memory/4880-12-0x0000000000400000-0x0000000000593000-memory.dmp (xmrig)
  - behavioral2/memory/2956-15-0x0000000000400000-0x0000000000593000-memory.dmp (xmrig)
  - behavioral2/memory/2956-21-0x00000000054B0000-0x0000000005643000-memory.dmp (xmrig)
  - behavioral2/memory/2956-30-0x0000000000400000-0x0000000000587000-memory.dmp (xmrig)
  - behavioral2/memory/2956-20-0x0000000000400000-0x0000000000587000-memory.dmp (xmrig)
- Deletes itself (1 IoC)
  pid / Process:
  - 2956 0fad9fbf89d7103f7c2c1d58011ec094.exe
- Executes dropped EXE (1 IoC)
  pid / Process:
  - 2956 0fad9fbf89d7103f7c2c1d58011ec094.exe
- resource / yara_rule:
  - behavioral2/memory/4880-0-0x0000000000400000-0x0000000000712000-memory.dmp (upx)
  - behavioral2/memory/2956-13-0x0000000000400000-0x0000000000712000-memory.dmp (upx)
  - behavioral2/files/0x000f000000023164-11.dat (upx)
- Suspicious behavior: RenamesItself (1 IoC)
  pid / Process:
  - 4880 0fad9fbf89d7103f7c2c1d58011ec094.exe
- Suspicious use of UnmapMainImage (2 IoCs)
  pid / Process:
  - 4880 0fad9fbf89d7103f7c2c1d58011ec094.exe
  - 2956 0fad9fbf89d7103f7c2c1d58011ec094.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description / pid / Process / procid_target:
  - PID 4880 wrote to memory of 2956; 4880 0fad9fbf89d7103f7c2c1d58011ec094.exe; target 94
  - PID 4880 wrote to memory of 2956; 4880 0fad9fbf89d7103f7c2c1d58011ec094.exe; target 94
  - PID 4880 wrote to memory of 2956; 4880 0fad9fbf89d7103f7c2c1d58011ec094.exe; target 94
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\0fad9fbf89d7103f7c2c1d58011ec094.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\0fad9fbf89d7103f7c2c1d58011ec094.exe"
  PID: 4880
  - Suspicious behavior: RenamesItself
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\0fad9fbf89d7103f7c2c1d58011ec094.exe
    command line: C:\Users\Admin\AppData\Local\Temp\0fad9fbf89d7103f7c2c1d58011ec094.exe
    PID: 2956
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of UnmapMainImage
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 92KB
  MD5: 981dc6acf55899cf9e8da3e509c478be
  SHA1: fc77bca0107aa87152e01d35a0a5a9dcdef017d4
  SHA256: ecd6d4db83f9a37784035a24fb3550773a0fa4ac15333b8f03535d294e804fd2
  SHA512: 2e72b30b8933eb319568afe80434415c6c8b6fc0f8018d789836524b7de0e7e5ddebfeb259ce2009b5da8d6522ccad8470987ff1f4ab9c960109569f09b444b4