Analysis
  Max time kernel: 137s
  Max time network: 166s
  Platform: windows10-2004_x64
  Resource: win10v2004-20231215-en
  Resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  Submitted: 30/12/2023, 08:46
Tasks
  Static task static1
  Behavioral task behavioral1: sample 13aec7bb96e675489eea547cba93914f.exe, resource win7-20231215-en
  Behavioral task behavioral2: sample 13aec7bb96e675489eea547cba93914f.exe, resource win10v2004-20231215-en
General
  Target: 13aec7bb96e675489eea547cba93914f.exe
  Size: 1000KB
  MD5: 13aec7bb96e675489eea547cba93914f
  SHA1: 9708391091688bdffc5c5176f1c456d7d087b5c7
  SHA256: d67ed0821d61754a5370b17364cba0356cb43f2e424a20a04d8f2906eba2814c
  SHA512: fe710679e181f9595b3a16f87a7edcc2f11352517ef7608e2ba458e466e4b99aedb80c7efc50b975140d61c37952d1786b86be9be7bb385c40f02e38a8c9ac60
  SSDEEP: 24576:J3qGd8A0PCT9AI0k6waD1B+5vMiqt0gj2ed:+AxxRwrqOL
Malware Config
Signatures
  Deletes itself (1 IoC)
    pid 3096  13aec7bb96e675489eea547cba93914f.exe
  Executes dropped EXE (1 IoC)
    pid 3096  13aec7bb96e675489eea547cba93914f.exe
  Legitimate hosting services abused for malware hosting/C2 (1 TTP)
  Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
    pid 3096  13aec7bb96e675489eea547cba93914f.exe
  Creates scheduled task(s) (1 TTP, 1 IoC)
    Schtasks is often used by malware for persistence or to perform post-infection execution.
    pid 4284  schtasks.exe
  Suspicious behavior: EnumeratesProcesses (2 IoCs)
    pid 3096  13aec7bb96e675489eea547cba93914f.exe
    pid 3096  13aec7bb96e675489eea547cba93914f.exe
  Suspicious behavior: RenamesItself (1 IoC)
    pid 2092  13aec7bb96e675489eea547cba93914f.exe
  Suspicious use of UnmapMainImage (2 IoCs)
    pid 2092  13aec7bb96e675489eea547cba93914f.exe
    pid 3096  13aec7bb96e675489eea547cba93914f.exe
  Suspicious use of WriteProcessMemory (6 IoCs)
    description                        pid   Process                                procid_target
    PID 2092 wrote to memory of 3096   2092  13aec7bb96e675489eea547cba93914f.exe   91
    PID 2092 wrote to memory of 3096   2092  13aec7bb96e675489eea547cba93914f.exe   91
    PID 2092 wrote to memory of 3096   2092  13aec7bb96e675489eea547cba93914f.exe   91
    PID 3096 wrote to memory of 4284   3096  13aec7bb96e675489eea547cba93914f.exe   93
    PID 3096 wrote to memory of 4284   3096  13aec7bb96e675489eea547cba93914f.exe   93
    PID 3096 wrote to memory of 4284   3096  13aec7bb96e675489eea547cba93914f.exe   93
Processes
  [1] C:\Users\Admin\AppData\Local\Temp\13aec7bb96e675489eea547cba93914f.exe (PID 2092)
      Command line: "C:\Users\Admin\AppData\Local\Temp\13aec7bb96e675489eea547cba93914f.exe"
      - Suspicious behavior: RenamesItself
      - Suspicious use of UnmapMainImage
      - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\13aec7bb96e675489eea547cba93914f.exe (PID 3096, child of 2092)
        Command line: C:\Users\Admin\AppData\Local\Temp\13aec7bb96e675489eea547cba93914f.exe
        - Deletes itself
        - Executes dropped EXE
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of UnmapMainImage
        - Suspicious use of WriteProcessMemory
      [3] C:\Windows\SysWOW64\schtasks.exe (PID 4284, child of 3096)
          Command line: schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\13aec7bb96e675489eea547cba93914f.exe" /TN Google_Trk_Updater /F
          - Creates scheduled task(s)
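The schtasks.exe invocation above is the persistence mechanism this report flags: a task named Google_Trk_Updater that re-runs the sample from the user's Temp directory at every logon, at the highest run level, force-overwriting any task of the same name. The Python below is an added example, not part of the Triage report or of any tool it references. It parses schtasks /Create command lines into their switches and attaches the persistence indicators a detection engineer would look for. REPORT_CMDLINE is the command line from the process tree; BENIGN_CMDLINE and QUERY_CMDLINE are constructed inputs, and the user-writable directory list, the vendor-lookalike word list and the three-indicator alert threshold are assumptions to tune per environment.

```python
"""Score schtasks.exe command lines for persistence indicators.

Added example, not part of the Triage report. REPORT_CMDLINE is the command
line shown in the report's process tree; the other inputs are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# schtasks switches that consume the next token as their value
# (the /Create switches relevant here, not the full schtasks grammar).
VALUE_SWITCHES = {"tn", "tr", "sc", "rl", "ru", "rp", "st", "sd", "ed", "mo",
                  "d", "m", "i", "du", "et", "xml", "s", "u", "p"}

# Directories an unprivileged user can write to; a task action living in one
# of these is a classic persistence pattern. Assumption: illustrative list.
USER_WRITABLE_DIRS = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
                      "\\users\\public\\", "\\programdata\\")

# Vendor/updater words often borrowed for lookalike task names. Assumption: heuristic.
LOOKALIKE_WORDS = ("google", "microsoft", "adobe", "updater", "update")

# Command line from the report's process tree (PID 4284).
REPORT_CMDLINE = (r'schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON '
                  r'/TR "C:\Users\Admin\AppData\Local\Temp\13aec7bb96e675489eea547cba93914f.exe" '
                  r'/TN Google_Trk_Updater /F')
# Constructed: a plausible administrator-created nightly job.
BENIGN_CMDLINE = (r'schtasks.exe /Create /SC DAILY /ST 03:00 /TN "Backup\Nightly" '
                  r'/TR "C:\Program Files\Backup\backup.exe --full"')
# Constructed: enumeration, not creation.
QUERY_CMDLINE = r'schtasks.exe /Query /TN Google_Trk_Updater'


@dataclass
class TaskCreation:
    task_name: Optional[str]
    action: Optional[str]
    schedule: Optional[str]
    run_level: Optional[str]
    force: bool
    indicators: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Assumption: three or more independent indicators is the alert threshold.
        return len(self.indicators) >= 3


def tokenize(cmdline: str) -> List[str]:
    """Split on whitespace but keep double-quoted arguments as one token."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def parse_switches(tokens: List[str]) -> Dict[str, object]:
    """Map lower-cased switch names to their value, or True for bare switches."""
    opts: Dict[str, object] = {}
    i = 1  # tokens[0] is the image name
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("/"):
            name = tok[1:].lower()
            if name in VALUE_SWITCHES and i + 1 < len(tokens):
                opts[name] = tokens[i + 1]
                i += 2
                continue
            opts[name] = True
        i += 1
    return opts


def _text(opts: Dict[str, object], key: str) -> Optional[str]:
    val = opts.get(key)
    return val if isinstance(val, str) else None


def parse_schtasks_create(cmdline: str) -> Optional[TaskCreation]:
    """Parse a schtasks /Create line and attach persistence indicators.

    Returns None for non-schtasks lines and for /Query, /Delete, /Run, etc.
    """
    tokens = tokenize(cmdline)
    if not tokens or "schtasks" not in tokens[0].lower():
        return None
    opts = parse_switches(tokens)
    if "create" not in opts:
        return None
    sched, level = _text(opts, "sc"), _text(opts, "rl")
    task = TaskCreation(task_name=_text(opts, "tn"), action=_text(opts, "tr"),
                        schedule=sched.upper() if sched else None,
                        run_level=level.upper() if level else None,
                        force="f" in opts)
    action = (task.action or "").lower()
    if any(d in action for d in USER_WRITABLE_DIRS):
        task.indicators.append("action runs from a user-writable directory")
    if task.run_level == "HIGHEST":
        task.indicators.append("/RL HIGHEST requests the elevated run level")
    if task.schedule in ("ONLOGON", "ONSTART"):
        task.indicators.append(f"/SC {task.schedule} re-executes at every logon or boot")
    if task.force:
        task.indicators.append("/F silently replaces an existing task of the same name")
    if task.task_name and any(w in task.task_name.lower() for w in LOOKALIKE_WORDS):
        task.indicators.append("task name imitates a vendor updater")
    return task


if __name__ == "__main__":
    for line in (REPORT_CMDLINE, BENIGN_CMDLINE, QUERY_CMDLINE):
        result = parse_schtasks_create(line)
        verdict = "not a /Create" if result is None else (
            "SUSPICIOUS" if result.suspicious else "benign-looking")
        print(f"{verdict:14} {line}")
        for ind in (result.indicators if result else []):
            print(f"    - {ind}")
```

Run against the report's command line this yields all five indicators; the constructed nightly backup job yields none, and the /Query line is ignored because it creates nothing. Feed it process-creation telemetry (Sysmon Event ID 1 or Windows Security 4688 command lines) where the image is schtasks.exe, and treat the parent process as a second signal: here the parent is itself an executable running from Temp.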
Network
MITRE ATT&CK Enterprise v15
Downloads
  File extracted during analysis (same size as the submitted sample, different hashes)
    Filesize: 1000KB
    MD5: 9acadf2be145d08df709ea41be563490
    SHA1: 67574b542b4798c595bfe309fbbc502af60c9039
    SHA256: 6e5601384b00a43f94c9324583739b8ee9aec9636f5106996c4c40cd601953dc
    SHA512: 62382cde9190b78be4d1b19c503093bb8022d2d859485b5a980ecbbd23b3c659a2b2a1eab3e561740b6656486deff4f25a4cdd27196047bd7d09e03c9fe78cc8