Analysis
- max time kernel: 154s
- max time network: 175s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30/12/2023, 20:25
Static task: static1
Behavioral task: behavioral1
  Sample: 1bd0536bbb58125a5006c1e597e7235f.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 1bd0536bbb58125a5006c1e597e7235f.exe
  Resource: win10v2004-20231215-en
General
- Target: 1bd0536bbb58125a5006c1e597e7235f.exe
- Size: 385KB
- MD5: 1bd0536bbb58125a5006c1e597e7235f
- SHA1: 04bc46012d2bb992a812f493a1b33887fccd2ada
- SHA256: 6e0ae996a81e1859fe2a039edffa1bddd0194a15078eb1056314b57d99335167
- SHA512: d37c18a8a35d9009ce073e6e060b0f333f2faa6da17e49f82803722d4d4e8b452842a37c9d098441115a2c42aa872a315dde08cef739927a7023a1753e00cbb4
- SSDEEP: 6144:stB5xZ694yiFHM5SnwozuW7YsIpsRP0cqU8NaNZomeLBXx/V5rP7PB:YBPZPyiC52qW7wpsJuUEwameLBZLB
Malware Config
Signatures
- Deletes itself (1 IoCs)
  pid   Process
  5024  1bd0536bbb58125a5006c1e597e7235f.exe
- Executes dropped EXE (1 IoCs)
  pid   Process
  5024  1bd0536bbb58125a5006c1e597e7235f.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
- Suspicious behavior: RenamesItself (1 IoCs)
  pid   Process
  1996  1bd0536bbb58125a5006c1e597e7235f.exe
- Suspicious use of UnmapMainImage (2 IoCs)
  pid   Process
  1996  1bd0536bbb58125a5006c1e597e7235f.exe
  5024  1bd0536bbb58125a5006c1e597e7235f.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description                        pid   Process                                procid_target
  PID 1996 wrote to memory of 5024   1996  1bd0536bbb58125a5006c1e597e7235f.exe  90
  PID 1996 wrote to memory of 5024   1996  1bd0536bbb58125a5006c1e597e7235f.exe  90
  PID 1996 wrote to memory of 5024   1996  1bd0536bbb58125a5006c1e597e7235f.exe  90
Processes
- C:\Users\Admin\AppData\Local\Temp\1bd0536bbb58125a5006c1e597e7235f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1bd0536bbb58125a5006c1e597e7235f.exe"
  Depth: 1
  PID: 1996
  - Suspicious behavior: RenamesItself
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\1bd0536bbb58125a5006c1e597e7235f.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\1bd0536bbb58125a5006c1e597e7235f.exe
    Depth: 2
    PID: 5024
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of UnmapMainImage
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 385KB
  MD5: 107bf350590d7dbd1ea5817e34b617ce
  SHA1: 1e085b239c4897e780c63a4e7a9533dc89be96da
  SHA256: 1d532c6d64d23c3586e0276ecf0d5659963c8de8788ace565bd68b6f14e0add5
  SHA512: 94611ae5e5865564d4a59e8b16d298b396b14dc271ae5188efda360bb2e2c89aeaed80d69780f91c5ba51f0b407db91d96d4dce6fc84175ac951074b1eea7cec