Analysis
- max time kernel: 139s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20231222-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 31/12/2023, 00:34
Behavioral task: behavioral1
- Sample: 21df7b89e709cb3f8d3dec426de9db49.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 21df7b89e709cb3f8d3dec426de9db49.exe
- Resource: win10v2004-20231222-en
General
- Target: 21df7b89e709cb3f8d3dec426de9db49.exe
- Size: 1.3MB
- MD5: 21df7b89e709cb3f8d3dec426de9db49
- SHA1: 646cf7f0366f2dbc7c49594420772f9bd7f7ea05
- SHA256: 02236c199aef0eb74f2131038a2e22d17d46be9fb57c0f3733b2571d44fffd39
- SHA512: a217184c9a94a7dffa9f02e64f6ca537c9f6324a6bdca982a5c38531b1a36c6047c9c5ef47069bd3c556d903eebab23325b64b9cae05825fefee2afddeb82ad6
- SSDEEP: 24576:vQJ45dmKJXUkQMaaNZxU2D8JWkjJMZ2nCSXuZ7XXoV5diuRucdkgWc:UodLBEa7C22zJMZwvuZEBiuRuwvp
Malware Config
Signatures
Deletes itself (1 IoCs)
  pid   Process
  1664  21df7b89e709cb3f8d3dec426de9db49.exe
Executes dropped EXE (1 IoCs)
  pid   Process
  1664  21df7b89e709cb3f8d3dec426de9db49.exe
  resource                                                                      yara_rule
  behavioral2/memory/1508-0-0x0000000000400000-0x00000000008EF000-memory.dmp    upx
  behavioral2/memory/1664-13-0x0000000000400000-0x00000000008EF000-memory.dmp   upx
  behavioral2/files/0x000600000001e5df-11.dat                                   upx
Suspicious behavior: RenamesItself (1 IoCs)
  pid   Process
  1508  21df7b89e709cb3f8d3dec426de9db49.exe
Suspicious use of UnmapMainImage (2 IoCs)
  pid   Process
  1508  21df7b89e709cb3f8d3dec426de9db49.exe
  1664  21df7b89e709cb3f8d3dec426de9db49.exe
Suspicious use of WriteProcessMemory (3 IoCs)
  description                        pid   Process                               procid_target
  PID 1508 wrote to memory of 1664   1508  21df7b89e709cb3f8d3dec426de9db49.exe  91
  PID 1508 wrote to memory of 1664   1508  21df7b89e709cb3f8d3dec426de9db49.exe  91
  PID 1508 wrote to memory of 1664   1508  21df7b89e709cb3f8d3dec426de9db49.exe  91
Processes
- C:\Users\Admin\AppData\Local\Temp\21df7b89e709cb3f8d3dec426de9db49.exe (PID 1508, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\21df7b89e709cb3f8d3dec426de9db49.exe"
  - Suspicious behavior: RenamesItself
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\21df7b89e709cb3f8d3dec426de9db49.exe (PID 1664, depth 2, child of PID 1508)
    Command line: C:\Users\Admin\AppData\Local\Temp\21df7b89e709cb3f8d3dec426de9db49.exe
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of UnmapMainImage
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 377KB
  MD5: 6f0a61328c53a0a73bf2c6a0da182ad8
  SHA1: 2dc384f318df05546ca1ef6df0f36f9b37b8d664
  SHA256: 4819d1ec6824fad24cd66306899efd6d818dbebfda575b708c5781e9d65cace6
  SHA512: b4a696bfcd909eb534072d91f3966611f4ab5a999cc6b1530237f9899cade2017a9b7c7d67598a5eefa86a93e581a84fef9ca3f952ebe28d6eb2445575b22d34