Analysis
max time kernel: 168s
max time network: 178s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31/12/2023, 02:49
Static task: static1
Behavioral task: behavioral1
  Sample: 2525b0f3a69a183eb2d609bb7aeb5b6e.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 2525b0f3a69a183eb2d609bb7aeb5b6e.exe
  Resource: win10v2004-20231215-en
General
Target: 2525b0f3a69a183eb2d609bb7aeb5b6e.exe
Size: 1000KB
MD5: 2525b0f3a69a183eb2d609bb7aeb5b6e
SHA1: 5334ff947ddf8a36c9fbf0d9c5a2bf97ecc34fbb
SHA256: 5848719114199ccfb664315ffba0d8c8715a0761646ed6daf2108b5f3028bfe3
SHA512: 07932cc496473e009b1d80280ca88c06431a92fc35d87a298432decf9e97396f1674d42a4ed4fc22eb570eb5d4f08e0bcd72adbac81af977177448a56b2f3f60
SSDEEP: 12288:nOY+AA+FcNigV9JAJ+QsYoAKQUehhtTCWc0QEF8avECaBwQ2tb5JLrnylUPqt0gD:nRLAvDCJ+YlHT7c0y1B+5vMiqt0gj2ed
Malware Config
Signatures
Deletes itself (1 IoCs)
  pid 2436  Process 2525b0f3a69a183eb2d609bb7aeb5b6e.exe
Executes dropped EXE (1 IoCs)
  pid 2436  Process 2525b0f3a69a183eb2d609bb7aeb5b6e.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)
  pid 2436  Process 2525b0f3a69a183eb2d609bb7aeb5b6e.exe
Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid 4952  Process schtasks.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid 2436  Process 2525b0f3a69a183eb2d609bb7aeb5b6e.exe
  pid 2436  Process 2525b0f3a69a183eb2d609bb7aeb5b6e.exe
Suspicious behavior: RenamesItself (1 IoCs)
  pid 5112  Process 2525b0f3a69a183eb2d609bb7aeb5b6e.exe
Suspicious use of UnmapMainImage (2 IoCs)
  pid 5112  Process 2525b0f3a69a183eb2d609bb7aeb5b6e.exe
  pid 2436  Process 2525b0f3a69a183eb2d609bb7aeb5b6e.exe
Suspicious use of WriteProcessMemory (6 IoCs)
  description                        pid   Process                               procid_target
  PID 5112 wrote to memory of 2436   5112  2525b0f3a69a183eb2d609bb7aeb5b6e.exe  91
  PID 5112 wrote to memory of 2436   5112  2525b0f3a69a183eb2d609bb7aeb5b6e.exe  91
  PID 5112 wrote to memory of 2436   5112  2525b0f3a69a183eb2d609bb7aeb5b6e.exe  91
  PID 2436 wrote to memory of 4952   2436  2525b0f3a69a183eb2d609bb7aeb5b6e.exe  93
  PID 2436 wrote to memory of 4952   2436  2525b0f3a69a183eb2d609bb7aeb5b6e.exe  93
  PID 2436 wrote to memory of 4952   2436  2525b0f3a69a183eb2d609bb7aeb5b6e.exe  93
Processes
C:\Users\Admin\AppData\Local\Temp\2525b0f3a69a183eb2d609bb7aeb5b6e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2525b0f3a69a183eb2d609bb7aeb5b6e.exe"
  PID: 5112
  - Suspicious behavior: RenamesItself
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\2525b0f3a69a183eb2d609bb7aeb5b6e.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\2525b0f3a69a183eb2d609bb7aeb5b6e.exe
    PID: 2436
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\2525b0f3a69a183eb2d609bb7aeb5b6e.exe" /TN Google_Trk_Updater /F
      PID: 4952
      - Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1000KB
MD5: 62aafddc66cb84d8577e10ffab7ddc2c
SHA1: 515fe6fc3ce4d7cee55c1e4a8a821977028083da
SHA256: de317eb0c54b5e8b56f6c2dbb0aec48144207217ef3067f8cba82f782cb543d2
SHA512: 728bd4f015193f8e89048a05dad5c6883110cf411a69720e7099d30004f7219ba8732b7e0a39f9b7df95cb7db81482bd4d957e4a2e1448fec455f42e3a3777cf