Analysis

max time kernel: 169s
max time network: 177s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31/12/2023, 04:29
Behavioral task: behavioral1
Sample: 283019e3b6a05e02374d815d85e39a08.exe
Resource: win7-20231215-en
General

Target: 283019e3b6a05e02374d815d85e39a08.exe
Size: 784KB
MD5: 283019e3b6a05e02374d815d85e39a08
SHA1: 79fa3abf7713e7559a687a54dda3498d565ed77d
SHA256: 5965844b40f536a7ef45f0d22399f362e56efb58ce6fdc3e913511475f46a955
SHA512: 472edc8f642fd25e10246e014b420ba6f66049f54ed37be4e8459cc7ba8c58a4bcb7c1927013ac1a5612c694b2c5737d1108c5b8b4c7992b1f5073b82644c1ad
SSDEEP: 24576:MCXzdrmJqtF2p1x/B8kX9pGRr3UHVFxZ:M8tmK2p1YEp4kHXxZ
Malware Config
Signatures

XMRig Miner payload (7 IoCs)
resource                                                                      yara_rule
behavioral2/memory/1504-2-0x0000000000400000-0x0000000000593000-memory.dmp    xmrig
behavioral2/memory/1504-13-0x0000000000400000-0x0000000000593000-memory.dmp   xmrig
behavioral2/memory/4196-15-0x0000000000400000-0x0000000000593000-memory.dmp   xmrig
behavioral2/memory/4196-21-0x00000000053A0000-0x0000000005533000-memory.dmp   xmrig
behavioral2/memory/4196-22-0x0000000000400000-0x0000000000587000-memory.dmp   xmrig
behavioral2/memory/4196-32-0x0000000000400000-0x0000000000587000-memory.dmp   xmrig
behavioral2/memory/4196-31-0x00000000005A0000-0x000000000071F000-memory.dmp   xmrig

Deletes itself (1 IoC)
pid    Process
4196   283019e3b6a05e02374d815d85e39a08.exe

Executes dropped EXE (1 IoC)
pid    Process
4196   283019e3b6a05e02374d815d85e39a08.exe

resource                                                                      yara_rule
behavioral2/memory/1504-0-0x0000000000400000-0x0000000000712000-memory.dmp    upx
behavioral2/files/0x000800000002315a-12.dat                                   upx
behavioral2/memory/4196-14-0x0000000000400000-0x0000000000712000-memory.dmp   upx

Suspicious behavior: RenamesItself (1 IoC)
pid    Process
1504   283019e3b6a05e02374d815d85e39a08.exe

Suspicious use of UnmapMainImage (2 IoCs)
pid    Process
1504   283019e3b6a05e02374d815d85e39a08.exe
4196   283019e3b6a05e02374d815d85e39a08.exe

Suspicious use of WriteProcessMemory (3 IoCs)
description                         pid    Process                                procid_target
PID 1504 wrote to memory of 4196    1504   283019e3b6a05e02374d815d85e39a08.exe   94
PID 1504 wrote to memory of 4196    1504   283019e3b6a05e02374d815d85e39a08.exe   94
PID 1504 wrote to memory of 4196    1504   283019e3b6a05e02374d815d85e39a08.exe   94
Processes

1. C:\Users\Admin\AppData\Local\Temp\283019e3b6a05e02374d815d85e39a08.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\283019e3b6a05e02374d815d85e39a08.exe"
   PID: 1504
   - Suspicious behavior: RenamesItself
   - Suspicious use of UnmapMainImage
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\283019e3b6a05e02374d815d85e39a08.exe (child of PID 1504)
      Command line: C:\Users\Admin\AppData\Local\Temp\283019e3b6a05e02374d815d85e39a08.exe
      PID: 4196
      - Deletes itself
      - Executes dropped EXE
      - Suspicious use of UnmapMainImage
Network
MITRE ATT&CK Matrix
Downloads

Filesize: 119KB
MD5: f283979e5faef69d46db8003a6d4c0a8
SHA1: aba36e892957f45929904e63cffa8d58758582f5
SHA256: b5cbb7c387e39f5e3ac9db2a5dfcd63d8e7ca6fb3801b643689d3ae1a48dbcb1
SHA512: 0e5b0d9dd397bdaa28b24696f346149363cc3687e9c095f0f9ea2bd14cb9dd569738422e15878b639fd6c1b3f0b6bb68ef1b75396dec4f1b0feced18597ba271