Analysis
Max time kernel: 147s
Max time network: 152s
Platform: windows10-2004_x64
Resource: win10v2004-20231215-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 31/12/2023, 04:08
Static task: static1
Behavioral task: behavioral1
  Sample: 278d479b3f23f0bc0886ef677d77c4ce.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 278d479b3f23f0bc0886ef677d77c4ce.exe
  Resource: win10v2004-20231215-en
General
Target: 278d479b3f23f0bc0886ef677d77c4ce.exe
Size: 1000KB
MD5: 278d479b3f23f0bc0886ef677d77c4ce
SHA1: ffab61b5d81d69000ce3c33846e0623322a92431
SHA256: bf48247527bda63086f064dce65c41807968733c7fd64a119ff2f0ac839e63f1
SHA512: af16a9355d67b74ef1b64ccb30bcbe4b0a28e89e1966de02c890f53e5fd91b66075904f4d7dcb479023a47eb1b248e0bb8e0ecf7d9445d12695e0feaf2c66219
SSDEEP: 24576:L+8/BDn46USkmPwTuS1B+5vMiqt0gj2ed://BD46U3mITu4qOL
Malware Config
Signatures
- Deletes itself (1 IoC)
  PID 2276  278d479b3f23f0bc0886ef677d77c4ce.exe
- Executes dropped EXE (1 IoC)
  PID 2276  278d479b3f23f0bc0886ef677d77c4ce.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTP)
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  PID 2276  278d479b3f23f0bc0886ef677d77c4ce.exe
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID 2028  schtasks.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 2276  278d479b3f23f0bc0886ef677d77c4ce.exe
  PID 2276  278d479b3f23f0bc0886ef677d77c4ce.exe
- Suspicious behavior: RenamesItself (1 IoC)
  PID 5008  278d479b3f23f0bc0886ef677d77c4ce.exe
- Suspicious use of UnmapMainImage (2 IoCs)
  PID 5008  278d479b3f23f0bc0886ef677d77c4ce.exe
  PID 2276  278d479b3f23f0bc0886ef677d77c4ce.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Description                         PID   Process                               procid_target
  PID 5008 wrote to memory of 2276    5008  278d479b3f23f0bc0886ef677d77c4ce.exe  94
  PID 5008 wrote to memory of 2276    5008  278d479b3f23f0bc0886ef677d77c4ce.exe  94
  PID 5008 wrote to memory of 2276    5008  278d479b3f23f0bc0886ef677d77c4ce.exe  94
  PID 2276 wrote to memory of 2028    2276  278d479b3f23f0bc0886ef677d77c4ce.exe  93
  PID 2276 wrote to memory of 2028    2276  278d479b3f23f0bc0886ef677d77c4ce.exe  93
  PID 2276 wrote to memory of 2028    2276  278d479b3f23f0bc0886ef677d77c4ce.exe  93
Processes
- C:\Users\Admin\AppData\Local\Temp\278d479b3f23f0bc0886ef677d77c4ce.exe (PID 5008, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\278d479b3f23f0bc0886ef677d77c4ce.exe"
  - Suspicious behavior: RenamesItself
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\278d479b3f23f0bc0886ef677d77c4ce.exe (PID 2276, depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\278d479b3f23f0bc0886ef677d77c4ce.exe
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\schtasks.exe (PID 2028, depth 1)
  Command line: schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\278d479b3f23f0bc0886ef677d77c4ce.exe" /TN Google_Trk_Updater /F
  - Creates scheduled task(s)
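The process tree above shows two behaviours worth turning into detection logic: the sample re-launches its own image from %TEMP% and writes into the child (5008 -> 2276, together with UnmapMainImage, the pattern commonly seen in process hollowing), and the child registers a logon task with the highest run level pointing back at the %TEMP% copy under a vendor-sounding name. The following is an added example written for this page, not code from Triage or from the sample; it runs over constructed process-creation records modelled on Sysmon Event ID 1 fields. The PIDs, images and command lines come from the tree above; the explorer.exe parent of 5008 and the 2276 -> 2028 parentage (inferred from the WriteProcessMemory IoCs) are assumptions, as are the user-writable-directory and lure-name lists.

```python
import re
import shlex
from dataclasses import dataclass

# Locations an unprivileged user can write to. A task action or a re-executed
# image under one of these is a persistence/evasion red flag.
# (Constructed list; extend it for your environment.)
USER_WRITABLE = re.compile(
    r"\\(AppData\\Local\\Temp|AppData\\Roaming|ProgramData|Users\\Public)\\", re.I
)
# Task names that borrow vendor "updater" branding, like Google_Trk_Updater
# in the report (heuristic, constructed).
LURE_NAMES = re.compile(r"google|adobe|microsoft|chrome|updat", re.I)


@dataclass
class ProcEvent:
    """Minimal process-creation record (Sysmon EID 1 / Security 4688 fields)."""
    pid: int
    ppid: int
    image: str
    parent_image: str
    cmdline: str


def parse_schtasks(cmdline: str) -> dict:
    """Map schtasks switches to values; bare switches such as /CREATE or /F map to True."""
    tokens = shlex.split(cmdline, posix=False)  # non-POSIX: backslashes are not escapes
    args, i = {}, 1                              # tokens[0] is the executable
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("/"):
            key = tok.upper()
            nxt = tokens[i + 1] if i + 1 < len(tokens) else None
            if nxt is not None and not nxt.startswith("/"):
                args[key] = nxt.strip('"')       # shlex keeps the quotes; drop them
                i += 2
                continue
            args[key] = True
        i += 1
    return args


def schtasks_indicators(ev: ProcEvent) -> list:
    """Indicators in a schtasks.exe command line, modelled on the report's task."""
    if not ev.image.lower().endswith("\\schtasks.exe"):
        return []
    a = parse_schtasks(ev.cmdline)
    if "/CREATE" not in a:
        return []
    hits = []
    if str(a.get("/SC", "")).upper() == "ONLOGON":
        hits.append("runs at every logon")
    if str(a.get("/RL", "")).upper() == "HIGHEST":
        hits.append("requests the highest run level")
    if isinstance(a.get("/TR"), str) and USER_WRITABLE.search(a["/TR"]):
        hits.append("task action lives in a user-writable directory")
    if "/F" in a:
        hits.append("silently overwrites any existing task of that name")
    if isinstance(a.get("/TN"), str) and LURE_NAMES.search(a["/TN"]):
        hits.append("task name imitates a vendor updater")
    return hits


def self_reexecution(ev: ProcEvent) -> list:
    """Parent spawning a second copy of its own image (the 5008 -> 2276 step above)."""
    if ev.image.lower() == ev.parent_image.lower() and USER_WRITABLE.search(ev.image):
        return ["re-executes its own image from a user-writable path"]
    return []


def analyse(events) -> dict:
    """Return {pid: [indicators]} for every event that trips at least one check."""
    findings = {}
    for ev in events:
        hits = schtasks_indicators(ev) + self_reexecution(ev)
        if hits:
            findings[ev.pid] = hits
    return findings


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\278d479b3f23f0bc0886ef677d77c4ce.exe"

# Constructed events. PIDs, images and command lines come from the process tree
# above; the explorer.exe parent of 5008 and the 2276 -> 2028 parentage are
# assumptions (the latter inferred from the WriteProcessMemory IoCs).
EVENTS = [
    ProcEvent(5008, 1234, SAMPLE, r"C:\Windows\explorer.exe", f'"{SAMPLE}"'),
    ProcEvent(2276, 5008, SAMPLE, SAMPLE, SAMPLE),
    ProcEvent(2028, 2276, r"C:\Windows\SysWOW64\schtasks.exe", SAMPLE,
              f'schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "{SAMPLE}" '
              "/TN Google_Trk_Updater /F"),
    # Benign control: an installer registering a nightly task under Program Files.
    ProcEvent(3100, 900, r"C:\Windows\System32\schtasks.exe",
              r"C:\Program Files\Acme\setup.exe",
              r'schtasks.exe /Create /SC DAILY /ST 02:00 /TN AcmeBackup '
              r'/TR "C:\Program Files\Acme\backup.exe"'),
]

if __name__ == "__main__":
    for pid, hits in analyse(EVENTS).items():
        print(f"PID {pid}: " + "; ".join(hits))
```

Each indicator is weak on its own (plenty of legitimate installers use /F or /RL HIGHEST); the point of scoring them together is that the report's task trips all five while the benign control trips none. The self-re-execution check only fires when the image sits in a user-writable path, which keeps service wrappers under Program Files out of the results.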
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1000KB
  MD5: 4c9fae746cede8334dcc0cbfa5ca1b6a
  SHA1: 3838b9c43455c713f9a429d8ad19eee239726fea
  SHA256: 69a3d9144d56e015553b40079606180edbba5f4895991d639e55276d9fe53ff5
  SHA512: db888d57351547a703b9f9d6b5e30267e19304aedb077ce194a3be7c980020c83a9222627930cf29a794411fd7e2a1837859f0c7acea0c033d0eca6dfa91d4c7
  Note: same size as the submitted sample but different hashes, so this is a distinct file rather than a copy of the original.