Analysis
- max time kernel: 206s
- max time network: 220s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 31/12/2023, 04:46
Static task: static1
Behavioral task: behavioral1
- Sample: 28c0a9b257bfade703487e1b3263bf1c.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 28c0a9b257bfade703487e1b3263bf1c.exe
- Resource: win10v2004-20231215-en
General
- Target: 28c0a9b257bfade703487e1b3263bf1c.exe
- Size: 163KB
- MD5: 28c0a9b257bfade703487e1b3263bf1c
- SHA1: 1044052eebeac81434c730f8743df92a9ae04474
- SHA256: f852706d8e5a460a798a26ad4f2113fdf2ff54812916f8adfe1e6bc83328bd03
- SHA512: 47ed2745700aa25eb9c12eddfb81cb3a1fa5884a71db5d8f2f45a6da7a49ab5528ec587958a3708883276759e7da6e15e31297d1243aa1ece5f2bbeefef7f739
- SSDEEP: 3072:/cT9g8immW6Pozkk2eKs/CSr2nQ/E2S5ny+bF2u1I+ddDK7Hlq/e8U:o68i3odBiTl2+TCU/e
Malware Config
Signatures
- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft I Service = "C:\\Windows\\winhash_up.exe /REGstart" | 28c0a9b257bfade703487e1b3263bf1c.exe
- Drops file in Windows directory (12 IoCs)
  description | ioc | process
  File created | C:\Windows\SHARE_TEMP\Icon2.ico | 28c0a9b257bfade703487e1b3263bf1c.exe
  File created | C:\Windows\SHARE_TEMP\Icon3.ico | 28c0a9b257bfade703487e1b3263bf1c.exe
  File created | C:\Windows\SHARE_TEMP\Icon5.ico | 28c0a9b257bfade703487e1b3263bf1c.exe
  File created | C:\Windows\SHARE_TEMP\Icon14.ico | 28c0a9b257bfade703487e1b3263bf1c.exe
  File created | C:\Windows\winhash_up.exez | 28c0a9b257bfade703487e1b3263bf1c.exe
  File opened for modification | C:\Windows\winhash_up.exez | 28c0a9b257bfade703487e1b3263bf1c.exe
  File created | C:\Windows\winhash_up.exe | 28c0a9b257bfade703487e1b3263bf1c.exe
  File created | C:\Windows\SHARE_TEMP\Icon6.ico | 28c0a9b257bfade703487e1b3263bf1c.exe
  File created | C:\Windows\SHARE_TEMP\Icon7.ico | 28c0a9b257bfade703487e1b3263bf1c.exe
  File created | C:\Windows\SHARE_TEMP\Icon10.ico | 28c0a9b257bfade703487e1b3263bf1c.exe
  File created | C:\Windows\SHARE_TEMP\Icon12.ico | 28c0a9b257bfade703487e1b3263bf1c.exe
  File created | C:\Windows\bugMAKER.bat | 28c0a9b257bfade703487e1b3263bf1c.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | process | procid_target
  PID 4672 wrote to memory of 3440 | 4672 | 28c0a9b257bfade703487e1b3263bf1c.exe | 91
  PID 4672 wrote to memory of 3440 | 4672 | 28c0a9b257bfade703487e1b3263bf1c.exe | 91
  PID 4672 wrote to memory of 3440 | 4672 | 28c0a9b257bfade703487e1b3263bf1c.exe | 91
Processes
1. C:\Users\Admin\AppData\Local\Temp\28c0a9b257bfade703487e1b3263bf1c.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\28c0a9b257bfade703487e1b3263bf1c.exe"
   PID: 4672
   - Adds Run key to start application
   - Drops file in Windows directory
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe (child of PID 4672)
      Command line: C:\Windows\system32\cmd.exe /c C:\Windows\bugMAKER.bat
      PID: 3440
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 76B
- MD5: feb562a95dbd5fa37b8db2294f10e95a
- SHA1: 47f7dab58f4862d5187ba2f11a6a8e497cb6d5de
- SHA256: 6c387661d4ada2711fa090402de670cf0852e7e7d99610e8fd4e70c4ce09bf06
- SHA512: ce44ae6173cff084defcdfa1ad46702307581010724926404abd45f694bb25a087d3946a48b104ace10310eac484b5d45fb09abe42115bf083d5e426ba151d01