Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 194s
max time network: 214s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31/12/2023, 07:18
Static task: static1
Behavioral task: behavioral1
  Sample: 2d17cc03b9decd284455c899013340b2.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 2d17cc03b9decd284455c899013340b2.exe
  Resource: win10v2004-20231215-en
General
Target: 2d17cc03b9decd284455c899013340b2.exe
Size: 385KB
MD5: 2d17cc03b9decd284455c899013340b2
SHA1: 929ebd22249f497e93c259d21b6716155f5b302b
SHA256: d4ddf8a7e44b6d8354ef049f8b6382efe56b3d1cfa1ecb3be4b6e1cc7674f276
SHA512: af7826855fe803e64a0c001f893619ce54a3903e97b7b530a51f91e91bae93a8424db31f90dad56701f783cb0861011e9b032ce2329c97eef1009710caa83528
SSDEEP: 12288:mhXSlx9lwrK9eAuqmHC7IwVe/LfmJwaiHnI8QrWyudiB:mhXk919eAuqmHCMakfmEHI8QrWNiB
Malware Config
Signatures
Deletes itself (1 IoCs)
  pid   Process
  4964  2d17cc03b9decd284455c899013340b2.exe
Executes dropped EXE (1 IoCs)
  pid   Process
  4964  2d17cc03b9decd284455c899013340b2.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
Suspicious behavior: RenamesItself (1 IoCs)
  pid   Process
  2084  2d17cc03b9decd284455c899013340b2.exe
Suspicious use of UnmapMainImage (2 IoCs)
  pid   Process
  2084  2d17cc03b9decd284455c899013340b2.exe
  4964  2d17cc03b9decd284455c899013340b2.exe
Suspicious use of WriteProcessMemory (3 IoCs)
  description                        pid   Process                               procid_target
  PID 2084 wrote to memory of 4964   2084  2d17cc03b9decd284455c899013340b2.exe  91
  PID 2084 wrote to memory of 4964   2084  2d17cc03b9decd284455c899013340b2.exe  91
  PID 2084 wrote to memory of 4964   2084  2d17cc03b9decd284455c899013340b2.exe  91
Processes
1. C:\Users\Admin\AppData\Local\Temp\2d17cc03b9decd284455c899013340b2.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\2d17cc03b9decd284455c899013340b2.exe"
   - Suspicious behavior: RenamesItself
   - Suspicious use of UnmapMainImage
   - Suspicious use of WriteProcessMemory
   PID: 2084
   2. C:\Users\Admin\AppData\Local\Temp\2d17cc03b9decd284455c899013340b2.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\2d17cc03b9decd284455c899013340b2.exe
      - Deletes itself
      - Executes dropped EXE
      - Suspicious use of UnmapMainImage
      PID: 4964
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 385KB
MD5: 9ee9598cab44810e43bafe7c19ee5bf0
SHA1: 8be6632602308cd6b7301e3a6ecda2d82c45e54a
SHA256: 453be6ac2a11bbf6bd2e311af9f45d532ae5d55716a626851630cfe2da86e6b4
SHA512: 9ffc8f9b413951493556c3ec50e4129b8b32372505edd2fad7ae8fde75c6cef99dd7c68604441ccc579999157d5d75ea474d357a53a5bcdeec72dce0af4fdb77