Analysis
- max time kernel: 146s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 31/12/2023, 07:01
Static task: static1
Behavioral task: behavioral1
- Sample: 2c8da42fc892a474a10a624134018377.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 2c8da42fc892a474a10a624134018377.exe
- Resource: win10v2004-20231215-en
General
- Target: 2c8da42fc892a474a10a624134018377.exe
- Size: 385KB
- MD5: 2c8da42fc892a474a10a624134018377
- SHA1: cd534173d827bdc7cc47bc2fd5c589a520b0ba0f
- SHA256: 284c86db1dad8ab3bab5a18e36b63b7228dcc6fff6829387e54de181938af597
- SHA512: ef33b9118ff0abc7f201c2b4ed235833885e97172c47a34350db398399f49246906bec5e1dc7c244abff17520dfad6377ffb0e6e681c77ab801451ab22f854a5
- SSDEEP: 12288:omXaBXl4BtlLz3CCe1tx/HRPT3gCXifGB:LLFb41jR73rfB
Malware Config
Signatures
- Deletes itself (1 IoCs)
  pid: 1372, Process: 2c8da42fc892a474a10a624134018377.exe
- Executes dropped EXE (1 IoCs)
  pid: 1372, Process: 2c8da42fc892a474a10a624134018377.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
- Modifies system certificate store
  Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = [blob value omitted], Process: 2c8da42fc892a474a10a624134018377.exe
  Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474, Process: 2c8da42fc892a474a10a624134018377.exe
- Suspicious behavior: RenamesItself (1 IoCs)
  pid: 3768, Process: 2c8da42fc892a474a10a624134018377.exe
- Suspicious use of UnmapMainImage (2 IoCs)
  pid: 3768, Process: 2c8da42fc892a474a10a624134018377.exe
  pid: 1372, Process: 2c8da42fc892a474a10a624134018377.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  PID 3768 wrote to memory of 1372, Process: 2c8da42fc892a474a10a624134018377.exe, procid_target: 91 (three identical entries reported)
Processes
- Path: C:\Users\Admin\AppData\Local\Temp\2c8da42fc892a474a10a624134018377.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2c8da42fc892a474a10a624134018377.exe"
  PID: 3768
  - Suspicious behavior: RenamesItself
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  - Child process:
    Path: C:\Users\Admin\AppData\Local\Temp\2c8da42fc892a474a10a624134018377.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\2c8da42fc892a474a10a624134018377.exe
    PID: 1372
    - Deletes itself
    - Executes dropped EXE
    - Modifies system certificate store
    - Suspicious use of UnmapMainImage
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 92KB
  MD5: 646f4a9765c2a83791797ef931b457b6
  SHA1: 7d3166f4efe92fafb73147361c3f9aa432e8cc83
  SHA256: e746d73ee3511463ccd5cbf14acda339ed7f9b6e5b2d86147b506195635fb43c
  SHA512: 665b80051c661d8cf76f0e076fb1c272569cf34f241ecd89b6a7251bdf1e490aaf114fe46331f392b492d0242ae3862e2f326f5daffc5a18a422712824b235f0