Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
122s -
platform
windows10-2004_x64 -
resource
win10v2004-20231222-en -
resource tags
arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system -
submitted
31/12/2023, 14:33
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
39f647b46b0a6e4f91efb19f122fb985.exe
Resource
win7-20231215-en
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
39f647b46b0a6e4f91efb19f122fb985.exe
Resource
win10v2004-20231222-en
6 signatures
150 seconds
General
-
Target
39f647b46b0a6e4f91efb19f122fb985.exe
-
Size
385KB
-
MD5
39f647b46b0a6e4f91efb19f122fb985
-
SHA1
82bb30ce1ae0c04c17c421bda870c0971d532e39
-
SHA256
bcf2f30e62c5144aa402b0b662caf61777c37fc0bbe458517fdc775706b37041
-
SHA512
b5345d8c2e5ba83a30c3e6d22d268e6994bdcfc6e54d5e0571e187d878c6378394022fadb40e88292b0a092ca8778afad1d41e7f0d90c6d3ce1fed60107be6e7
-
SSDEEP
12288:ZWRbjyKQ9ll+lOGGLtjfs8ZIG8bS4SlzyTgB:ZWRbUll7GoxfnZUslSgB
Score
7/10
Malware Config
Signatures
-
Deletes itself 1 IoCs
pid Process 1200 39f647b46b0a6e4f91efb19f122fb985.exe -
Executes dropped EXE 1 IoCs
pid Process 1200 39f647b46b0a6e4f91efb19f122fb985.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Suspicious behavior: RenamesItself 1 IoCs
pid Process 3656 39f647b46b0a6e4f91efb19f122fb985.exe -
Suspicious use of UnmapMainImage 2 IoCs
pid Process 3656 39f647b46b0a6e4f91efb19f122fb985.exe 1200 39f647b46b0a6e4f91efb19f122fb985.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 3656 wrote to memory of 1200 3656 39f647b46b0a6e4f91efb19f122fb985.exe 18 PID 3656 wrote to memory of 1200 3656 39f647b46b0a6e4f91efb19f122fb985.exe 18 PID 3656 wrote to memory of 1200 3656 39f647b46b0a6e4f91efb19f122fb985.exe 18
Processes
-
C:\Users\Admin\AppData\Local\Temp\39f647b46b0a6e4f91efb19f122fb985.exe"C:\Users\Admin\AppData\Local\Temp\39f647b46b0a6e4f91efb19f122fb985.exe"1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3656 -
C:\Users\Admin\AppData\Local\Temp\39f647b46b0a6e4f91efb19f122fb985.exeC:\Users\Admin\AppData\Local\Temp\39f647b46b0a6e4f91efb19f122fb985.exe2⤵
- Deletes itself
- Executes dropped EXE
- Suspicious use of UnmapMainImage
PID:1200
-