Analysis
max time kernel: 1s
max time network: 129s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31/12/2023, 15:55
Static task: static1
Behavioral task: behavioral1
  Sample: 3a888b6f553a234b701c21546fa0b541.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 3a888b6f553a234b701c21546fa0b541.exe
  Resource: win10v2004-20231215-en
General
Target: 3a888b6f553a234b701c21546fa0b541.exe
Size: 208KB
MD5: 3a888b6f553a234b701c21546fa0b541
SHA1: 0fd1bbca094ddec1d662b83340a4aba8b87bf1d0
SHA256: aa0e6657837f655c76d0d28ca748b1c8a917337459bc2c7deeb1688dc628ec4e
SHA512: dc0664bb8dca7a71959d0deec9c92e608fcc31c7a56a5f785bafd10d45c15565e624b1846548003d04a47b3d6260a4c492851cd3c21ecb93c53b2ed43ce0e683
SSDEEP: 3072:Ql2/rrWprOG4IjPexw7mB5LAYJxe+vbW7JVPFfraspRCEZLvBjwiUDGJ8Mub:Ql2/rr+hjQUMkgE+vahrTC+BjwiUCJI
Malware Config
Signatures
Executes dropped EXE (2 IoCs)
  pid   Process
  3664  u.dll
  3908  mpress.exe
Suspicious use of WriteProcessMemory (12 IoCs)
  description                       pid   Process                               procid_target
  PID 3176 wrote to memory of 848   3176  3a888b6f553a234b701c21546fa0b541.exe  17
  PID 3176 wrote to memory of 848   3176  3a888b6f553a234b701c21546fa0b541.exe  17
  PID 3176 wrote to memory of 848   3176  3a888b6f553a234b701c21546fa0b541.exe  17
  PID 848 wrote to memory of 3664   848   cmd.exe                               26
  PID 848 wrote to memory of 3664   848   cmd.exe                               26
  PID 848 wrote to memory of 3664   848   cmd.exe                               26
  PID 3664 wrote to memory of 3908  3664  u.dll                                 21
  PID 3664 wrote to memory of 3908  3664  u.dll                                 21
  PID 3664 wrote to memory of 3908  3664  u.dll                                 21
  PID 848 wrote to memory of 3604   848   cmd.exe                               20
  PID 848 wrote to memory of 3604   848   cmd.exe                               20
  PID 848 wrote to memory of 3604   848   cmd.exe                               20
Processes
C:\Users\Admin\AppData\Local\Temp\3a888b6f553a234b701c21546fa0b541.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3a888b6f553a234b701c21546fa0b541.exe"
  PID: 3176
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4BCE.tmp\vir.bat""
    PID: 848
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\calc.exe
      Command line: CALC.EXE
      PID: 3604
    C:\Windows\SysWOW64\calc.exe
      Command line: CALC.EXE
      PID: 2960
    C:\Users\Admin\AppData\Local\Temp\u.dll
      Command line: u.dll -bat vir.bat -save 3a888b6f553a234b701c21546fa0b541.exe.com -include s.dll -overwrite -nodelete
      PID: 3664
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
C:\Users\Admin\AppData\Local\Temp\4C3B.tmp\mpress.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4C3B.tmp\mpress.exe" "C:\Users\Admin\AppData\Local\Temp\exe4C3C.tmp"
  PID: 3908
  - Executes dropped EXE
C:\Windows\system32\OpenWith.exe
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  PID: 1276
C:\Windows\system32\OpenWith.exe
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  PID: 1940
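The process section above is flat extraction output, and its nesting does not fully agree with the WriteProcessMemory signature table (mpress.exe is listed at the top level while the table records u.dll, PID 3664, writing into PID 3908). The following script is an added example for this page and is not tria.ge code: it rebuilds the tree from the page's depth markers, lets the WriteProcessMemory evidence override the nesting where the two disagree, and then runs a few generic triage rules a detection engineer would want over the result. PROCESSES and WRITE_ROWS are constructed by hand from this report; the helper names, the regexes and the triage rules are my own.

```python
"""Rebuild and triage the process tree of a tria.ge-style report.

Added example for this page, not tria.ge code. PROCESSES and WRITE_ROWS are
constructed by hand from the Processes section and the WriteProcessMemory
signature table of the report; helper names and triage rules are assumptions.
"""
import re
from collections import defaultdict

# (depth, pid, image, command line) in page order; depth is the N of 'N⤵'.
PROCESSES = [
    (1, 3176, r"C:\Users\Admin\AppData\Local\Temp\3a888b6f553a234b701c21546fa0b541.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\3a888b6f553a234b701c21546fa0b541.exe"'),
    (2, 848, r"C:\Windows\SysWOW64\cmd.exe",
     r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4BCE.tmp\vir.bat""'),
    (3, 3604, r"C:\Windows\SysWOW64\calc.exe", "CALC.EXE"),
    (3, 2960, r"C:\Windows\SysWOW64\calc.exe", "CALC.EXE"),
    (3, 3664, r"C:\Users\Admin\AppData\Local\Temp\u.dll",
     "u.dll -bat vir.bat -save 3a888b6f553a234b701c21546fa0b541.exe.com -include s.dll -overwrite -nodelete"),
    (1, 3908, r"C:\Users\Admin\AppData\Local\Temp\4C3B.tmp\mpress.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\4C3B.tmp\mpress.exe" "C:\Users\Admin\AppData\Local\Temp\exe4C3C.tmp"'),
    (1, 1276, r"C:\Windows\system32\OpenWith.exe", r"C:\Windows\system32\OpenWith.exe -Embedding"),
    (1, 1940, r"C:\Windows\system32\OpenWith.exe", r"C:\Windows\system32\OpenWith.exe -Embedding"),
]

# Constructed subset of the signature table; the report repeats each launch.
WRITE_ROWS = """
PID 3176 wrote to memory of 848 3176 3a888b6f553a234b701c21546fa0b541.exe 17
PID 3176 wrote to memory of 848 3176 3a888b6f553a234b701c21546fa0b541.exe 17
PID 848 wrote to memory of 3664 848 cmd.exe 26
PID 3664 wrote to memory of 3908 3664 u.dll 21
PID 848 wrote to memory of 3604 848 cmd.exe 20
"""
ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ \S+ \d+$")
TEMP_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.I)


def parse_write_edges(text):
    """De-duplicated (parent_pid, child_pid) pairs from the signature rows."""
    edges = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m and (int(m.group(1)), int(m.group(2))) not in edges:
            edges.append((int(m.group(1)), int(m.group(2))))
    return edges


def parents_from_depth(processes):
    """Parent pid per process from the page's N⤵ nesting, via a depth stack."""
    parent, stack = {}, []          # stack[i] is the pid currently open at depth i+1
    for depth, pid, _, _ in processes:
        del stack[depth - 1:]       # close every entry at this depth or deeper
        parent[pid] = stack[-1] if stack else None
        stack.append(pid)
    return parent


def reconcile(processes, edges):
    """Let WriteProcessMemory evidence override the page nesting; report changes."""
    parent, corrected = parents_from_depth(processes), {}
    for p, c in edges:
        if parent.get(c) != p:
            corrected[c] = (parent.get(c), p)
            parent[c] = p
    return parent, corrected


def triage(processes, edges):
    """(pid, finding) pairs from generic rules: Temp execution, EXE named .dll,
    cmd.exe running a dropped .bat, system binary spawned by a Temp-resident parent."""
    parent, _ = reconcile(processes, edges)
    image = {pid: img for _, pid, img, _ in processes}
    findings = []
    for _, pid, img, cmd in processes:
        if TEMP_RE.search(img):
            findings.append((pid, "executable launched from user Temp"))
        if img.lower().endswith(".dll"):
            findings.append((pid, "process image named .dll: EXE disguised by extension"))
        if img.lower().endswith("\\cmd.exe") and ".bat" in cmd.lower() and TEMP_RE.search(cmd):
            findings.append((pid, "cmd.exe executing a batch file from Temp"))
        par = parent.get(pid)
        if par is not None and TEMP_RE.search(image[par]) and img.lower().startswith("c:\\windows\\"):
            findings.append((pid, f"system binary spawned by Temp-resident pid {par}"))
    return findings


def render_tree(processes, edges):
    """Indented tree lines using the reconciled parent relation."""
    parent, _ = reconcile(processes, edges)
    kids, lines = defaultdict(list), []
    name = {pid: img.rsplit("\\", 1)[-1] for _, pid, img, _ in processes}
    for _, pid, _, _ in processes:
        kids[parent[pid]].append(pid)

    def walk(pid, depth):
        lines.append("  " * depth + f"{name[pid]} (pid {pid})")
        for child in kids[pid]:
            walk(child, depth + 1)

    for root in kids[None]:
        walk(root, 0)
    return lines


if __name__ == "__main__":
    edges = parse_write_edges(WRITE_ROWS)
    print("\n".join(render_tree(PROCESSES, edges)))
    for pid, why in triage(PROCESSES, edges):
        print(f"[!] pid {pid}: {why}")
```

Run as-is it re-parents mpress.exe under u.dll and flags six findings: the sample and u.dll executing from Temp, u.dll carrying a .dll name while running as a process, cmd.exe executing the dropped vir.bat, cmd.exe being spawned by a Temp-resident parent, and mpress.exe executing from Temp. The two calc.exe children and the OpenWith.exe instances pass every rule, which is the intended behaviour: the rules key on where a binary lives and who launched it, not on the binary's name.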
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 1KB
  MD5: e88f21a829f04c02fc51b8f478919eb1
  SHA1: 08abda4d48d783df8cb487cfb7d0edf763b96848
  SHA256: d2094e9feb861206a458a758bd550ed020f5582d4b8838900c4a77f44e933a33
  SHA512: e6ba6c90a8f37fc1c1d8390716cefb2432dce67f55b973820153d7d0843e2960bb1a52a69732b654d8c80a030b25c86f62c760432fd83168aaf8c39dec91d395
- Filesize: 24KB
  MD5: 0761d37b969cc4366e7270e7a2263bb1
  SHA1: 6c5e1d57655b72f878e488d6191285aefacb6895
  SHA256: dde7be8b9e49560cfedc381a148b31275675b04dcc4ec63eb2e6b8de9839da85
  SHA512: c5bb26b07329f1b19b4c3082fa91aa884f5176a6c04a71cf057c2ae16691b88ef1b3ee37a144de4fc27322c212195d0fe4e1cea8bef684e50502fc3e2609839b
- Filesize: 36KB
  MD5: 2372cf3b6266329db6d1a6148f55acb8
  SHA1: a7f454da024d90c483947462ff7fb439ec8210e7
  SHA256: 8ad48d22b1705ed704d2a4e5ad3fbfc75128a717623edaac57001e8badfd514b
  SHA512: bbf82b24577733416c3cb8431989267e4a5647529a9c537e7e6fbdd0a92d02d00e806d2b60b2521342a217ab1083cee55f7bdd3442dbfc5ba782a6cb1db07fd9
- Filesize: 13KB
  MD5: 10992eea08679b138df5e6eab7cd0acf
  SHA1: a63ec2bf2f128e2a2bbc3f0ec07f7cb83fc11aee
  SHA256: 1ae1272c3500cee8552cc5eaaa658d8d86cac1b4f107f995095c64db51a8539a
  SHA512: 805020a974c91ab5446a95ce1650c406e2f2cc1cc37d8a03acaa38b0a1b5b08d16612267be16dc4a879bc732f93e1e2dc28e8619beffb8258fcbef918b62f910
- Filesize: 44KB
  MD5: ba5e44d48352c3e180cb4fc1bcc28465
  SHA1: 19cf5208e38b7034e328c12bf7e7e4c68152e7be
  SHA256: a85e2452afa011f9dc210cbdefb1133368d69528d99330fc3a95ed2fc4b3cc05
  SHA512: 4c8bf315107e1002c22343571887d98bf1d899ed69a5776f3bae5f1d0c2fd843a36c1aac7dd9cdf44fb5803d27475b98272eadc5fb2d9124dfb257c81ed1afde
- Filesize: 104KB
  MD5: 41663233b8d06dd929ec31bcfd39ea1a
  SHA1: 6bfd00100fd634ce984c1898d80ce8770c29d265
  SHA256: 67ee19556b811dc3c246071cf745dab186dd1228297afebd713742a405dc33d8
  SHA512: 37a87d9de390cff432df3eeb05122814d63770f79644c39b749994543f72cd710a59d7344ed458e7879b0e53aeab8059e3b47e951e70718180fabb75833a36b3
- Filesize: 73KB
  MD5: 4a115fed5bb76b549ab69a6807ca4ada
  SHA1: a85234b95ca09f98a00145daef67999d11929fd8
  SHA256: 6ee140ba824e052f88525f7b3d4f02a0623b350e9621d6f9f46eec1c173a67eb
  SHA512: 39116cb50c518b93f65fdc71296a1060e06aa8a2853bea640f3bc9522d7c5d5a78f34c4bd30aa88a3516f25ca5f21e4bdfa1b8233a4a7ad42d91a21da6eb39b5
- Filesize: 43KB
  MD5: 4169587ebd0b701d8bea6cfec933358c
  SHA1: 8115bc035438f07d0f68203e3ec049c754b53f5c
  SHA256: 0c4a617aeaa44503607ab6f85cab9aaba596127a5f1a868f047b965b7b7227ec
  SHA512: 2446cecaf731c54f16246903c5c423727c02f2b5f8e92bd49e0fae87dd57ce7666ac7a1b600e820d6e57eef6f9e1887b2ff09a3ed007c4fa9da2f072c6a94fa4
- Filesize: 1KB
  MD5: 32cfeb3857d06dc6983d9da07f96715e
  SHA1: 7ead9d623ec1114c47a9337a19f93c38215d79af
  SHA256: a26042fe1f87cbec1ac420c4d6d7c490abb05fb74323ea84baa3582bee1d557d
  SHA512: c7f4afcdd0361ddf916de7f34dc6bd7f9151840464d434cef5b876ab1b283951f4ca71480cf4cda4b05071422ad49455a03959ac69cd7699a01fcd285a78fd40