Analysis
max time kernel: 141s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31/12/2023, 21:03
Static task: static1
Behavioral task: behavioral1
  Sample: 3b0c097bb30396d26b3cfa4d06da47fb.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 3b0c097bb30396d26b3cfa4d06da47fb.exe
  Resource: win10v2004-20231215-en
General
Target: 3b0c097bb30396d26b3cfa4d06da47fb.exe
Size: 385KB
MD5: 3b0c097bb30396d26b3cfa4d06da47fb
SHA1: 90db119e3986bf32d71619d89494bdee0007c116
SHA256: a4b0bc18733c1f407ff47f492d3f9c14b19e336f9b49b7984e947923df04283a
SHA512: 86216f22b380a3e3e5a364180e7c749208c2035b87663ffd039039cd20c0e78f8e644f199c4689ccce367df42be68eecbd7fbece2cb510c425c1b880cb67ec1d
SSDEEP: 12288:vgR27WNZF9zKakxUmRklPX4I7xjtgmaCVbAHUsJNB:vNaNZF9wUmihD70makbAH/bB
Malware Config
Signatures
Deletes itself (1 IoCs)
  pid 1896  Process 3b0c097bb30396d26b3cfa4d06da47fb.exe
Executes dropped EXE (1 IoCs)
  pid 1896  Process 3b0c097bb30396d26b3cfa4d06da47fb.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
Suspicious behavior: RenamesItself (1 IoCs)
  pid 4732  Process 3b0c097bb30396d26b3cfa4d06da47fb.exe
Suspicious use of UnmapMainImage (2 IoCs)
  pid 4732  Process 3b0c097bb30396d26b3cfa4d06da47fb.exe
  pid 1896  Process 3b0c097bb30396d26b3cfa4d06da47fb.exe
Suspicious use of WriteProcessMemory (3 IoCs)
  description                       pid   Process                               procid_target
  PID 4732 wrote to memory of 1896  4732  3b0c097bb30396d26b3cfa4d06da47fb.exe  89
  PID 4732 wrote to memory of 1896  4732  3b0c097bb30396d26b3cfa4d06da47fb.exe  89
  PID 4732 wrote to memory of 1896  4732  3b0c097bb30396d26b3cfa4d06da47fb.exe  89
Processes
1. C:\Users\Admin\AppData\Local\Temp\3b0c097bb30396d26b3cfa4d06da47fb.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\3b0c097bb30396d26b3cfa4d06da47fb.exe"
   PID: 4732
   - Suspicious behavior: RenamesItself
   - Suspicious use of UnmapMainImage
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\3b0c097bb30396d26b3cfa4d06da47fb.exe (child of PID 4732)
      Command line: C:\Users\Admin\AppData\Local\Temp\3b0c097bb30396d26b3cfa4d06da47fb.exe
      PID: 1896
      - Deletes itself
      - Executes dropped EXE
      - Suspicious use of UnmapMainImage
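The Signatures and Processes blocks above record one parent (PID 4732) that renames itself, unmaps its main image and writes three times into a child (PID 1896) launched from the same path; the sandbox tags that child as a dropped executable and it deletes itself, and the file listed under Downloads has the same 385KB size as the submitted sample but different hashes. The following is an added example, not part of the tria.ge report or its tooling: a Python parser for the flattened signature rows in the form they appear on this page (treating "pid Process ..." and "description pid Process ... PID a wrote to memory of b ..." as the row layout is an assumption about the page extraction, not a documented triage format) and a rule that raises one finding when all of those indicators line up for a parent/child pair. The names parse_signatures and self_replacement_findings are this example's own.

```python
import re
from collections import defaultdict

# Constructed input: the Signatures block of the report above, transcribed
# into one-row-per-line text. The row layout is an assumption about how the
# page was extracted, not a documented triage format.
REPORT = """\
Deletes itself 1 IoCs
pid Process 1896 3b0c097bb30396d26b3cfa4d06da47fb.exe
Executes dropped EXE 1 IoCs
pid Process 1896 3b0c097bb30396d26b3cfa4d06da47fb.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs
Suspicious behavior: RenamesItself 1 IoCs
pid Process 4732 3b0c097bb30396d26b3cfa4d06da47fb.exe
Suspicious use of UnmapMainImage 2 IoCs
pid Process 4732 3b0c097bb30396d26b3cfa4d06da47fb.exe 1896 3b0c097bb30396d26b3cfa4d06da47fb.exe
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 4732 wrote to memory of 1896 4732 3b0c097bb30396d26b3cfa4d06da47fb.exe 89 PID 4732 wrote to memory of 1896 4732 3b0c097bb30396d26b3cfa4d06da47fb.exe 89 PID 4732 wrote to memory of 1896 4732 3b0c097bb30396d26b3cfa4d06da47fb.exe 89
"""

# MD5s from the General and Downloads sections of the report above.
SUBMITTED_MD5 = "3b0c097bb30396d26b3cfa4d06da47fb"
DROPPED_MD5 = "4d76c81452545885f8d031eaae6aa7c6"

SIG_HEADER = re.compile(r"^(?P<name>.+?) \d+ (?:IoCs|TTPs)$")
PID_IMAGE = re.compile(r"(\d+) (\S+\.exe)")
WRITE_ROW = re.compile(r"PID (\d+) wrote to memory of (\d+)")


def parse_signatures(text):
    """Return (signature -> set of pids, (writer, target) -> write count,
    pid -> image name) parsed from the flattened Signatures text."""
    sigs, writes, images = defaultdict(set), defaultdict(int), {}
    current = None
    for line in text.splitlines():
        header = SIG_HEADER.match(line)
        if header:
            current = header.group("name")
            sigs.setdefault(current, set())   # keep signatures with no rows
        elif current is None:
            continue
        elif line.startswith("description pid Process"):
            for writer, target in WRITE_ROW.findall(line):
                writes[(int(writer), int(target))] += 1
                sigs[current].add(int(writer))
        elif line.startswith("pid Process"):
            for pid, image in PID_IMAGE.findall(line):
                sigs[current].add(int(pid))
                images[int(pid)] = image
    return dict(sigs), dict(writes), images


def self_replacement_findings(sigs, writes, images, submitted_md5, dropped_md5):
    """Flag each (parent, child) pair where the parent rewrote its own file,
    relaunched the same path and then wrote into the child's memory, and the
    file left on disk no longer hashes like the submitted sample. The rule
    reports the evidence the report's signatures give; it does not name a
    family or technique on its own."""
    findings = []
    for (writer, target), count in writes.items():
        same_image = images.get(writer) is not None and images.get(writer) == images.get(target)
        evidence = {
            "parent_renames_itself": writer in sigs.get("Suspicious behavior: RenamesItself", set()),
            "child_is_dropped_exe": target in sigs.get("Executes dropped EXE", set()),
            "child_unmaps_main_image": target in sigs.get("Suspicious use of UnmapMainImage", set()),
            "child_deletes_itself": target in sigs.get("Deletes itself", set()),
            "dropped_file_differs_from_sample": submitted_md5.lower() != dropped_md5.lower(),
        }
        if same_image and all(evidence.values()):
            findings.append({"parent": writer, "child": target, "image": images[writer],
                             "memory_writes": count, "evidence": evidence})
    return findings


if __name__ == "__main__":
    s, w, i = parse_signatures(REPORT)
    for f in self_replacement_findings(s, w, i, SUBMITTED_MD5, DROPPED_MD5):
        print(f"{f['image']}: pid {f['parent']} wrote {f['memory_writes']}x into relaunched pid {f['child']}")
```

The rule deliberately requires every indicator together: a parent writing into a child of the same image path is also what ordinary self-updaters and installers do, and it is the combination with the on-disk file changing hash while keeping its size, the child being classified as a dropped executable, and the child removing itself that makes this pair worth escalating.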
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 385KB
MD5: 4d76c81452545885f8d031eaae6aa7c6
SHA1: 3e5ca7f3ef04aca69804b5fe9554f31ad42c185d
SHA256: ae78517393c71e8bbd6494ac5c5b8554adb968f995b2a7fe5f7f0a86eadfc78b
SHA512: 9363f288e67f1d92424e68034086584c42e1c95e59cbdccbc6cfb9b6e1881874c7d211e095c4ad97926548cc6c7df60df6927bcd5c2dbe63c5122d5decb33ce3