Analysis
max time kernel: 146s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03/01/2024, 22:17
Static task: static1
Behavioral task: behavioral1
  Sample: 3f29cd0cfb5491555e73d139f7b22571.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 3f29cd0cfb5491555e73d139f7b22571.exe
  Resource: win10v2004-20231215-en
General
Target: 3f29cd0cfb5491555e73d139f7b22571.exe
Size: 1000KB
MD5: 3f29cd0cfb5491555e73d139f7b22571
SHA1: 134f47ae6a880fa204158f05e8a09d214455b25b
SHA256: b778d56f07e313698cbffcd2da113664bd53507f10d4795d58984a1c635feca8
SHA512: 864474453a7346a53cba24f0baa70a37e01b339e776fc704286ef8da2ca3e9e21e6b4a862e9bf945d695bbd7c9a49c571090a11b4d50538f5e79393f158883c3
SSDEEP: 24576:tgdg8/WBaQX/Heu6e8elM41B+5vMiqt0gj2ed:N7/QSqOL
Malware Config
Signatures
Deletes itself (1 IoC)
  PID 1060, process 3f29cd0cfb5491555e73d139f7b22571.exe
Executes dropped EXE (1 IoC)
  PID 1060, process 3f29cd0cfb5491555e73d139f7b22571.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTP)
Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  PID 1060, process 3f29cd0cfb5491555e73d139f7b22571.exe
Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID 3936, process schtasks.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 1060, process 3f29cd0cfb5491555e73d139f7b22571.exe
  PID 1060, process 3f29cd0cfb5491555e73d139f7b22571.exe
Suspicious behavior: RenamesItself (1 IoC)
  PID 3340, process 3f29cd0cfb5491555e73d139f7b22571.exe
Suspicious use of UnmapMainImage (2 IoCs)
  PID 3340, process 3f29cd0cfb5491555e73d139f7b22571.exe
  PID 1060, process 3f29cd0cfb5491555e73d139f7b22571.exe
Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | process | procid_target
  PID 3340 wrote to memory of 1060 | 3340 | 3f29cd0cfb5491555e73d139f7b22571.exe | 87
  PID 3340 wrote to memory of 1060 | 3340 | 3f29cd0cfb5491555e73d139f7b22571.exe | 87
  PID 3340 wrote to memory of 1060 | 3340 | 3f29cd0cfb5491555e73d139f7b22571.exe | 87
  PID 1060 wrote to memory of 3936 | 1060 | 3f29cd0cfb5491555e73d139f7b22571.exe | 93
  PID 1060 wrote to memory of 3936 | 1060 | 3f29cd0cfb5491555e73d139f7b22571.exe | 93
  PID 1060 wrote to memory of 3936 | 1060 | 3f29cd0cfb5491555e73d139f7b22571.exe | 93
Processes
1. C:\Users\Admin\AppData\Local\Temp\3f29cd0cfb5491555e73d139f7b22571.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\3f29cd0cfb5491555e73d139f7b22571.exe"
   PID: 3340
   - Suspicious behavior: RenamesItself
   - Suspicious use of UnmapMainImage
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\3f29cd0cfb5491555e73d139f7b22571.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\3f29cd0cfb5491555e73d139f7b22571.exe
      PID: 1060
      - Deletes itself
      - Executes dropped EXE
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of UnmapMainImage
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\schtasks.exe
         Command line: schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\3f29cd0cfb5491555e73d139f7b22571.exe" /TN Google_Trk_Updater /F
         PID: 3936
         - Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 65KB
MD5: 5e723aede05496f085106078477042c2
SHA1: 9621ed51c13f5b30b38e7707163bd7b884718838
SHA256: d099e1046f6bd81f21210a6c9001469974805f2ab4165628e0113e64c43f71e5
SHA512: 06103cff5d7d27b4ae364b8d02ea4b16c8ffe2f0219a4890d9ce0594cadeeba750c1ccac9b18be8946aad693669e18b33ccc0da1f4f8bb080126f168a000b296