Analysis
- max time kernel: 136s
- max time network: 168s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04/01/2024, 00:56
Static task: static1
Behavioral task: behavioral1
- Sample: 3f7d088afd8d2b93c003ba513b8a5534.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 3f7d088afd8d2b93c003ba513b8a5534.exe
- Resource: win10v2004-20231215-en
General
- Target: 3f7d088afd8d2b93c003ba513b8a5534.exe
- Size: 385KB
- MD5: 3f7d088afd8d2b93c003ba513b8a5534
- SHA1: 184f868394acec1091e84caf7894c43b8689de47
- SHA256: aede44db6447287c88450d6dd1cd142a8737f641f9dd46b5290c991ec0caa5d8
- SHA512: c9cfd60e95e9974e023ee1902763d324a94fa51b83e76a0b58720dc676bffc691e7a7900633daa36d724d82ec69e5b38e79fba1f2bc5d162d06c1c6fc3928d22
- SSDEEP: 6144:oiXanJgmNb+8DyVCyhf6EO0tj5Gq7E4Tv2f+/fWbBXBWhAZG8r90/lQ1fagB:oiXal+lhhf40tj55vU+mXtZGB/eB
Malware Config
Signatures
- Deletes itself (1 IoC)
  pid 4016, process 3f7d088afd8d2b93c003ba513b8a5534.exe
- Executes dropped EXE (1 IoC)
  pid 4016, process 3f7d088afd8d2b93c003ba513b8a5534.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTP)
- Suspicious behavior: RenamesItself (1 IoC)
  pid 4832, process 3f7d088afd8d2b93c003ba513b8a5534.exe
- Suspicious use of UnmapMainImage (2 IoCs)
  pid 4832, process 3f7d088afd8d2b93c003ba513b8a5534.exe
  pid 4016, process 3f7d088afd8d2b93c003ba513b8a5534.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description: PID 4832 wrote to memory of 4016; pid 4832; process 3f7d088afd8d2b93c003ba513b8a5534.exe; procid_target 90 (three identical rows, i.e. three separate writes from the parent into the child)
Processes
- Image: C:\Users\Admin\AppData\Local\Temp\3f7d088afd8d2b93c003ba513b8a5534.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3f7d088afd8d2b93c003ba513b8a5534.exe"
  PID: 4832
  - Suspicious behavior: RenamesItself
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  - Child: C:\Users\Admin\AppData\Local\Temp\3f7d088afd8d2b93c003ba513b8a5534.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\3f7d088afd8d2b93c003ba513b8a5534.exe
    PID: 4016
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of UnmapMainImage
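The signature rows and process tree above describe one shape: a process renames itself, spawns a second instance from the same path, writes into that child's memory, and the child (flagged as a dropped EXE) unmaps its main image and deletes the original file. The following Python is an added example, not part of the tria.ge report or its tooling; it retypes the report's own rows as constructed sample input and turns the pattern into a triage heuristic that a practitioner could run over other reports. The threshold choices (any cross-process write plus a same-path re-execution) are assumptions for illustration, and the result is an indicator, not proof of a specific injection technique.

```python
import re
from collections import defaultdict

# Sample input constructed from this report's signature rows, process tree and
# hash sections (retyped by hand; nothing is fetched from tria.ge).
SAMPLE_PATH = r"C:\Users\Admin\AppData\Local\Temp\3f7d088afd8d2b93c003ba513b8a5534.exe"
SAMPLE_SHA256 = "aede44db6447287c88450d6dd1cd142a8737f641f9dd46b5290c991ec0caa5d8"
DROPPED_SHA256 = "3d522fa0b9fb4ff26ebd65b388e36124340f7372b56634a89a4d049a17a090c3"

PROCESSES = {
    4832: {"parent": None, "image": SAMPLE_PATH,
           "sigs": {"RenamesItself", "UnmapMainImage", "WriteProcessMemory"}},
    4016: {"parent": 4832, "image": SAMPLE_PATH,
           "sigs": {"Deletes itself", "Executes dropped EXE", "UnmapMainImage"}},
}

# The report lists this row three times under "Suspicious use of WriteProcessMemory".
WRITE_ROWS = [
    "PID 4832 wrote to memory of 4016 4832 3f7d088afd8d2b93c003ba513b8a5534.exe 90",
] * 3

WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")


def parse_cross_process_writes(rows):
    """Count (writer_pid, target_pid) pairs from Triage-style WriteProcessMemory rows."""
    counts = defaultdict(int)
    for row in rows:
        m = WRITE_RE.search(row)
        if m:
            counts[(int(m.group(1)), int(m.group(2)))] += 1
    return dict(counts)


def self_replacement_chains(processes, writes):
    """Flag a child that re-executes its parent's image path after the parent
    wrote into its memory. Each extra signature on the pair is added as evidence.
    This is a heuristic (assumed thresholds), not an identification of the technique."""
    chains = []
    for pid, info in processes.items():
        parent = info["parent"]
        if parent is None or parent not in processes:
            continue
        n_writes = writes.get((parent, pid), 0)
        same_path = processes[parent]["image"].lower() == info["image"].lower()
        if n_writes == 0 or not same_path:
            continue
        evidence = [
            f"parent {parent} wrote to child {pid} memory {n_writes}x",
            "child re-executes the parent's image path",
        ]
        if "RenamesItself" in processes[parent]["sigs"]:
            evidence.append("parent renamed itself")
        if "UnmapMainImage" in info["sigs"]:
            evidence.append("child unmapped its main image")
        if "Deletes itself" in info["sigs"]:
            evidence.append("child deleted its own on-disk image")
        chains.append({"parent": parent, "child": pid, "evidence": evidence})
    return chains


def dropped_file_differs_from_sample(sample_sha256, dropped_sha256):
    """True when the captured file at the sample's path is not the submitted bytes,
    i.e. the on-disk image was replaced during the run."""
    return sample_sha256.lower() != dropped_sha256.lower()


if __name__ == "__main__":
    writes = parse_cross_process_writes(WRITE_ROWS)
    for chain in self_replacement_chains(PROCESSES, writes):
        print(f"{chain['parent']} -> {chain['child']}:")
        for item in chain["evidence"]:
            print("  -", item)
    print("dropped file differs from sample:",
          dropped_file_differs_from_sample(SAMPLE_SHA256, DROPPED_SHA256))
```

On this report the heuristic yields one chain (4832 to 4016) with five pieces of evidence, and the dropped-file check is true because the Downloads entry at the same size carries different hashes from the submitted sample.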
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 385KB
- MD5: f43b7844868daf3eaf195c4a18d32271
- SHA1: f529920e19e4f2ef6f6474daa0d9134a0145cc7f
- SHA256: 3d522fa0b9fb4ff26ebd65b388e36124340f7372b56634a89a4d049a17a090c3
- SHA512: f22aa6307771d1d71731b73c87af3dbd5372b84e080f79c04a680046873c043932654c52ddcb95e428493f0026b1b88be987bcf1bab5d883208400b9a97c4154
Note that this captured file has the same size as the submitted sample (385KB) but different hashes. Together with the RenamesItself, Executes dropped EXE and Deletes itself signatures on a child launched from the sample's own path, this is consistent with the sample rewriting its on-disk image and re-executing the modified copy; the submitted hashes above should therefore not be expected to match what is left on disk after execution.