Analysis
- max time kernel: 142s
- max time network: 156s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04/01/2024, 11:17
Static task: static1
Behavioral task: behavioral1
- Sample: 40b7fd74f56258a845275f8e58194e04.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 40b7fd74f56258a845275f8e58194e04.exe
- Resource: win10v2004-20231215-en
General
- Target: 40b7fd74f56258a845275f8e58194e04.exe
- Size: 385KB
- MD5: 40b7fd74f56258a845275f8e58194e04
- SHA1: 6de988cfddea856b0cee77ebb66b10b3ffa8e4e0
- SHA256: 145232f1985f43ad9ddd62f94356021595fe8d11a225a18e980f0e637dfc04cc
- SHA512: 6ebdcd8daa82d135fac8890d5177ff3b740d4c1eb1f94d9ed475e6fdb6f07523265d52c72fe691cfcb296cb244cb9cc0315b2f071716665edb09e3266553f85e
- SSDEEP: 6144:D9HzHmWp7sucnJFRGQydsBvydPRhE5QAN/A/EyBRDJnv/r4RPeof2Dcu0Qd7cgrB:lzHvxcnVkshydPo21RDiR/Q+chrB
Malware Config
Signatures
- Deletes itself (1 IoCs)
  pid: 5024, process: 40b7fd74f56258a845275f8e58194e04.exe
- Executes dropped EXE (1 IoCs)
  pid: 5024, process: 40b7fd74f56258a845275f8e58194e04.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
- Suspicious behavior: RenamesItself (1 IoCs)
  pid: 624, process: 40b7fd74f56258a845275f8e58194e04.exe
- Suspicious use of UnmapMainImage (2 IoCs)
  pid: 624, process: 40b7fd74f56258a845275f8e58194e04.exe
  pid: 5024, process: 40b7fd74f56258a845275f8e58194e04.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description: PID 624 wrote to memory of 5024; pid: 624; process: 40b7fd74f56258a845275f8e58194e04.exe; procid_target: 29
  description: PID 624 wrote to memory of 5024; pid: 624; process: 40b7fd74f56258a845275f8e58194e04.exe; procid_target: 29
  description: PID 624 wrote to memory of 5024; pid: 624; process: 40b7fd74f56258a845275f8e58194e04.exe; procid_target: 29
Processes
1. C:\Users\Admin\AppData\Local\Temp\40b7fd74f56258a845275f8e58194e04.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\40b7fd74f56258a845275f8e58194e04.exe"
   - Suspicious behavior: RenamesItself
   - Suspicious use of UnmapMainImage
   - Suspicious use of WriteProcessMemory
   PID: 624
   2. C:\Users\Admin\AppData\Local\Temp\40b7fd74f56258a845275f8e58194e04.exe (child of PID 624)
      Command line: C:\Users\Admin\AppData\Local\Temp\40b7fd74f56258a845275f8e58194e04.exe
      - Deletes itself
      - Executes dropped EXE
      - Suspicious use of UnmapMainImage
      PID: 5024
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 92KB
- MD5: a928b3829521987e8609adf59efd1d05
- SHA1: 305ac50ce0e059b8f7f552ddc152558d29e5c4c2
- SHA256: e6d3f9be634988b50a89ed0059bd844e310b618f25731e82169cc7a4cc24c211
- SHA512: 351760618b52dfbf41f090728c2dd94e9416dabf8d2d206b82a579453f8d465d599ba334645d048c71cf3dd6f02e4a3948ee36808c872768ec80c399f475fa96