Analysis
max time kernel: 159s
max time network: 168s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04/01/2024, 11:18
Behavioral task: behavioral1
Sample: 40b8596fe0b63ce0b4c5d3486af69aab.exe
Resource: win7-20231215-en
Behavioral task: behavioral2
Sample: 40b8596fe0b63ce0b4c5d3486af69aab.exe
Resource: win10v2004-20231215-en
General
Target: 40b8596fe0b63ce0b4c5d3486af69aab.exe
Size: 2.9MB
MD5: 40b8596fe0b63ce0b4c5d3486af69aab
SHA1: b8ddb3807abad21e4b9e7b616b659aefe9186f0f
SHA256: aa70757781862362bd4fae8abe77bc9cf3f72bb4a8d8e265f11308d875390fae
SHA512: cac38a48945fa000a06aa1ac65ba4aa685e10d3feaf1aebb72530eb9e183b10cd4bf8157fd0e167345adb04d7f5e4fdbda37fa1d014d1a084055730d2930b612
SSDEEP: 49152:QjIwooyvk/kGX5PRxisfNdwmBNAagdoSwnE4GWasXmKE1YVFw7c+1mpEyPh38:ZweM/kGX37fNJ1qf4GWdXlE1iFv+S78
Malware Config
Signatures
Deletes itself (1 IoCs)
    pid    Process
    4592   40b8596fe0b63ce0b4c5d3486af69aab.exe
Executes dropped EXE (1 IoCs)
    pid    Process
    4592   40b8596fe0b63ce0b4c5d3486af69aab.exe
yara_rule matches: upx (3 IoCs)
    resource                                                                      yara_rule
    behavioral2/memory/3484-0-0x0000000000400000-0x00000000008EF000-memory.dmp    upx
    behavioral2/files/0x000500000001e715-11.dat                                   upx
    behavioral2/memory/4592-13-0x0000000000400000-0x00000000008EF000-memory.dmp   upx
Suspicious behavior: RenamesItself (1 IoCs)
    pid    Process
    3484   40b8596fe0b63ce0b4c5d3486af69aab.exe
Suspicious use of UnmapMainImage (2 IoCs)
    pid    Process
    3484   40b8596fe0b63ce0b4c5d3486af69aab.exe
    4592   40b8596fe0b63ce0b4c5d3486af69aab.exe
Suspicious use of WriteProcessMemory (3 IoCs)
    description                         pid    Process                                 procid_target
    PID 3484 wrote to memory of 4592    3484   40b8596fe0b63ce0b4c5d3486af69aab.exe    90
    PID 3484 wrote to memory of 4592    3484   40b8596fe0b63ce0b4c5d3486af69aab.exe    90
    PID 3484 wrote to memory of 4592    3484   40b8596fe0b63ce0b4c5d3486af69aab.exe    90
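The upx yara_rule hits above fire on the dropped file and on both processes' mapped image (the same 0x400000-0x8EF000 range in 3484 and 4592, i.e. the child maps a copy of the same packed image). The following is an added example, not part of the tria.ge report or its rule set: a small PE header walk that checks the section table for the default UPX0/UPX1/UPX2 section names. Treating those names as the indicator is an assumption on my part (tria.ge's rule may key on other bytes, and a repacker that renames sections evades this check); the minimal PE it builds for the demo is constructed and is not the sample from this report.

```python
import struct

# Default section names written by UPX. Heuristic only (assumption): renamed
# sections or a different packer will not show them.
UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}


def pe_section_names(data: bytes) -> list[str]:
    """Walk DOS header -> PE signature -> COFF header -> section table and
    return the section names in file order. Raises ValueError on non-PE input."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                       # IMAGE_FILE_HEADER, 20 bytes
    if len(data) < coff + 20:
        raise ValueError("truncated COFF header")
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + size_of_optional      # IMAGE_SECTION_HEADER array, 40 bytes each
    names = []
    for i in range(num_sections):
        raw = data[table + i * 40: table + i * 40 + 8]
        if len(raw) < 8:
            raise ValueError("truncated section table")
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names


def looks_upx_packed(data: bytes) -> bool:
    """True when any default UPX section name is present in the section table."""
    return bool(set(pe_section_names(data)) & UPX_SECTION_NAMES)


def build_minimal_pe(section_names: list[str]) -> bytes:
    """Constructed test input: a header-only PE32 with the given section names.
    It is not loadable; it only exercises the header walk above."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)               # e_lfanew: PE header right after DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0xE0, 0x102)
    optional = bytearray(0xE0)                             # SizeOfOptionalHeader for PE32
    struct.pack_into("<H", optional, 0, 0x10B)             # PE32 magic
    sections = b"".join(n.encode().ljust(8, b"\0") + bytes(32) for n in section_names)
    return bytes(dos) + b"PE\0\0" + coff + bytes(optional) + sections


if __name__ == "__main__":
    import sys
    # Pass a real file to check it; with no argument the constructed sample is used.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_minimal_pe(["UPX0", "UPX1", ".rsrc"])
    print(pe_section_names(blob), "upx-sections" if looks_upx_packed(blob) else "no-upx-sections")
```

Run it against the dropped file (behavioral2/files/0x000500000001e715-11.dat) rather than a memory dump: the dump is the mapped image, and after the stub has unpacked, the section names may still be present but the code in UPX1 is no longer what is on disk.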
Processes
C:\Users\Admin\AppData\Local\Temp\40b8596fe0b63ce0b4c5d3486af69aab.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\40b8596fe0b63ce0b4c5d3486af69aab.exe"
    PID: 3484
    - Suspicious behavior: RenamesItself
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\40b8596fe0b63ce0b4c5d3486af69aab.exe  (child of 3484)
        command line: C:\Users\Admin\AppData\Local\Temp\40b8596fe0b63ce0b4c5d3486af69aab.exe
        PID: 4592
        - Deletes itself
        - Executes dropped EXE
        - Suspicious use of UnmapMainImage
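The tree reads as a self-replacement chain: 3484 renames itself, a dropped copy appears at the original path, 3484 starts it (4592, same image path, unquoted command line), writes into its memory three times, and 4592 then deletes the original. The block below is an added example of detection logic over that pattern and is not tria.ge code. The event records are constructed; the field names (type, pid, ppid, image, target_pid, path) are my own and the parent PID 4000 and the cmd.exe control pair are invented, while 3484, 4592 and the image path mirror the report. Modelling "Deletes itself" as a delete of the image path is a simplification (the deleted file is the renamed original).

```python
from collections import defaultdict

# Image path from the report's process tree.
IMAGE = r"C:\Users\Admin\AppData\Local\Temp\40b8596fe0b63ce0b4c5d3486af69aab.exe"

# Constructed event stream (not sandbox output). Field names are assumed,
# loosely modelled on Sysmon ProcessCreate / ProcessAccess / FileDelete.
EVENTS = [
    {"type": "process_create", "pid": 3484, "ppid": 4000, "image": IMAGE},
    {"type": "process_create", "pid": 4592, "ppid": 3484, "image": IMAGE},
    {"type": "write_process_memory", "pid": 3484, "target_pid": 4592},
    {"type": "write_process_memory", "pid": 3484, "target_pid": 4592},
    {"type": "write_process_memory", "pid": 3484, "target_pid": 4592},
    {"type": "file_delete", "pid": 4592, "path": IMAGE},
    # Benign control: a shell spawning a copy of itself without the other steps.
    {"type": "process_create", "pid": 5000, "ppid": 4000, "image": r"C:\Windows\System32\cmd.exe"},
    {"type": "process_create", "pid": 5001, "ppid": 5000, "image": r"C:\Windows\System32\cmd.exe"},
]


def find_self_replacement_chains(events):
    """Return (parent_pid, child_pid, image) for every parent/child pair where
    both run the same image path, the parent wrote into the child's memory,
    and the child deleted a file at that image path. All three conditions are
    required; a process merely launching a copy of itself is not enough."""
    procs = {}
    writes = defaultdict(set)    # writer pid -> pids it wrote into
    deletes = defaultdict(set)   # pid -> lower-cased paths it deleted
    for e in events:
        if e["type"] == "process_create":
            procs[e["pid"]] = e
        elif e["type"] == "write_process_memory":
            writes[e["pid"]].add(e["target_pid"])
        elif e["type"] == "file_delete":
            deletes[e["pid"]].add(e["path"].lower())

    hits = []
    for child in procs.values():
        parent = procs.get(child["ppid"])
        if parent is None or parent["image"].lower() != child["image"].lower():
            continue
        if child["pid"] not in writes[parent["pid"]]:
            continue
        if child["image"].lower() not in deletes[child["pid"]]:
            continue
        hits.append((parent["pid"], child["pid"], child["image"]))
    return hits


if __name__ == "__main__":
    for parent_pid, child_pid, image in find_self_replacement_chains(EVENTS):
        print(f"self-replacement chain: {parent_pid} -> {child_pid} ({image})")
```

On a real host the closest Sysmon sources are Event ID 1 (process creation, giving Image and ParentProcessId), Event ID 10 (ProcessAccess, where a GrantedAccess mask including PROCESS_VM_WRITE, 0x0020, stands in for the WriteProcessMemory signature) and Event ID 23 (FileDelete); mapping those fields onto the record shape above is left to the reader.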
-
Network
Downloads
Filesize: 2.9MB
MD5: 97dcd5e5e96a04bd94b8cecdaede27cf
SHA1: e8f2d47d143f442a864c91e12cda6a85a9115939
SHA256: f65df62460c468814c6b7e1b3147813359f6bd3691a1c82b151e8b54acadc7cb
SHA512: e9e5c04b196304b19bd30a0fe5d1effd87348bd39652d30f97df38788661620ea4d8787cbafcfab8f9eb530caf828a71395ec9a9aab120f8cd5d7dbb64ba6794