Analysis
max time kernel: 142s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04/01/2024, 12:14
Static task: static1
Behavioral task: behavioral1
  Sample: 40d4a2556e43eac71a9e7ce1d4a76fe6.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 40d4a2556e43eac71a9e7ce1d4a76fe6.exe
  Resource: win10v2004-20231215-en
General
Target: 40d4a2556e43eac71a9e7ce1d4a76fe6.exe
Size: 385KB
MD5: 40d4a2556e43eac71a9e7ce1d4a76fe6
SHA1: 77c34ac35884ea9f22b445705a60c4a85fd4f9a6
SHA256: 3ebe33a72f5f93e9f3cb98c41164f3c3915adda7da334e5e928574dfc0cac5e0
SHA512: a966be9c26a837e942a1bd134b7dc55c5f06c49127de715f9b00a7a979d523608c4805168be79ec857b84b4f151145891529bd983755a8ff7ce13f3ad48e439f
SSDEEP: 12288:S6w+lQKsLKJJAdnDRWoG3SllL7kNCtWTPB:Vw+lQCohG3slLRaB
Malware Config
Signatures
- Deletes itself (1 IoCs)
  pid 4992, process 40d4a2556e43eac71a9e7ce1d4a76fe6.exe
- Executes dropped EXE (1 IoCs)
  pid 4992, process 40d4a2556e43eac71a9e7ce1d4a76fe6.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
- Suspicious behavior: RenamesItself (1 IoCs)
  pid 2664, process 40d4a2556e43eac71a9e7ce1d4a76fe6.exe
- Suspicious use of UnmapMainImage (2 IoCs)
  pid 2664, process 40d4a2556e43eac71a9e7ce1d4a76fe6.exe
  pid 4992, process 40d4a2556e43eac71a9e7ce1d4a76fe6.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description: PID 2664 wrote to memory of 4992; pid 2664, process 40d4a2556e43eac71a9e7ce1d4a76fe6.exe, procid_target 37
  description: PID 2664 wrote to memory of 4992; pid 2664, process 40d4a2556e43eac71a9e7ce1d4a76fe6.exe, procid_target 37
  description: PID 2664 wrote to memory of 4992; pid 2664, process 40d4a2556e43eac71a9e7ce1d4a76fe6.exe, procid_target 37
Processes
1. Path: C:\Users\Admin\AppData\Local\Temp\40d4a2556e43eac71a9e7ce1d4a76fe6.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\40d4a2556e43eac71a9e7ce1d4a76fe6.exe"
   PID: 2664
   - Suspicious behavior: RenamesItself
   - Suspicious use of UnmapMainImage
   - Suspicious use of WriteProcessMemory
   2. Path: C:\Users\Admin\AppData\Local\Temp\40d4a2556e43eac71a9e7ce1d4a76fe6.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\40d4a2556e43eac71a9e7ce1d4a76fe6.exe
      PID: 4992
      - Deletes itself
      - Executes dropped EXE
      - Suspicious use of UnmapMainImage
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 381KB
MD5: cab97f78ff1b7f69a0b4a1feb1edf289
SHA1: 9b8ad56f81c8fa2341b6feeb3938a33b24e01f7b
SHA256: 7a80e1edbf0e7445e7a548072fa076739e3a1c3fd5d03b813fdf1bbb7d9e5223
SHA512: 09ac5901abb12983638378af594b94ae493c7db02b4ea0c1e6cf238ed5263155ca04266ed62c4b6322b27784d4672e939a2fb928ae05c548bd15940c7ed2f0b4