Analysis
- max time kernel: 147s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04/01/2024, 17:46
Static task: static1
Behavioral task: behavioral1
- Sample: 4183a1c1c0a8075fdaf6a1aaa35bfacb.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 4183a1c1c0a8075fdaf6a1aaa35bfacb.exe
- Resource: win10v2004-20231215-en
General
- Target: 4183a1c1c0a8075fdaf6a1aaa35bfacb.exe
- Size: 385KB
- MD5: 4183a1c1c0a8075fdaf6a1aaa35bfacb
- SHA1: b92741ad4507cd674191a90e4457331968887e25
- SHA256: c193816f5ed013ef0672b9e0fe6648ffccb1a58adc0f47daad73df6afbe5396a
- SHA512: c21a886938fe72aed651d5138477a4933892573e9ef075ea68b84883b19407a7df1fb7d81a101080fe760fa5e64108549898efe7faeb7ad6012158f2ea6ed1bc
- SSDEEP: 6144:C/jzKpvk4A8FJ0lFvKdvbWzcqavlQUELHnlKHNWUs2uUk+Ae4pB:Ezavk4A8FICDKAvlQ5zlcNbDk5pB
Malware Config
Signatures
- Deletes itself (1 IoCs)
  PID 2076, Process 4183a1c1c0a8075fdaf6a1aaa35bfacb.exe
- Executes dropped EXE (1 IoCs)
  PID 2076, Process 4183a1c1c0a8075fdaf6a1aaa35bfacb.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
- Suspicious behavior: RenamesItself (1 IoCs)
  PID 3580, Process 4183a1c1c0a8075fdaf6a1aaa35bfacb.exe
- Suspicious use of UnmapMainImage (2 IoCs)
  PID 3580, Process 4183a1c1c0a8075fdaf6a1aaa35bfacb.exe
  PID 2076, Process 4183a1c1c0a8075fdaf6a1aaa35bfacb.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Description: PID 3580 wrote to memory of 2076; PID 3580, Process 4183a1c1c0a8075fdaf6a1aaa35bfacb.exe, procid_target 30
  Description: PID 3580 wrote to memory of 2076; PID 3580, Process 4183a1c1c0a8075fdaf6a1aaa35bfacb.exe, procid_target 30
  Description: PID 3580 wrote to memory of 2076; PID 3580, Process 4183a1c1c0a8075fdaf6a1aaa35bfacb.exe, procid_target 30
Processes
- C:\Users\Admin\AppData\Local\Temp\4183a1c1c0a8075fdaf6a1aaa35bfacb.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\4183a1c1c0a8075fdaf6a1aaa35bfacb.exe"
  PID: 3580
  - Suspicious behavior: RenamesItself
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\4183a1c1c0a8075fdaf6a1aaa35bfacb.exe (depth 2, child of PID 3580)
    Command line: C:\Users\Admin\AppData\Local\Temp\4183a1c1c0a8075fdaf6a1aaa35bfacb.exe
    PID: 2076
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of UnmapMainImage
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 104KB
- MD5: 47f468f887774f961dbd58edda42112c
- SHA1: a23f3be09c828ad53038dd5c7a40d481d124d0b6
- SHA256: af92218311c93b92a1c34fab3de17a009df034ac338d7df2f15779fe529e976d
- SHA512: 37199fbb5eafbb116ba2ba397fd87e9b4f15449e3c285786d70103cc54b430ae79a74d8d87f97b5ea0c39a26654001a79dcf54581d0b82f30bef9b96b51a86d1