Analysis
max time kernel: 149s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05/01/2024, 01:28
Static task
static1: 1 signature
Behavioral task
behavioral1: sample 3f11b9808d5afbb903d86ba1cdcf22d1.exe, resource win7-20231129-en, 8 signatures, 150 seconds
Behavioral task
behavioral2: sample 3f11b9808d5afbb903d86ba1cdcf22d1.exe, resource win10v2004-20231215-en, 6 signatures, 150 seconds
General
Target: 3f11b9808d5afbb903d86ba1cdcf22d1.exe
Size: 907KB
MD5: 3f11b9808d5afbb903d86ba1cdcf22d1
SHA1: c525dda1412ef0eef8c2202bbfef6002569c605e
SHA256: d3a50ea9a6d3227849b6f1e14565def2c0c275c12c81d3b693662f7844253686
SHA512: 7ed3bb17300eb73f2a2fe5e673bc1c7ac302037bdf6f2da1415680514ee12b717248257f414d3a3dea85b71ef3b3ee9ea0a63d83b4a84f8e4fbe3f9c248a1a1c
SSDEEP: 24576:3BiRBcDcHEstDOM3+yFQQh6aeSPBRSa/ZS1:3ByBcDckADOmhQGDSgS
Score: 7/10
Malware Config
Signatures
Deletes itself (1 IoC)
  pid   Process
  1620  3f11b9808d5afbb903d86ba1cdcf22d1.exe
Executes dropped EXE (1 IoC)
  pid   Process
  1620  3f11b9808d5afbb903d86ba1cdcf22d1.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTP)
Suspicious behavior: RenamesItself (1 IoC)
  pid   Process
  616   3f11b9808d5afbb903d86ba1cdcf22d1.exe
Suspicious use of UnmapMainImage (2 IoCs)
  pid   Process
  616   3f11b9808d5afbb903d86ba1cdcf22d1.exe
  1620  3f11b9808d5afbb903d86ba1cdcf22d1.exe
Suspicious use of WriteProcessMemory (3 IoCs)
  description                      pid  Process                               procid_target
  PID 616 wrote to memory of 1620  616  3f11b9808d5afbb903d86ba1cdcf22d1.exe  22
  PID 616 wrote to memory of 1620  616  3f11b9808d5afbb903d86ba1cdcf22d1.exe  22
  PID 616 wrote to memory of 1620  616  3f11b9808d5afbb903d86ba1cdcf22d1.exe  22
Processes
C:\Users\Admin\AppData\Local\Temp\3f11b9808d5afbb903d86ba1cdcf22d1.exe (level 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\3f11b9808d5afbb903d86ba1cdcf22d1.exe"
  PID: 616
  - Suspicious behavior: RenamesItself
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\3f11b9808d5afbb903d86ba1cdcf22d1.exe (level 2, child of PID 616)
    command line: C:\Users\Admin\AppData\Local\Temp\3f11b9808d5afbb903d86ba1cdcf22d1.exe
    PID: 1620
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of UnmapMainImage
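The Signatures and Processes sections above fit together: PID 616 spawns a second copy of the same image (PID 1620), writes to its memory three times, and UnmapMainImage fires in both processes, after which the child deletes the on-disk file. The report does not say what was written into the child, so this is not proof of process hollowing, but the combination is the one a triage rule would correlate. The following is an added example, not tria.ge's own code or output: it parses a constructed copy of the report's WriteProcessMemory IoC text, joins it with a constructed process tree and per-PID signature set (the signature names are assumed normalized to single tokens such as `UnmapMainImage`), and flags a writer/target pair only when all three conditions hold. The function names `parse_write_events` and `find_self_injection` are hypothetical.

```python
"""Correlate tria.ge-style signature IoCs with the process tree to flag a
self-injection pattern: same image spawned as a child, memory written into
it, and the main image unmapped.  Added example, not tria.ge's own code."""
import re
from collections import Counter

# Constructed copy of the report's WriteProcessMemory IoC text.
WRITE_EVENTS = (
    "PID 616 wrote to memory of 1620 616 3f11b9808d5afbb903d86ba1cdcf22d1.exe 22 "
    "PID 616 wrote to memory of 1620 616 3f11b9808d5afbb903d86ba1cdcf22d1.exe 22 "
    "PID 616 wrote to memory of 1620 616 3f11b9808d5afbb903d86ba1cdcf22d1.exe 22"
)

# Per-PID signature names, constructed from the report's Signatures section
# (names normalized to single tokens; that normalization is an assumption).
PER_PID_SIGNATURES = {
    616: {"RenamesItself", "UnmapMainImage", "WriteProcessMemory"},
    1620: {"DeletesItself", "ExecutesDroppedEXE", "UnmapMainImage"},
}

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\3f11b9808d5afbb903d86ba1cdcf22d1.exe"

# pid -> (image path, parent pid), constructed from the report's Processes
# section; None marks the root of the tree.
PROCESS_TREE = {
    616: (SAMPLE, None),
    1620: (SAMPLE, 616),
}

WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")


def parse_write_events(text):
    """Count (writer_pid, target_pid) pairs in the IoC description text."""
    return Counter((int(w), int(t)) for w, t in WRITE_RE.findall(text))


def find_self_injection(write_counts, signatures, tree):
    """Return one dict per (writer, target) pair that satisfies all three
    conditions: target is the writer's direct child, both run the same
    image, and UnmapMainImage fired for the writer or the target."""
    hits = []
    for (writer, target), writes in write_counts.items():
        if writer not in tree or target not in tree:
            continue  # PID outside the captured tree: cannot judge it
        writer_img, _ = tree[writer]
        target_img, target_parent = tree[target]
        reasons = []
        if target_parent == writer:
            reasons.append("target is a direct child of the writer")
        if writer_img.lower() == target_img.lower():
            reasons.append("writer and target run the same image")
        seen = signatures.get(writer, set()) | signatures.get(target, set())
        if "UnmapMainImage" in seen:
            reasons.append("main image unmapped in writer or target")
        if len(reasons) == 3:
            hits.append({"writer": writer, "target": target,
                         "writes": writes, "reasons": reasons})
    return hits


if __name__ == "__main__":
    counts = parse_write_events(WRITE_EVENTS)
    for hit in find_self_injection(counts, PER_PID_SIGNATURES, PROCESS_TREE):
        print(f"PID {hit['writer']} -> PID {hit['target']}: "
              f"{hit['writes']} write(s); " + "; ".join(hit["reasons"]))
```

Run on the report's data it reports a single pair, 616 -> 1620 with 3 writes. A parent writing into a child that runs a different image, or a pair where neither side unmapped its main image, is deliberately left unflagged, which keeps ordinary installers and debuggers out of the result.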