Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08/01/2024, 04:46
Static task: static1
Behavioral task: behavioral1
  Sample: 4a796a6de8f51feb63ce21c659030e8b.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 4a796a6de8f51feb63ce21c659030e8b.exe
  Resource: win10v2004-20231215-en
General
Target: 4a796a6de8f51feb63ce21c659030e8b.exe
Size: 907KB
MD5: 4a796a6de8f51feb63ce21c659030e8b
SHA1: 18ec95dddfb29f25c280607fdc1f7f4a39e22f54
SHA256: 837a2fd2b50cbc54674f6e6f7cda3b55f2a4f98543d21e8dc8838a0427459ee7
SHA512: 4e3cecaea243e55d9b9a5f183e9ea21b0e181fbc97d9adc39b3ecbb76f922a303dd73ab01f08049a82f85c0eb5ad0423866cb50d7400e7d4b84178555d662895
SSDEEP: 24576:0fh7wiCOaj/qUkoxyASvezeZUJ3SJkieSFpZAX+u46a/ZS1:eRkqmfSveyceFpZAX+uPgS
Malware Config
Signatures
Deletes itself (1 IoCs)
  pid 4464, process 4a796a6de8f51feb63ce21c659030e8b.exe
Executes dropped EXE (1 IoCs)
  pid 4464, process 4a796a6de8f51feb63ce21c659030e8b.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
Suspicious behavior: RenamesItself (1 IoCs)
  pid 3856, process 4a796a6de8f51feb63ce21c659030e8b.exe
Suspicious use of UnmapMainImage (2 IoCs)
  pid 3856, process 4a796a6de8f51feb63ce21c659030e8b.exe
  pid 4464, process 4a796a6de8f51feb63ce21c659030e8b.exe
Suspicious use of WriteProcessMemory (3 IoCs)
  description: PID 3856 wrote to memory of 4464; pid 3856; process 4a796a6de8f51feb63ce21c659030e8b.exe; procid_target 90
  description: PID 3856 wrote to memory of 4464; pid 3856; process 4a796a6de8f51feb63ce21c659030e8b.exe; procid_target 90
  description: PID 3856 wrote to memory of 4464; pid 3856; process 4a796a6de8f51feb63ce21c659030e8b.exe; procid_target 90
Processes
1. C:\Users\Admin\AppData\Local\Temp\4a796a6de8f51feb63ce21c659030e8b.exe (PID 3856)
   Command line: "C:\Users\Admin\AppData\Local\Temp\4a796a6de8f51feb63ce21c659030e8b.exe"
   - Suspicious behavior: RenamesItself
   - Suspicious use of UnmapMainImage
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\4a796a6de8f51feb63ce21c659030e8b.exe (PID 4464, child of PID 3856)
      Command line: C:\Users\Admin\AppData\Local\Temp\4a796a6de8f51feb63ce21c659030e8b.exe
      - Deletes itself
      - Executes dropped EXE
      - Suspicious use of UnmapMainImage
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 829KB
MD5: 7ddd89db08e02e9ef87975fd779d8674
SHA1: eadb3ddc00d4ac32231fb57475c0ccd931453f3e
SHA256: c3da690953a7b31eda9f912b5b010491c8556fb1fdd28202723ca18b27fb57b7
SHA512: c1f0da4453e7de60f50d07a5f1a4671365f221064b388bed4d6416ef8a48fa1edb346309098aac3a2c688740ed55129fee5a944334f9e57823273a2e97ad2fba