Analysis
- max time kernel: 149s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 08/01/2024, 10:42

Static task: static1

Behavioral task: behavioral1
- Sample: 4b387ae9bf23015f02e6912545daed19.exe
- Resource: win7-20231129-en

Behavioral task: behavioral2
- Sample: 4b387ae9bf23015f02e6912545daed19.exe
- Resource: win10v2004-20231215-en
General
- Target: 4b387ae9bf23015f02e6912545daed19.exe
- Size: 385KB
- MD5: 4b387ae9bf23015f02e6912545daed19
- SHA1: dea98393b6ae92a7155433c6155f9eaf578e9197
- SHA256: 03a0091fa09d38ff01286abc3c920c62cd0c7a57a7d2b338e221d8f259fc28ce
- SHA512: e9fec24808c756f800c10df92c0e2b23975ae878833194fb5061cd73f413860704ed33e48c5403df7425a3ec3e3bc5fb8d738f503f324e86fda52da14220400f
- SSDEEP: 12288:gbb6F/1iDIbIUHblc9VKrZM0mBJwgYwRn24HB:AbQ8IhJYV3vkgH2AB
Malware Config
Signatures
- Deletes itself (1 IoCs)
  pid 3060, process 4b387ae9bf23015f02e6912545daed19.exe
- Executes dropped EXE (1 IoCs)
  pid 3060, process 4b387ae9bf23015f02e6912545daed19.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
- Suspicious behavior: RenamesItself (1 IoCs)
  pid 1872, process 4b387ae9bf23015f02e6912545daed19.exe
- Suspicious use of UnmapMainImage (2 IoCs)
  pid 1872, process 4b387ae9bf23015f02e6912545daed19.exe
  pid 3060, process 4b387ae9bf23015f02e6912545daed19.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description: PID 1872 wrote to memory of 3060; pid 1872; process 4b387ae9bf23015f02e6912545daed19.exe; procid_target 89
  description: PID 1872 wrote to memory of 3060; pid 1872; process 4b387ae9bf23015f02e6912545daed19.exe; procid_target 89
  description: PID 1872 wrote to memory of 3060; pid 1872; process 4b387ae9bf23015f02e6912545daed19.exe; procid_target 89
Processes
- C:\Users\Admin\AppData\Local\Temp\4b387ae9bf23015f02e6912545daed19.exe (tree depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\4b387ae9bf23015f02e6912545daed19.exe"
  PID: 1872
  - Suspicious behavior: RenamesItself
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\4b387ae9bf23015f02e6912545daed19.exe (tree depth 2, child process)
    Command line: C:\Users\Admin\AppData\Local\Temp\4b387ae9bf23015f02e6912545daed19.exe
    PID: 3060
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of UnmapMainImage
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 340KB
  MD5: a76feffc3c826100051464e87f0d278c
  SHA1: 0dfe0b6c9b65ab7ddca777e51422704d41034d32
  SHA256: 38aa7005071af2df5164e886f4760b6cc4f17e0dd7eab6a9d7b781f6d95f83a2
  SHA512: 6c83451f05777efae869bdb1cbc024e391279d72f29c6746b98d1d66770dfa518f2d0a272d241d6b13c31725e9f77091b49107271504b1fc99a69a3d9128695d