Analysis
max time kernel: 147s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08/01/2024, 13:50
Static task: static1
Behavioral task: behavioral1
  Sample: 4b9bcb26419254f35044cbea21618e0d.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 4b9bcb26419254f35044cbea21618e0d.exe
  Resource: win10v2004-20231215-en
General
Target: 4b9bcb26419254f35044cbea21618e0d.exe
Size: 771KB
MD5: 4b9bcb26419254f35044cbea21618e0d
SHA1: 16997d02ae9108d53285a4a259083a4be070f0b5
SHA256: d74be9ce4413f926d71b202f523cc065403f7b579a3684edf058fdd6826861dd
SHA512: 24036d520adc9ed6a018e03636e60f531e5f1d09198d242260c0e3c71fcff0a6611aa545be661611f06330f25afd1302f0af8a86b219a6833376acb6cc82193a
SSDEEP: 12288:T0nJwvrGpXd2gaxFsaw5GdhjJ8BxW/F0FqV5MyueU6SQL/TgSE1+aUUs8Ghc4cV5:T0nJLBd2gmVdhj2BZpReUx81xcMWB
Malware Config
Signatures
Deletes itself (1 IoCs)
  pid   Process
  3040  4b9bcb26419254f35044cbea21618e0d.exe
Executes dropped EXE (1 IoCs)
  pid   Process
  3040  4b9bcb26419254f35044cbea21618e0d.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
Suspicious behavior: RenamesItself (1 IoCs)
  pid   Process
  1008  4b9bcb26419254f35044cbea21618e0d.exe
Suspicious use of UnmapMainImage (2 IoCs)
  pid   Process
  1008  4b9bcb26419254f35044cbea21618e0d.exe
  3040  4b9bcb26419254f35044cbea21618e0d.exe
Suspicious use of WriteProcessMemory (3 IoCs)
  description                        pid   Process                               procid_target
  PID 1008 wrote to memory of 3040   1008  4b9bcb26419254f35044cbea21618e0d.exe  15
  PID 1008 wrote to memory of 3040   1008  4b9bcb26419254f35044cbea21618e0d.exe  15
  PID 1008 wrote to memory of 3040   1008  4b9bcb26419254f35044cbea21618e0d.exe  15
Processes
1. C:\Users\Admin\AppData\Local\Temp\4b9bcb26419254f35044cbea21618e0d.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\4b9bcb26419254f35044cbea21618e0d.exe"
   PID: 1008
   - Suspicious behavior: RenamesItself
   - Suspicious use of UnmapMainImage
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\4b9bcb26419254f35044cbea21618e0d.exe (child of PID 1008)
      Command line: C:\Users\Admin\AppData\Local\Temp\4b9bcb26419254f35044cbea21618e0d.exe
      PID: 3040
      - Deletes itself
      - Executes dropped EXE
      - Suspicious use of UnmapMainImage
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 56KB
MD5: 2865aa14fcfec814e0beb9715d54b974
SHA1: 54e3521cf27adf8d9f7053b5ac21f5ae3e7c2287
SHA256: 11d7c0d666556a02f733853fcf11242c7155acd0755e39ea669991d07d4aa27c
SHA512: c22178be2e02f95d0ddb76f611d977ea704326d151c0575cba2289c49ce142e54edf79a34c7533143a9d1bcfaf173520b19a184f7852f28247908ff78f83c341