Analysis
- max time kernel: 160s
- max time network: 166s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 08/01/2024, 16:36
Behavioral task: behavioral1
- Sample: 4bed362ca73c31972f31525c6a26a821.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 4bed362ca73c31972f31525c6a26a821.exe
- Resource: win10v2004-20231215-en
General
- Target: 4bed362ca73c31972f31525c6a26a821.exe
- Size: 14KB
- MD5: 4bed362ca73c31972f31525c6a26a821
- SHA1: 05ab81f4d826286c21adeb3159fe28eea130119b
- SHA256: c8db874f0f3c3e1765c13a118cc151221173cc721530ef84839ed2fcdaac1f0a
- SHA512: 3f915faa00523affc644ab9c91fc32c2ddc4686d28cc01345f06b907ab0c82939515a141c73b40fea560c834106005ed395199303a0dbf59300eeedf3be00e9e
- SSDEEP: 384:nnE+BJZLti8TwAM9FrbQ4Y06bkJUVcgnUsDmnB2n4:nEGZBjwAMPA4Y06cgUsQQn
Malware Config
Signatures
- Modifies AppInit DLL entries (2 TTPs)
- Executes dropped EXE (1 IoC)
  - pid 3208, process lenschk.exe
- YARA rule matches (resource / yara_rule)
  - behavioral2/memory/2020-0-0x0000000000400000-0x000000000040F000-memory.dmp / upx
  - behavioral2/files/0x000b00000002300a-4.dat / upx
  - behavioral2/memory/2020-6-0x0000000000400000-0x000000000040F000-memory.dmp / upx
  - behavioral2/memory/3208-7-0x0000000000400000-0x000000000040F000-memory.dmp / upx
- Drops file in System32 directory (3 IoCs)
  - File created: C:\Windows\SysWOW64\lensch.dll (process 4bed362ca73c31972f31525c6a26a821.exe)
  - File created: C:\Windows\SysWOW64\lenschk.exe (process 4bed362ca73c31972f31525c6a26a821.exe)
  - File opened for modification: C:\Windows\SysWOW64\lenschk.exe (process 4bed362ca73c31972f31525c6a26a821.exe)
- Suspicious use of WriteProcessMemory (6 IoCs)
  - PID 2020 wrote to memory of 3208 (process 4bed362ca73c31972f31525c6a26a821.exe, procid_target 91), logged 3 times
  - PID 2020 wrote to memory of 3548 (process 4bed362ca73c31972f31525c6a26a821.exe, procid_target 96), logged 3 times
Processes
- C:\Users\Admin\AppData\Local\Temp\4bed362ca73c31972f31525c6a26a821.exe (PID 2020)
  command line: "C:\Users\Admin\AppData\Local\Temp\4bed362ca73c31972f31525c6a26a821.exe"
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\lenschk.exe (PID 3208, child of 2020)
    command line: C:\Windows\system32\lenschk.exe ˜‰
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 3548, child of 2020)
    command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\4bed362ca73c31972f31525c6a26a821.exe.bat
Network
MITRE ATT&CK Enterprise v15
Downloads
- File 1
  - Filesize: 182B
  - MD5: c5d75d9565272cf9f3667050b5e9e006
  - SHA1: db00b197718a434d7cd4e24d1a5bf4847766d909
  - SHA256: c52eb5f29a0b37b8ee911f33dfafa21478db5a9d3a2eeb569a0255d261d49567
  - SHA512: 390124af24d751cb20a18879cce54e18fdcc5bc12cbed6b7b924e5658d7e8033edbb17d4f5b5727c4d18629310f0cf81a7535a25f938135ba83656f216ad98b7
- File 2 (same hashes as the submitted sample listed under General)
  - Filesize: 14KB
  - MD5: 4bed362ca73c31972f31525c6a26a821
  - SHA1: 05ab81f4d826286c21adeb3159fe28eea130119b
  - SHA256: c8db874f0f3c3e1765c13a118cc151221173cc721530ef84839ed2fcdaac1f0a
  - SHA512: 3f915faa00523affc644ab9c91fc32c2ddc4686d28cc01345f06b907ab0c82939515a141c73b40fea560c834106005ed395199303a0dbf59300eeedf3be00e9e