Analysis
  max time kernel: 155s
  max time network: 147s
  platform: windows10-2004_x64
  resource: win10v2004-20231215-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 09/01/2024, 03:10
Static task
  static1
Behavioral task
  behavioral1
  Sample: 4d2f403fe0f23a67cb1ae46a264f20ec.exe
  Resource: win7-20231215-en
Behavioral task
  behavioral2
  Sample: 4d2f403fe0f23a67cb1ae46a264f20ec.exe
  Resource: win10v2004-20231215-en
General
  Target: 4d2f403fe0f23a67cb1ae46a264f20ec.exe
  Size: 43KB
  MD5: 4d2f403fe0f23a67cb1ae46a264f20ec
  SHA1: 637977adc22baf18cf47ff65e4d4d06c6d24e172
  SHA256: 4dbab4356827d58c1d7d7366128b06f4286905b45590b2ad3aaa55dfb3646745
  SHA512: 37660f842119d4dab563d677bb7468ab6bf88eb9a9159f66ce11210b42fd7d7165a2dc5e3fade03037eedf244389f8544b6fe6cafbb4a701f3e50c33c2a90774
  SSDEEP: 768:rQPnOX6XRd9PB71WC2pP4eMHA8gLa1hPsdWakcT8nqr3:rYzn9p5JUPcILaNy4n8
Malware Config
Signatures
- Adds policy Run key to start application (2 TTPs, 2 IoCs)
    description      ioc                                                                                                     process
    Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\explorer\run                        4d2f403fe0f23a67cb1ae46a264f20ec.exe
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\ISHOST.EXE = "ISHOST.EXE"  4d2f403fe0f23a67cb1ae46a264f20ec.exe
- Executes dropped EXE (1 IoCs)
    pid    process
    1336   ismini.exe
- Drops file in System32 directory (2 IoCs)
    description   ioc                                        process
    File created  C:\Windows\SysWOW64\ismini.exe             4d2f403fe0f23a67cb1ae46a264f20ec.exe
    File created  C:\Windows\SysWOW64\components\flx0.dll    4d2f403fe0f23a67cb1ae46a264f20ec.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
- Suspicious use of WriteProcessMemory (3 IoCs)
    description                        pid    process                                procid_target
    PID 1616 wrote to memory of 1336   1616   4d2f403fe0f23a67cb1ae46a264f20ec.exe   90
    PID 1616 wrote to memory of 1336   1616   4d2f403fe0f23a67cb1ae46a264f20ec.exe   90
    PID 1616 wrote to memory of 1336   1616   4d2f403fe0f23a67cb1ae46a264f20ec.exe   90
Processes
  1. C:\Users\Admin\AppData\Local\Temp\4d2f403fe0f23a67cb1ae46a264f20ec.exe
     Command line: "C:\Users\Admin\AppData\Local\Temp\4d2f403fe0f23a67cb1ae46a264f20ec.exe"
     PID: 1616
     - Adds policy Run key to start application
     - Drops file in System32 directory
     - Suspicious behavior: EnumeratesProcesses
     - Suspicious use of WriteProcessMemory
     2. C:\Windows\SysWOW64\ismini.exe
        Command line: C:\Windows\system32\ismini.exe
        PID: 1336
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 7KB
  MD5: 07826a10cf25d3766950b24901264b6c
  SHA1: bfa3eed48203bbcc7d9183f96818cf048e78e2df
  SHA256: 427b8a0b66fc8cc8fba65743195cd228b9455db3b4ff06b84c7a51b225d48872
  SHA512: c12a1c0aa2465d5e92829e053f7ea96c256ce5c9cc7ad71334e1f568916843f503efccf7d7b26873c969fda1181db2828a36d36792a9e9d6d03702c14e9c8169