Analysis
max time kernel: 133s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10/01/2024, 07:56
Behavioral task: behavioral1
Sample: 5001f3bd0c261eb6935e95faa7f9cbfa.exe
Resource: win7-20231129-en

Behavioral task: behavioral2
Sample: 5001f3bd0c261eb6935e95faa7f9cbfa.exe
Resource: win10v2004-20231215-en
General
Target: 5001f3bd0c261eb6935e95faa7f9cbfa.exe
Size: 2.7MB
MD5: 5001f3bd0c261eb6935e95faa7f9cbfa
SHA1: 80f75f0c460d84707d160a6e36960f83366b757b
SHA256: 374f5dc5f004869401e7eca5c00a584da4184e7a59a06cbefb4174efecb4f8ac
SHA512: 9fa9590abf50fa1c5ab14dc9e9733aa8d14d4b20eb0fd577cd3686dcae1d60a95914f6924eda13e8dc1ec28d17bd1d5f07fc1bd600122a5588366d2077aff4b1
SSDEEP: 49152:KkkpKsRF6uVkkOAUnVQYc9MCMdzF0cIkflaMdVfmxNZxqPozneYg:svRp2hvnVvc9MCMdBVzfmxNqAzn
Malware Config

Signatures

- Deletes itself (1 IoCs)
  pid   Process
  2612  5001f3bd0c261eb6935e95faa7f9cbfa.exe

- Executes dropped EXE (1 IoCs)
  pid   Process
  2612  5001f3bd0c261eb6935e95faa7f9cbfa.exe

- (signature name not present in the report)
  resource                                                                      yara_rule
  behavioral2/memory/2672-0-0x0000000000400000-0x000000000086A000-memory.dmp    upx
  behavioral2/files/0x0009000000022480-13.dat                                   upx
  behavioral2/memory/2612-15-0x0000000000400000-0x000000000086A000-memory.dmp   upx

- Suspicious behavior: RenamesItself (1 IoCs)
  pid   Process
  2672  5001f3bd0c261eb6935e95faa7f9cbfa.exe

- Suspicious use of UnmapMainImage (2 IoCs)
  pid   Process
  2672  5001f3bd0c261eb6935e95faa7f9cbfa.exe
  2612  5001f3bd0c261eb6935e95faa7f9cbfa.exe

- Suspicious use of WriteProcessMemory (3 IoCs)
  description                         pid   Process                                procid_target
  PID 2672 wrote to memory of 2612    2672  5001f3bd0c261eb6935e95faa7f9cbfa.exe   91
  PID 2672 wrote to memory of 2612    2672  5001f3bd0c261eb6935e95faa7f9cbfa.exe   91
  PID 2672 wrote to memory of 2612    2672  5001f3bd0c261eb6935e95faa7f9cbfa.exe   91
Processes

- [1] C:\Users\Admin\AppData\Local\Temp\5001f3bd0c261eb6935e95faa7f9cbfa.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5001f3bd0c261eb6935e95faa7f9cbfa.exe"
  PID: 2672
  - Suspicious behavior: RenamesItself
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory

  - [2] C:\Users\Admin\AppData\Local\Temp\5001f3bd0c261eb6935e95faa7f9cbfa.exe (child of PID 2672)
    Command line: C:\Users\Admin\AppData\Local\Temp\5001f3bd0c261eb6935e95faa7f9cbfa.exe
    PID: 2612
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of UnmapMainImage
Network
MITRE ATT&CK Matrix
Downloads

- Filesize: 2.7MB
  MD5: dbb66112428aa73523a4b460ea0ef15d
  SHA1: a3fb1790702d1b804717b48bd69a9dcb040af8aa
  SHA256: 716ca9c6c9e81815b6c08c89bc527f6a4f7adc4ca57b39cee24931e2982a461c
  SHA512: 7e5192a463f54feb66f63fce779ae2cb0f11e0fdf4a92d7b25285b8a70e6a27de7e2fdc51d92e29a4c2e43a7da9c6e536abafdd3a15385983dcaefe5f0a94a7d