Analysis
max time kernel: 1s
max time network: 54s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/01/2024, 16:55
Behavioral task: behavioral1
Sample: e59c10ac40ed4a3303ee92e1df7644d7.exe
Resource: win7-20231215-en
Behavioral task: behavioral2
Sample: e59c10ac40ed4a3303ee92e1df7644d7.exe
Resource: win10v2004-20231215-en
General
Target: e59c10ac40ed4a3303ee92e1df7644d7.exe
Size: 29KB
MD5: e59c10ac40ed4a3303ee92e1df7644d7
SHA1: aa22bb25477048c28d281c7a88f930daef31af56
SHA256: 875e70d75af9f9b9793f5750c1f72a567bf04f5f90d0b9181b22adee71b64765
SHA512: 90811fccd5ba44643b988345ef29008c88a5ad7ce278a81aa8c66b5651e6b8370b741c4c884572abd06d1389adc1da0f51cc4d11cd98b836dfd50d5ea35237ed
SSDEEP: 768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/p:AEwVs+0jNDY1qi/qR
Malware Config
Signatures
-
Executes dropped EXE (1 IoCs)
pid   Process
4984  services.exe
-
resource                                                                      yara_rule
behavioral2/memory/4616-0-0x0000000000500000-0x0000000000510200-memory.dmp    upx
behavioral2/files/0x0007000000023214-4.dat                                    upx
behavioral2/memory/4984-7-0x0000000000400000-0x0000000000408000-memory.dmp    upx
behavioral2/files/0x0007000000023214-6.dat                                    upx
behavioral2/memory/4984-14-0x0000000000400000-0x0000000000408000-memory.dmp   upx
behavioral2/memory/4616-13-0x0000000000500000-0x0000000000510200-memory.dmp   upx
behavioral2/memory/4984-19-0x0000000000400000-0x0000000000408000-memory.dmp   upx
behavioral2/memory/4984-24-0x0000000000400000-0x0000000000408000-memory.dmp   upx
behavioral2/memory/4984-26-0x0000000000400000-0x0000000000408000-memory.dmp   upx
behavioral2/memory/4984-31-0x0000000000400000-0x0000000000408000-memory.dmp   upx
behavioral2/memory/4616-30-0x0000000000500000-0x0000000000510200-memory.dmp   upx
behavioral2/memory/4984-36-0x0000000000400000-0x0000000000408000-memory.dmp   upx
behavioral2/memory/4984-38-0x0000000000400000-0x0000000000408000-memory.dmp   upx
behavioral2/memory/4616-37-0x0000000000500000-0x0000000000510200-memory.dmp   upx
behavioral2/memory/4984-43-0x0000000000400000-0x0000000000408000-memory.dmp   upx
behavioral2/files/0x000700000002323b-51.dat                                   upx
behavioral2/memory/4616-95-0x0000000000500000-0x0000000000510200-memory.dmp   upx
behavioral2/memory/4984-96-0x0000000000400000-0x0000000000408000-memory.dmp   upx
-
Adds Run key to start application (2 TTPs, 2 IoCs)
description      ioc                                                                                                          Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"        e59c10ac40ed4a3303ee92e1df7644d7.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"  services.exe
-
Drops file in Windows directory (3 IoCs)
description                   ioc                      Process
File created                  C:\Windows\services.exe  e59c10ac40ed4a3303ee92e1df7644d7.exe
File opened for modification  C:\Windows\java.exe      e59c10ac40ed4a3303ee92e1df7644d7.exe
File created                  C:\Windows\java.exe      e59c10ac40ed4a3303ee92e1df7644d7.exe
-
Suspicious use of WriteProcessMemory (3 IoCs)
description                        pid   Process                               procid_target
PID 4616 wrote to memory of 4984   4616  e59c10ac40ed4a3303ee92e1df7644d7.exe  21
PID 4616 wrote to memory of 4984   4616  e59c10ac40ed4a3303ee92e1df7644d7.exe  21
PID 4616 wrote to memory of 4984   4616  e59c10ac40ed4a3303ee92e1df7644d7.exe  21
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\e59c10ac40ed4a3303ee92e1df7644d7.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\e59c10ac40ed4a3303ee92e1df7644d7.exe"
   - Adds Run key to start application
   - Drops file in Windows directory
   - Suspicious use of WriteProcessMemory
   PID: 4616
   -
   2. C:\Windows\services.exe (child process)
      Command line: "C:\Windows\services.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      PID: 4984
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 25B
MD5: 8ba61a16b71609a08bfa35bc213fce49
SHA1: 8374dddcc6b2ede14b0ea00a5870a11b57ced33f
SHA256: 6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1
SHA512: 5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1
-
Filesize: 29KB
MD5: 3a0fd552a586bc58f2967b0081a39144
SHA1: 9bb03f884eae1de2030693eeb7399f3b4fecc1da
SHA256: d1b85e6cd3b61f34d610a039fa763be887d06f9a9388fdfa8045b2e52613abc5
SHA512: 93a0bdb76897dada6409e0e7c87c630b58d07010f32d49e947d519e7c5049f78a2431bb6ea9d5e42fdd7c0584e500420a7870ae4c2155672daf8c6a7aa491c05
-
Filesize: 320B
MD5: f5d107e525d31efe9071fe1c92ae081a
SHA1: b5e19c95fc820318eca8a82c4d6c8dc9087302ea
SHA256: e65135e8660c703b500b6275c8bbb05d871cf912879ba0937473383403be34db
SHA512: b6d2987539b5e22cff37be68bfa5fbe3633e46eb0ec61d1df6a512fb9c7f85be559d9bfdd19de3e1301e28a98fb9b57965b8b14c2eb3a94e1c84d9520dcc6cb2
-
Filesize: 6KB
MD5: de61db1a7c486fe8a01e05562655634d
SHA1: e751f409cb4a60a34b3d9e03c645bf8bff320b13
SHA256: 66093fed46e4f4db2b892075fd4a0f6c06e4896d2ed69f3dad8bbb2bccc96aec
SHA512: 0bc14996c51ce06a14528676122f3c400d2b99ddbe7620bc8c1eae4aa8f66a90931ee48f63275d9bbce60c1cc177356e6c48305234ed0402cff8cd5ce50e9957
-
Filesize: 6KB
MD5: d073ee16ad5287b1f5f78edc643f267f
SHA1: 657a8cd4f4f1ea1a70ade9ff6ba8278e59fd181c
SHA256: 77beb05428a41ef827e77ee5af11dc7cbd62f53a4488db334b8794cd6b185edd
SHA512: 25099bfb961b885fcc0223e9a0c570feaadd3cda0f67a3733b0e63f3cc8e3f542185bb3a013cca6f438385e145e4771ee8a62d7c69e76509638a8835ea545481