Analysis
- max time kernel: 2s
- max time network: 121s
- platform: windows10-2004_x64
- resource: win10v2004-20231222-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12/01/2024, 05:37
Behavioral task behavioral1
- Sample: 55a2b427564b1336a6b0045f3f057f5f.exe
- Resource: win7-20231215-en
- 8 signatures
- 150 seconds

Behavioral task behavioral2
- Sample: 55a2b427564b1336a6b0045f3f057f5f.exe
- Resource: win10v2004-20231222-en
- 7 signatures
- 150 seconds
General
- Target: 55a2b427564b1336a6b0045f3f057f5f.exe
- Size: 133KB
- MD5: 55a2b427564b1336a6b0045f3f057f5f
- SHA1: 15c5f2b185e94a0257e5f99ef6885aad329858bf
- SHA256: 8835997b22588e85d432a8cc2ebcbad6e087a20bae408a19b69b725ac9711d61
- SHA512: 2995c6ea3fc5a253950c5e5e74bcd0e85ebef60b4a2a35537f64aeb9dd73553817c8c1253d7b78c2aa14ac51b52e9fd061d94732c733f7f02444cdbd8088a8bb
- SSDEEP: 3072:eX89Cuh53J6xrxzKZRlhK8SXKc8smcO28Z+jhjzQ:W895a5q7sX8sm5+jhvQ
- Score: 7/10
Malware Config
Signatures
- Deletes itself (1 IoC)
  pid 2496, process 55a2b427564b1336a6b0045f3f057f5f.exe
- Executes dropped EXE (1 IoC)
  pid 2496, process 55a2b427564b1336a6b0045f3f057f5f.exe
- yara_rule upx matched on 2 memory dumps
  behavioral2/memory/2008-0-0x0000000000400000-0x0000000000486000-memory.dmp
  behavioral2/memory/2496-14-0x0000000000400000-0x0000000000486000-memory.dmp
- Modifies system certificate store
  Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = (value elided), by 55a2b427564b1336a6b0045f3f057f5f.exe
  Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8, by 55a2b427564b1336a6b0045f3f057f5f.exe
- Suspicious behavior: RenamesItself (1 IoC)
  pid 2008, process 55a2b427564b1336a6b0045f3f057f5f.exe
- Suspicious use of UnmapMainImage (2 IoCs)
  pid 2008, process 55a2b427564b1336a6b0045f3f057f5f.exe
  pid 2496, process 55a2b427564b1336a6b0045f3f057f5f.exe
- Suspicious use of WriteProcessMemory (3 IoCs, three identical records)
  PID 2008 wrote to memory of 2496; pid 2008, process 55a2b427564b1336a6b0045f3f057f5f.exe, procid_target 19
Processes
- C:\Users\Admin\AppData\Local\Temp\55a2b427564b1336a6b0045f3f057f5f.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\55a2b427564b1336a6b0045f3f057f5f.exe
  PID: 2496
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
- C:\Users\Admin\AppData\Local\Temp\55a2b427564b1336a6b0045f3f057f5f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\55a2b427564b1336a6b0045f3f057f5f.exe"
  PID: 2008
  - Suspicious behavior: RenamesItself
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
- C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k UnistackSvcGroup
  PID: 908
- C:\Windows\system32\rundll32.exe
  Command line: "C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
  PID: 5064