Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13/01/2024, 05:12
Static task: static1
Behavioral task: behavioral1
  Sample: 5811412a8cf5b213a4c145ba4f772f12.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 5811412a8cf5b213a4c145ba4f772f12.exe
  Resource: win10v2004-20231215-en
General
Target: 5811412a8cf5b213a4c145ba4f772f12.exe
Size: 506KB
MD5: 5811412a8cf5b213a4c145ba4f772f12
SHA1: f3744207e2263573bffb42afac47236339b5afaa
SHA256: ae86d7d7151eef17c2bbbdda74ce298362eb874344fdc41a6c542d72f2b0a31b
SHA512: 0e833c0c5842e4f86793b1f7aa4d952b20b557c6358fc6f679a9206b59e8dc8971d5813f77477f04dc11c9f60091e90897cb4c32c2cc9aef9e1bb27a6648bda4
SSDEEP: 12288:QhroMQHJ+srmfVjkkEBAvpbeEkHNUBBPUJRX07NZtnr:gQMmmtjzvAEsNUBBpNZtnr
Malware Config
Signatures
- Deletes itself (1 IoC)
  PID 4544: 5811412a8cf5b213a4c145ba4f772f12.exe
- Executes dropped EXE (1 IoC)
  PID 4544: 5811412a8cf5b213a4c145ba4f772f12.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTP)
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  PID 4544: 5811412a8cf5b213a4c145ba4f772f12.exe
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID 1364: schtasks.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 4544: 5811412a8cf5b213a4c145ba4f772f12.exe
  PID 4544: 5811412a8cf5b213a4c145ba4f772f12.exe
- Suspicious behavior: RenamesItself (1 IoC)
  PID 1720: 5811412a8cf5b213a4c145ba4f772f12.exe
- Suspicious use of UnmapMainImage (2 IoCs)
  PID 1720: 5811412a8cf5b213a4c145ba4f772f12.exe
  PID 4544: 5811412a8cf5b213a4c145ba4f772f12.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description                        | pid  | Process                              | procid_target
  PID 1720 wrote to memory of 4544   | 1720 | 5811412a8cf5b213a4c145ba4f772f12.exe | 92
  PID 1720 wrote to memory of 4544   | 1720 | 5811412a8cf5b213a4c145ba4f772f12.exe | 92
  PID 1720 wrote to memory of 4544   | 1720 | 5811412a8cf5b213a4c145ba4f772f12.exe | 92
  PID 4544 wrote to memory of 1364   | 4544 | 5811412a8cf5b213a4c145ba4f772f12.exe | 94
  PID 4544 wrote to memory of 1364   | 4544 | 5811412a8cf5b213a4c145ba4f772f12.exe | 94
  PID 4544 wrote to memory of 1364   | 4544 | 5811412a8cf5b213a4c145ba4f772f12.exe | 94
Processes
1. C:\Users\Admin\AppData\Local\Temp\5811412a8cf5b213a4c145ba4f772f12.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\5811412a8cf5b213a4c145ba4f772f12.exe"
   PID: 1720
   - Suspicious behavior: RenamesItself
   - Suspicious use of UnmapMainImage
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\5811412a8cf5b213a4c145ba4f772f12.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\5811412a8cf5b213a4c145ba4f772f12.exe
      PID: 4544
      - Deletes itself
      - Executes dropped EXE
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of UnmapMainImage
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\schtasks.exe
         Command line: schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\5811412a8cf5b213a4c145ba4f772f12.exe" /TN Google_Trk_Updater /F
         PID: 1364
         - Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 506KB
  MD5: 647219b41379912e1798a040fd819b7a
  SHA1: 1cd985410599bfe8dd3d804664e23c0d67312faf
  SHA256: b7a07b3b4d6eb341ed7913ca81763efbdb4e868f6a8043b881005876a13aad11
  SHA512: 76d7915b70b9b5f291cae29ea413ceb3a2d9e751d0aa32b96bf294e7e51eb41a9fd258e1f8668755057388a06e6669e27274856f2971b7ab861aa47f6f2fa009