Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 142s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13/01/2024, 07:39
Static task: static1
Behavioral task: behavioral1
  Sample: 585b68d46fca69811dca6a097a7023d4.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 585b68d46fca69811dca6a097a7023d4.exe
  Resource: win10v2004-20231215-en
General
Target: 585b68d46fca69811dca6a097a7023d4.exe
Size: 506KB
MD5: 585b68d46fca69811dca6a097a7023d4
SHA1: 106bd1bebd91720561927d373ea995d34c879246
SHA256: d6a753cb80ddd6794b952e39fc9b41910be404e3825400289bd27d97ec22f997
SHA512: 77a94fdf8362e1fd3e7ad9c9bdc710e814c6ec461bab10c198911ca85587e35fe3d1dc791b65d631c142e088b756b44c276479a48baa9586ca2bdb76f192493b
SSDEEP: 12288:e+XvhuKn6CAMAf721V3gbmckA6KTMFkwh8xVh2o63o1U:etLkOmzW6kB6P
Malware Config
Signatures
- Deletes itself (1 IoC)
  pid 3112  Process 585b68d46fca69811dca6a097a7023d4.exe
- Executes dropped EXE (1 IoC)
  pid 3112  Process 585b68d46fca69811dca6a097a7023d4.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTP)
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  pid 3112  Process 585b68d46fca69811dca6a097a7023d4.exe
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid 4976  Process schtasks.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid 3112  Process 585b68d46fca69811dca6a097a7023d4.exe
  pid 3112  Process 585b68d46fca69811dca6a097a7023d4.exe
- Suspicious behavior: RenamesItself (1 IoC)
  pid 4964  Process 585b68d46fca69811dca6a097a7023d4.exe
- Suspicious use of UnmapMainImage (2 IoCs)
  pid 4964  Process 585b68d46fca69811dca6a097a7023d4.exe
  pid 3112  Process 585b68d46fca69811dca6a097a7023d4.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description                        | pid  | Process                               | procid_target
  PID 4964 wrote to memory of 3112   | 4964 | 585b68d46fca69811dca6a097a7023d4.exe | 88
  PID 4964 wrote to memory of 3112   | 4964 | 585b68d46fca69811dca6a097a7023d4.exe | 88
  PID 4964 wrote to memory of 3112   | 4964 | 585b68d46fca69811dca6a097a7023d4.exe | 88
  PID 3112 wrote to memory of 4976   | 3112 | 585b68d46fca69811dca6a097a7023d4.exe | 92
  PID 3112 wrote to memory of 4976   | 3112 | 585b68d46fca69811dca6a097a7023d4.exe | 92
  PID 3112 wrote to memory of 4976   | 3112 | 585b68d46fca69811dca6a097a7023d4.exe | 92
Processes
1. C:\Users\Admin\AppData\Local\Temp\585b68d46fca69811dca6a097a7023d4.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\585b68d46fca69811dca6a097a7023d4.exe"
   - Suspicious behavior: RenamesItself
   - Suspicious use of UnmapMainImage
   - Suspicious use of WriteProcessMemory
   PID: 4964
   2. C:\Users\Admin\AppData\Local\Temp\585b68d46fca69811dca6a097a7023d4.exe (child of 1)
      Command line: C:\Users\Admin\AppData\Local\Temp\585b68d46fca69811dca6a097a7023d4.exe
      - Deletes itself
      - Executes dropped EXE
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of UnmapMainImage
      - Suspicious use of WriteProcessMemory
      PID: 3112
      3. C:\Windows\SysWOW64\schtasks.exe (child of 2)
         Command line: schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\585b68d46fca69811dca6a097a7023d4.exe" /TN Google_Trk_Updater /F
         - Creates scheduled task(s)
         PID: 4976
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 506KB
MD5: 93b97be36bb7dadd4802036024ddee5e
SHA1: e5ad5798dcfdaa400ebce51d0bc383e918048ebf
SHA256: d4f1156656c0be15bbe2d8ee45bdfea5ca5e476046a8fe1acf6f288b2ab94044
SHA512: 2dd90188bb07c5886f430a8e0d129a1dc1a8d166b4d0c638db1966ebb17a417815f79524856b2e169f89a6817b045320fec7d8d71b5c08f4c303f7dbc2457286