Analysis
- max time kernel: 137s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20231222-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 15/01/2024, 00:14
Static task: static1
Behavioral task: behavioral1
  Sample: 5ba04342255e3c284557cd85b8abe7aa.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 5ba04342255e3c284557cd85b8abe7aa.exe
  Resource: win10v2004-20231222-en
General
- Target: 5ba04342255e3c284557cd85b8abe7aa.exe
- Size: 385KB
- MD5: 5ba04342255e3c284557cd85b8abe7aa
- SHA1: 369503f017ea1ebad896219dee0715fa1b2182d7
- SHA256: 6fcca98b1f37ebd2a05204d8549185b5ac3d1ec8059210f86251c1ce752384e3
- SHA512: c908a61a8dcdd34b19c348e1ef593757a24144af37f7df9ec015d9f9d55e006c8b9f067373967937cc49e66ebb66a8ce13092ca0711f0abf86c164b4050b4ebf
- SSDEEP: 6144:V9xYXUQ8RDpsbdohRcIHrPQ9WJaVLh7BJoV/RMI6ipj90k6TTLx7ZqB:rEUQosbShbPQsJaVLhz7epy/TJwB
Malware Config
Signatures
- Deletes itself (1 IoC)
  PID 3332, process 5ba04342255e3c284557cd85b8abe7aa.exe
- Executes dropped EXE (1 IoC)
  PID 3332, process 5ba04342255e3c284557cd85b8abe7aa.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTP)
- Suspicious behavior: RenamesItself (1 IoC)
  PID 4952, process 5ba04342255e3c284557cd85b8abe7aa.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeManageVolumePrivilege, PID 2152, process svchost.exe
- Suspicious use of UnmapMainImage (2 IoCs)
  PID 4952, process 5ba04342255e3c284557cd85b8abe7aa.exe
  PID 3332, process 5ba04342255e3c284557cd85b8abe7aa.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  PID 4952 (5ba04342255e3c284557cd85b8abe7aa.exe) wrote to memory of PID 3332, procid_target 90; the same event is recorded three times
Processes
- C:\Users\Admin\AppData\Local\Temp\5ba04342255e3c284557cd85b8abe7aa.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5ba04342255e3c284557cd85b8abe7aa.exe"
  PID: 4952
  Signatures: Suspicious behavior: RenamesItself; Suspicious use of UnmapMainImage; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\5ba04342255e3c284557cd85b8abe7aa.exe (child of PID 4952)
    Command line: C:\Users\Admin\AppData\Local\Temp\5ba04342255e3c284557cd85b8abe7aa.exe
    PID: 3332
    Signatures: Deletes itself; Executes dropped EXE; Suspicious use of UnmapMainImage
- C:\Windows\system32\rundll32.exe
  Command line: "C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
  PID: 3336
- C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k UnistackSvcGroup
  PID: 2152
  Signatures: Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 385KB
  MD5: b6e8ddd9a9fab3ddcfd21104b7dc57b8
  SHA1: bfbbee7a71f50b0aceb95a424ebc6742dd10f2a8
  SHA256: 16f9f7e8517788c24127f282ec895604258878dd46fe2acfdce049ee2c23ecc6
  SHA512: bcd44d60c8851bc98e179d0049198663f2343f3a3faedd8ef01885b15172fced070ecc5b4669199ff1677f373bd08fcd14915029b1d637168a8bb6587ba126b4