Analysis
max time kernel: 142s
max time network: 164s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18/01/2024, 21:57
Static task: static1
Behavioral task: behavioral1
  Sample: 66229822c751683645b7ecc5cd284f6a.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 66229822c751683645b7ecc5cd284f6a.exe
  Resource: win10v2004-20231215-en
General
Target: 66229822c751683645b7ecc5cd284f6a.exe
Size: 385KB
MD5: 66229822c751683645b7ecc5cd284f6a
SHA1: 863137ebdc5e25b715cd189ec22cd2a22c4376c0
SHA256: 7bf888baeda0aee2fef18710cb42bacd7a9d9108c7aeb8cb90d1c9bb4884dbf2
SHA512: bd4af44fcedf9007faec4ec463160829a09f09f3209fc30acd59c8f5f7fee6087cdbd1d64ccdb872f4fcad04535ab2b651aa710b2e27ff54fa9bddf346ccb409
SSDEEP: 6144:7C448c6W1+A0L4C3U6S8Y5C6Evz9KR9Q48azBdaxkrt7u1xcJ8TUU2+B:E8c6LAEZvYhEC8QB0artKf+84l+B
Malware Config
Signatures
- Deletes itself (1 IoC)
    pid    Process
    4116   66229822c751683645b7ecc5cd284f6a.exe
- Executes dropped EXE (1 IoC)
    pid    Process
    4116   66229822c751683645b7ecc5cd284f6a.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTP)
- Suspicious behavior: RenamesItself (1 IoC)
    pid    Process
    4812   66229822c751683645b7ecc5cd284f6a.exe
- Suspicious use of UnmapMainImage (2 IoCs)
    pid    Process
    4812   66229822c751683645b7ecc5cd284f6a.exe
    4116   66229822c751683645b7ecc5cd284f6a.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
    description                        pid    Process                                 procid_target
    PID 4812 wrote to memory of 4116   4812   66229822c751683645b7ecc5cd284f6a.exe    88
    PID 4812 wrote to memory of 4116   4812   66229822c751683645b7ecc5cd284f6a.exe    88
    PID 4812 wrote to memory of 4116   4812   66229822c751683645b7ecc5cd284f6a.exe    88
Processes
- C:\Users\Admin\AppData\Local\Temp\66229822c751683645b7ecc5cd284f6a.exe (depth 1)
    Command line: "C:\Users\Admin\AppData\Local\Temp\66229822c751683645b7ecc5cd284f6a.exe"
    PID: 4812
    Signatures:
    - Suspicious behavior: RenamesItself
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\66229822c751683645b7ecc5cd284f6a.exe (depth 2, child of PID 4812)
        Command line: C:\Users\Admin\AppData\Local\Temp\66229822c751683645b7ecc5cd284f6a.exe
        PID: 4116
        Signatures:
        - Deletes itself
        - Executes dropped EXE
        - Suspicious use of UnmapMainImage
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 385KB
  MD5: b9cb9f465f6e64f962f59efb47344165
  SHA1: 36ece3c69ca6c513b7073757eef02bb0e0c67565
  SHA256: dc712c16eb103cdc38eecaad3161e3fb90d4e69477605b49cabbfee97b8c9320
  SHA512: 2382232efbd420c3c0bc1605d8bbc5aea8d8715adc41a2ca7ccbb42a2841848c137589cec3f382fd8611a2d5c4d4630edf4ca85297d922ca897b584cd15f0261