Analysis
-
max time kernel
88s -
max time network
124s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system -
submitted
18/01/2024, 02:18
Static task
static1
Behavioral task
behavioral1
Sample
6439825726ab2c6d37be560ab2372ed8.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
6439825726ab2c6d37be560ab2372ed8.exe
Resource
win10v2004-20231215-en
General
-
Target
6439825726ab2c6d37be560ab2372ed8.exe
-
Size
771KB
-
MD5
6439825726ab2c6d37be560ab2372ed8
-
SHA1
b3332fe2470d74342fe8fa32b874b49c6ae918ca
-
SHA256
a60b310bb5e53515c319e765ce0f04f83b16703f7910c44228eda35741ab0b86
-
SHA512
90d2cb965b9cce40086be969685dfd81baf9beac1743dc1c519c5f60b141d88367726663bff563613a6906d2d5dada130c7cddb2da0a58a288bd920c5d18353c
-
SSDEEP
12288:Hx2X1IVs7a11XAcnl3zcv51LBg3PzJLniYZ/C9OFEIif0F6rerfrEhU8zFVMB:HoCVsaXlDcvfBg3tvZWqEIz6qrfiTMB
Malware Config
Signatures
-
Deletes itself 1 IoCs
pid Process
3088 6439825726ab2c6d37be560ab2372ed8.exe -
Executes dropped EXE 1 IoCs
pid Process
3088 6439825726ab2c6d37be560ab2372ed8.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Suspicious behavior: RenamesItself 1 IoCs
pid Process
740 6439825726ab2c6d37be560ab2372ed8.exe -
Suspicious use of UnmapMainImage 2 IoCs
pid Process
740 6439825726ab2c6d37be560ab2372ed8.exe
3088 6439825726ab2c6d37be560ab2372ed8.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target
PID 740 wrote to memory of 3088 740 6439825726ab2c6d37be560ab2372ed8.exe 25
PID 740 wrote to memory of 3088 740 6439825726ab2c6d37be560ab2372ed8.exe 25
PID 740 wrote to memory of 3088 740 6439825726ab2c6d37be560ab2372ed8.exe 25 -
Processes
-
C:\Users\Admin\AppData\Local\Temp\6439825726ab2c6d37be560ab2372ed8.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\6439825726ab2c6d37be560ab2372ed8.exe" (level 1)
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:740 -
  C:\Users\Admin\AppData\Local\Temp\6439825726ab2c6d37be560ab2372ed8.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\6439825726ab2c6d37be560ab2372ed8.exe (level 2, nested under PID 740)
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:3088
-
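The process tree and signature rows above describe one behaviour chain: PID 740 renames itself, unmaps its main image and writes three times into PID 3088, a process nested under it and started from the same path, and PID 3088 then runs as a dropped EXE, unmaps its own image and deletes itself. The script below is an added example, not code from tria.ge or from the sample: it re-encodes the report's rows as constructed Python data and flags any parent that writes into a direct child launched from the same image. The parent/child relation is taken from the tree nesting; the class names, dictionary keys and verdict wording are assumptions of this example.

```python
"""Constructed re-encoding of a sandbox report's process tree and signature
rows, plus a rule that flags a parent writing into a same-image child.
Illustrative example; not tria.ge code."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Proc:
    pid: int
    image: str                     # path as shown in the Processes section
    parent: Optional[int]          # None for the root of the tree
    signatures: Set[str] = field(default_factory=set)


@dataclass(frozen=True)            # frozen -> hashable, so set() works
class MemWrite:
    src_pid: int
    dst_pid: int


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\6439825726ab2c6d37be560ab2372ed8.exe"

# Constructed from the report: two processes, same image, 3088 nested under 740.
PROCS: Dict[int, Proc] = {
    740: Proc(740, SAMPLE, None,
              {"RenamesItself", "UnmapMainImage", "WriteProcessMemory"}),
    3088: Proc(3088, SAMPLE, 740,
               {"Deletes itself", "Executes dropped EXE", "UnmapMainImage"}),
}
# The WriteProcessMemory table lists the same 740 -> 3088 write three times.
WRITES: List[MemWrite] = [MemWrite(740, 3088)] * 3


def self_reexec_injections(procs: Dict[int, Proc], writes: List[MemWrite]):
    """One finding per (parent, child) pair where the parent wrote into a
    direct child that was launched from the same image path."""
    findings = []
    for w in sorted(set(writes), key=lambda m: (m.src_pid, m.dst_pid)):
        src, dst = procs.get(w.src_pid), procs.get(w.dst_pid)
        if src is None or dst is None:
            continue  # write into a process the tree does not describe
        if dst.parent != src.pid or src.image.lower() != dst.image.lower():
            continue  # cross-image or non-child injection: different rule
        findings.append({
            "parent": src.pid,
            "child": dst.pid,
            "image": src.image,
            "write_count": writes.count(w),
            "parent_unmapped_image": "UnmapMainImage" in src.signatures,
            "child_unmapped_image": "UnmapMainImage" in dst.signatures,
            "child_deletes_itself": "Deletes itself" in dst.signatures,
            "child_runs_dropped_exe": "Executes dropped EXE" in dst.signatures,
        })
    return findings


def verdict(findings) -> str:
    """Short triage line; deliberately says 'consistent with', not 'is'."""
    if not findings:
        return "no same-image parent->child memory writes"
    f = findings[0]
    parts = [f"pid {f['parent']} wrote into same-image child pid {f['child']} "
             f"({f['write_count']} write(s))"]
    if f["child_unmapped_image"]:
        parts.append("child unmapped its main image")
    if f["child_deletes_itself"]:
        parts.append("child deleted the on-disk sample")
    return ("; ".join(parts)
            + " -- consistent with self-injection/runtime unpacking; "
              "confirm with a memory dump of the child")


if __name__ == "__main__":
    for finding in self_reexec_injections(PROCS, WRITES):
        print(finding)
    print(verdict(self_reexec_injections(PROCS, WRITES)))
```

Because the child deletes the file on disk, the on-disk hashes in the General section only identify the dropper; the payload that actually runs in PID 3088 has to be recovered from memory, which is why the verdict asks for a dump rather than calling the sample unpacked.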
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
163KB
MD5 9771aa9bb44644cbf084989060cea6ff
SHA1 86c5bcf467da6b058c7ee7602c35656e9cd22944
SHA256 5163118b3be0f9fe9477d7a620f5918d755d5de1b37a67297be4261938844075
SHA512 c2695555fac5ea1efef171c60bdb1d32fc397707e077d464f422e0bb799bdaa18527c0bc9a12b4da8793dab49469b3540d56d88e37f255a17d185c02e8513fec