Analysis
max time kernel: 149s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22/01/2024, 17:02
Static task: static1
Behavioral task: behavioral1
  Sample: 6fd59ffcc1785753a27653cf65764fed.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 6fd59ffcc1785753a27653cf65764fed.exe
  Resource: win10v2004-20231215-en
General
Target: 6fd59ffcc1785753a27653cf65764fed.exe
Size: 385KB
MD5: 6fd59ffcc1785753a27653cf65764fed
SHA1: b1ab0cb82d54d5c5b778eaec2ca7671591de630d
SHA256: de975905bf71ad9298dd1b651e66e44ad866903bfd3e439182ffd8578ba0b71d
SHA512: 4e57785514834d2d362d21826b6361add162057c92b310f471430fa9f71a604dc92dfb70a9abf5f9018bf48e87cfc149b6edd253e31a12972db4327f0ea6c893
SSDEEP: 6144:Sjb3EsL5CrSy8of9ksT4fsMW3mRK5szmotKHXX77D1w/FXBxpWV8G/LHSG3RzDhE:SnmnHXjD10JBxtGTHR50efEmvN2NcMB
Malware Config
Signatures
- Deletes itself (1 IoCs)
  pid 4680, process 6fd59ffcc1785753a27653cf65764fed.exe
- Executes dropped EXE (1 IoCs)
  pid 4680, process 6fd59ffcc1785753a27653cf65764fed.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
- Suspicious behavior: RenamesItself (1 IoCs)
  pid 4868, process 6fd59ffcc1785753a27653cf65764fed.exe
- Suspicious use of UnmapMainImage (2 IoCs)
  pid 4868, process 6fd59ffcc1785753a27653cf65764fed.exe
  pid 4680, process 6fd59ffcc1785753a27653cf65764fed.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description: PID 4868 wrote to memory of 4680; pid 4868; process 6fd59ffcc1785753a27653cf65764fed.exe; procid_target 86
  description: PID 4868 wrote to memory of 4680; pid 4868; process 6fd59ffcc1785753a27653cf65764fed.exe; procid_target 86
  description: PID 4868 wrote to memory of 4680; pid 4868; process 6fd59ffcc1785753a27653cf65764fed.exe; procid_target 86
Processes
- C:\Users\Admin\AppData\Local\Temp\6fd59ffcc1785753a27653cf65764fed.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6fd59ffcc1785753a27653cf65764fed.exe"
  PID: 4868
  - Suspicious behavior: RenamesItself
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\6fd59ffcc1785753a27653cf65764fed.exe (child of PID 4868)
    Command line: C:\Users\Admin\AppData\Local\Temp\6fd59ffcc1785753a27653cf65764fed.exe
    PID: 4680
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of UnmapMainImage
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 385KB
  MD5: 776cdfd486aa595698f6f00094ddb5b0
  SHA1: 953e2d393d9969fd08b17815b0dbaf41b77cf464
  SHA256: b247b2151ca6cebda9dc9a9b77d7f11521914dac09a784936eed953d4a6560ad
  SHA512: 4a304d2430b8ffbc52dc5ffc15fe0291a1b292ef484bd081fe451e3b7e1fbee6e93074d66392a678c3472f7ebfea4214b0a0fcea4e9b5fdc0dc053a557f306d5