Analysis
max time kernel: 143s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26/01/2024, 19:19
Static task: static1
Behavioral task: behavioral1
  Sample: 782d987c6e225646f7cabc9d890552da.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 782d987c6e225646f7cabc9d890552da.exe
  Resource: win10v2004-20231215-en
General
Target: 782d987c6e225646f7cabc9d890552da.exe
Size: 1000KB
MD5: 782d987c6e225646f7cabc9d890552da
SHA1: 6c87008814ee5817906fe1896feac151ce7ebc8e
SHA256: caa4426a9c16776705a00c166fcbfb6edab7042e0210816debe4160b0e6f5161
SHA512: e77616f74d9967481646272fbda052e7f9e2172b651bf33ab4afea5c766314cdde70478fa526b81eea52d92eacd3acaf449a09084713a7bfd8cb78b6192a552c
SSDEEP: 24576:1BINLmjbpzB4FMl5jaWn8T1B+5vMiqt0gj2ed:1SQP1CqOL
Malware Config
Signatures
- Deletes itself (1 IoC)
  pid 4024  782d987c6e225646f7cabc9d890552da.exe
- Executes dropped EXE (1 IoC)
  pid 4024  782d987c6e225646f7cabc9d890552da.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
  flow 16  pastebin.com
  flow 14  pastebin.com
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  pid 4024  782d987c6e225646f7cabc9d890552da.exe
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid 3180  schtasks.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid 4024  782d987c6e225646f7cabc9d890552da.exe
  pid 4024  782d987c6e225646f7cabc9d890552da.exe
- Suspicious behavior: RenamesItself (1 IoC)
  pid 564  782d987c6e225646f7cabc9d890552da.exe
- Suspicious use of UnmapMainImage (2 IoCs)
  pid 564  782d987c6e225646f7cabc9d890552da.exe
  pid 4024  782d987c6e225646f7cabc9d890552da.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 564 wrote to memory of 4024 | 564 | 782d987c6e225646f7cabc9d890552da.exe | 87
  PID 564 wrote to memory of 4024 | 564 | 782d987c6e225646f7cabc9d890552da.exe | 87
  PID 564 wrote to memory of 4024 | 564 | 782d987c6e225646f7cabc9d890552da.exe | 87
  PID 4024 wrote to memory of 3180 | 4024 | 782d987c6e225646f7cabc9d890552da.exe | 89
  PID 4024 wrote to memory of 3180 | 4024 | 782d987c6e225646f7cabc9d890552da.exe | 89
  PID 4024 wrote to memory of 3180 | 4024 | 782d987c6e225646f7cabc9d890552da.exe | 89
Processes
- C:\Users\Admin\AppData\Local\Temp\782d987c6e225646f7cabc9d890552da.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\782d987c6e225646f7cabc9d890552da.exe"
  PID: 564
  - Suspicious behavior: RenamesItself
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\782d987c6e225646f7cabc9d890552da.exe (child of PID 564)
    Command line: C:\Users\Admin\AppData\Local\Temp\782d987c6e225646f7cabc9d890552da.exe
    PID: 4024
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe (child of PID 4024)
      Command line: schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\782d987c6e225646f7cabc9d890552da.exe" /TN Google_Trk_Updater /F
      PID: 3180
      - Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1000KB
  MD5: 87b747d20d0089e69d628b3ea00818c9
  SHA1: 1a3cfc13a9122772d58912e4fdc6d3cf2d1fcd4d
  SHA256: 8fd9fd453f55e3c1984be1a2dad12e068cf35be8970660e7f9861c975a6b2315
  SHA512: 6100eb8d1676df3e7e64a9dbc4270ee334772347830cbaf79120731c50bc88c1c2bb0e2f0d01202e84d7cc7d5d1aeb3cefefa3bffe12a63928d5ba8496e8ebed