Analysis
max time kernel: 88s
max time network: 123s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27/01/2024, 08:15
Static task: static1
Behavioral task: behavioral1 (sample 79bac15fd0cb98600ca831073ec46437.exe, resource win7-20231215-en)
Behavioral task: behavioral2 (sample 79bac15fd0cb98600ca831073ec46437.exe, resource win10v2004-20231215-en)
General
Target: 79bac15fd0cb98600ca831073ec46437.exe
Size: 771KB
MD5: 79bac15fd0cb98600ca831073ec46437
SHA1: 7931ce5bc05402e49f9225284490f56fe6f1175e
SHA256: 5e6bc3a9d8c7f96fd8d2fa73726d9f6d0a39141d7a3398977c40cb58081f91c2
SHA512: 8176e7fee10f20fcf2a646275a4b6cb673cf71ccc47dee2b43faafa34adbe71ddfc25bd2501bcacfbb21a996a588fd98b27f15f61a1ed64d805eb4769d75a98e
SSDEEP: 12288:UXrhbAh+QHBtCOCKNJVogekNI0dhm9HoiesJqsERSJZSBlKlAh+Xlb10VHmDXTuT:Ubah+zOBeb10hJaothZ2/T6FBBB
Malware Config
Signatures
Deletes itself (1 IoC)
  pid 2752  79bac15fd0cb98600ca831073ec46437.exe
Executes dropped EXE (1 IoC)
  pid 2752  79bac15fd0cb98600ca831073ec46437.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
  flow 3  pastebin.com
  flow 4  pastebin.com
Suspicious behavior: RenamesItself (1 IoC)
  pid 3272  79bac15fd0cb98600ca831073ec46437.exe
Suspicious use of UnmapMainImage (2 IoCs)
  pid 3272  79bac15fd0cb98600ca831073ec46437.exe
  pid 2752  79bac15fd0cb98600ca831073ec46437.exe
Suspicious use of WriteProcessMemory (3 IoCs)
  description                        pid   process                               procid_target
  PID 3272 wrote to memory of 2752   3272  79bac15fd0cb98600ca831073ec46437.exe  86
  PID 3272 wrote to memory of 2752   3272  79bac15fd0cb98600ca831073ec46437.exe  86
  PID 3272 wrote to memory of 2752   3272  79bac15fd0cb98600ca831073ec46437.exe  86
Processes
1. C:\Users\Admin\AppData\Local\Temp\79bac15fd0cb98600ca831073ec46437.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\79bac15fd0cb98600ca831073ec46437.exe"
   PID: 3272
   - Suspicious behavior: RenamesItself
   - Suspicious use of UnmapMainImage
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\79bac15fd0cb98600ca831073ec46437.exe (child of PID 3272)
      command line: C:\Users\Admin\AppData\Local\Temp\79bac15fd0cb98600ca831073ec46437.exe
      PID: 2752
      - Deletes itself
      - Executes dropped EXE
      - Suspicious use of UnmapMainImage
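The process tree above is the pattern a detection would key on: the sample (PID 3272) renames itself, re-launches its own image as a child (PID 2752), writes into that child's memory three times, and the child then deletes itself and reaches out to pastebin.com. The following is an added example, not tria.ge's own code or output. It rebuilds the report's process tree, signature hits and flows as constructed event records (the field names and the `PASTE_HOSTS` list are my assumptions, not the tria.ge export format) and flags a same-image parent that writes into its own child, plus flows to paste sites.

```python
"""Flag self-injection / self-replacement from sandbox-style process events.

Added example, not tria.ge code. The event records are constructed from this
report's process tree and signature tables (PIDs 3272 and 2752); the record
schema is an assumption made for the example.
"""
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\79bac15fd0cb98600ca831073ec46437.exe"

# Constructed from the report: two process creations, three WriteProcessMemory
# hits from parent to child, the RenamesItself / DeletesItself / dropped-EXE
# signatures, and the two pastebin.com flows.
EVENTS = [
    {"type": "process", "pid": 3272, "ppid": None, "image": SAMPLE},
    {"type": "process", "pid": 2752, "ppid": 3272, "image": SAMPLE},
    {"type": "write_memory", "pid": 3272, "target_pid": 2752},
    {"type": "write_memory", "pid": 3272, "target_pid": 2752},
    {"type": "write_memory", "pid": 3272, "target_pid": 2752},
    {"type": "signature", "pid": 3272, "name": "RenamesItself"},
    {"type": "signature", "pid": 2752, "name": "DeletesItself"},
    {"type": "signature", "pid": 2752, "name": "ExecutesDroppedEXE"},
    {"type": "flow", "id": 3, "host": "pastebin.com"},
    {"type": "flow", "id": 4, "host": "pastebin.com"},
]

# Assumption: an analyst-maintained list of paste services commonly abused for
# payload staging or C2; pastebin.com is the one this report observed.
PASTE_HOSTS = {"pastebin.com", "paste.ee", "hastebin.com"}


def analyse(events):
    """Return a list of findings; empty list means nothing matched."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}

    sigs = defaultdict(set)          # pid -> set of signature names
    writes = defaultdict(int)        # (writer pid, target pid) -> count
    for e in events:
        if e["type"] == "signature":
            sigs[e["pid"]].add(e["name"])
        elif e["type"] == "write_memory":
            writes[(e["pid"], e["target_pid"])] += 1

    findings = []
    for (src, dst), count in writes.items():
        s, d = procs.get(src), procs.get(dst)
        if s is None or d is None:
            continue                 # writer or target not in the tree
        same_image = s["image"].lower() == d["image"].lower()
        if same_image and d["ppid"] == src:
            # Parent launched a copy of its own image and wrote into it:
            # the classic "hollow my own child" self-injection shape.
            findings.append({
                "rule": "self-injection",
                "parent": src,
                "child": dst,
                "writes": count,
                "parent_renames_itself": "RenamesItself" in sigs[src],
                "child_deletes_itself": "DeletesItself" in sigs[dst],
            })

    hosts = {e["host"].lower() for e in events if e["type"] == "flow"}
    for host in sorted(hosts & PASTE_HOSTS):
        findings.append({"rule": "paste-site-c2", "host": host})

    return findings


if __name__ == "__main__":
    for f in analyse(EVENTS):
        print(f)
```

The same-image check is deliberately narrow: a parent injecting into a differently named child (for example into a system binary) is a different, broader rule, and a same-image spawn without any cross-process write (a shell launching another shell) produces no finding, which keeps the rule quiet on ordinary process trees.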
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 771KB
MD5: 74fe13b62509aef890dbb0fe00c67653
SHA1: e1924b37899f932c627ed675520b71a09b1f3bf1
SHA256: 5e597a025b34e58c5f27d0dc55566b7b879a43ab9bd24939eca3f9f6ef00d420
SHA512: 95a45e492e6bf782bd32dd9185c23f3243029d77a8d271dfc9313b04040736d4d7a32ade8cc21de8dee7aa3e7b5f5e5428c36b861ab9beaa8c2ab6c9993edbc3
This file has the same 771KB size as the submitted sample but every hash differs, so it is not a byte-identical copy of the original.