Analysis
max time kernel: 128s
max time network: 144s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27/01/2024, 13:01
Static task
static1
Behavioral task
behavioral1
Sample
7a525b492d5678253fa3f5b38408a1d8.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
7a525b492d5678253fa3f5b38408a1d8.exe
Resource
win10v2004-20231215-en
General
Target: 7a525b492d5678253fa3f5b38408a1d8.exe
Size: 506KB
MD5: 7a525b492d5678253fa3f5b38408a1d8
SHA1: 1adf8745113b9ec8454bf98ee1b44caaafb70a90
SHA256: fcc40608bd203d8611ef32f0a12ba60a60d3de316ba6fc79f3b093517a49ddc0
SHA512: b955722d4a93c75bc14a7bee0425884379346b9f3dfad309159f50c7531a5c053a100ac9eb188ffa7f6556edbe286a71a6fefd17638bfdf7344ab6d93c8e2a5d
SSDEEP: 12288:9HYQh0Za0aMNNnv8123le8Sjxv3PIfSicJ9yjXF3fS:9xuaMNtv8Setv9ibS
Malware Config
Signatures
Deletes itself (1 IoC)
  PID 2424 7a525b492d5678253fa3f5b38408a1d8.exe
Executes dropped EXE (1 IoC)
  PID 2424 7a525b492d5678253fa3f5b38408a1d8.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
  flow 8: pastebin.com
  flow 10: pastebin.com
Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  PID 2424 7a525b492d5678253fa3f5b38408a1d8.exe
Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID 5028 schtasks.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 2424 7a525b492d5678253fa3f5b38408a1d8.exe
  PID 2424 7a525b492d5678253fa3f5b38408a1d8.exe
Suspicious behavior: RenamesItself (1 IoC)
  PID 948 7a525b492d5678253fa3f5b38408a1d8.exe
Suspicious use of UnmapMainImage (2 IoCs)
  PID 948 7a525b492d5678253fa3f5b38408a1d8.exe
  PID 2424 7a525b492d5678253fa3f5b38408a1d8.exe
Suspicious use of WriteProcessMemory (6 IoCs)
  PID 948 wrote to memory of 2424 (7a525b492d5678253fa3f5b38408a1d8.exe, procid_target 87), 3 events
  PID 2424 wrote to memory of 5028 (7a525b492d5678253fa3f5b38408a1d8.exe, procid_target 91), 3 events
Processes
1. C:\Users\Admin\AppData\Local\Temp\7a525b492d5678253fa3f5b38408a1d8.exe (PID 948)
   Command line: "C:\Users\Admin\AppData\Local\Temp\7a525b492d5678253fa3f5b38408a1d8.exe"
   - Suspicious behavior: RenamesItself
   - Suspicious use of UnmapMainImage
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\7a525b492d5678253fa3f5b38408a1d8.exe (PID 2424, spawned by 948)
      Command line: C:\Users\Admin\AppData\Local\Temp\7a525b492d5678253fa3f5b38408a1d8.exe
      - Deletes itself
      - Executes dropped EXE
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of UnmapMainImage
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\schtasks.exe (PID 5028, spawned by 2424)
         Command line: schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\7a525b492d5678253fa3f5b38408a1d8.exe" /TN Google_Trk_Updater /F
         - Creates scheduled task(s)
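The process tree carries the two behaviours an analyst would actually alert on: PID 948 spawns a second copy of itself, writes into it, and both processes unmap their main image (the classic self-injection / process-hollowing shape), and the injected copy then registers an ONLOGON task with /RL HIGHEST that points back at the dropped binary in %LocalAppData%\Temp. The Python below is an added example, not tria.ge's code or anything from the sample: it scores a small event table constructed from this report's process tree. The ProcEvent structure, the field names, the list of user-writable paths and the set of persistent triggers are the example's own assumptions, not tria.ge's export format.

```python
"""Added detection example (not tria.ge's code): scores the process tree above.

Events are constructed from the report's process tree (PIDs 948, 2424, 5028)
and its WriteProcessMemory / UnmapMainImage rows; field names are assumptions.
"""
import re
import shlex
from dataclasses import dataclass, field


@dataclass
class ProcEvent:
    pid: int
    ppid: int                 # 0 = parent not present in the tree
    image: str
    cmdline: str
    wrote_to: list = field(default_factory=list)   # PIDs this process wrote memory into
    unmapped_main_image: bool = False


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\7a525b492d5678253fa3f5b38408a1d8.exe"

# Constructed from the report's process tree (assumed layout, not a tria.ge export).
EVENTS = [
    ProcEvent(948, 0, SAMPLE, f'"{SAMPLE}"', wrote_to=[2424], unmapped_main_image=True),
    ProcEvent(2424, 948, SAMPLE, SAMPLE, wrote_to=[5028], unmapped_main_image=True),
    ProcEvent(5028, 2424, r"C:\Windows\SysWOW64\schtasks.exe",
              f'schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "{SAMPLE}" /TN Google_Trk_Updater /F'),
]

# Locations a standard user can write to; a task binary living here is a red flag (assumed list).
USER_WRITABLE = re.compile(
    r"\\(AppData\\Local\\Temp|AppData\\Roaming|Users\\Public|ProgramData|Windows\\Temp)\\", re.I)
# Triggers that make a task persistent rather than a one-off run (assumed list).
PERSISTENT_TRIGGERS = {"ONLOGON", "ONSTART", "ONIDLE", "MINUTE", "HOURLY", "DAILY"}


def parse_schtasks(cmdline):
    """Return schtasks.exe switches as {'/CREATE': True, '/SC': 'ONLOGON', ...}.

    posix=False keeps the quoted /TR value as a single token and leaves the
    backslashes untouched; the surrounding quotes are stripped afterwards.
    """
    toks = shlex.split(cmdline, posix=False)[1:]   # drop the program name
    opts, i = {}, 0
    while i < len(toks):
        key = toks[i].upper()
        nxt = toks[i + 1] if i + 1 < len(toks) else None
        if key.startswith("/") and nxt is not None and not nxt.startswith("/"):
            opts[key] = nxt.strip('"')   # switch with a value
            i += 2
        else:
            opts[key] = True             # bare switch such as /CREATE or /F
            i += 1
    return opts


def schtasks_findings(ev, parent):
    """Reasons a schtasks.exe /CREATE looks like malware persistence."""
    reasons = []
    if not ev.image.lower().endswith("\\schtasks.exe"):
        return reasons
    opts = parse_schtasks(ev.cmdline)
    if "/CREATE" not in opts:
        return reasons
    if parent is not None and USER_WRITABLE.search(parent.image):
        reasons.append(f"schtasks.exe spawned by a binary in a user-writable path ({parent.image})")
    target = opts.get("/TR", "")
    if isinstance(target, str) and USER_WRITABLE.search(target):
        reasons.append(f"task runs a binary from a user-writable path ({target})")
    if str(opts.get("/SC", "")).upper() in PERSISTENT_TRIGGERS:
        reasons.append(f"persistent trigger /SC {opts['/SC']}")
    if str(opts.get("/RL", "")).upper() == "HIGHEST":
        reasons.append("/RL HIGHEST: task runs with the highest privileges the user has")
    if "/F" in opts:
        reasons.append("/F overwrites an existing task of the same name without prompting")
    return reasons


def injection_findings(ev, parent):
    """Parent wrote into a fresh copy of itself whose main image was unmapped."""
    reasons = []
    if parent is None:
        return reasons
    same_image = parent.image.lower() == ev.image.lower()
    if same_image and ev.pid in parent.wrote_to and ev.unmapped_main_image:
        reasons.append(
            f"PID {parent.pid} wrote into PID {ev.pid}, a copy of itself with its main image "
            "unmapped: the process-hollowing / self-injection pattern")
    return reasons


def analyse(events):
    """Map PID -> list of reasons; PIDs with nothing to report are omitted."""
    by_pid = {e.pid: e for e in events}
    report = {}
    for ev in events:
        parent = by_pid.get(ev.ppid)
        reasons = injection_findings(ev, parent) + schtasks_findings(ev, parent)
        if reasons:
            report[ev.pid] = reasons
    return report


if __name__ == "__main__":
    for pid, reasons in analyse(EVENTS).items():
        print(f"PID {pid}:")
        for r in reasons:
            print("  -", r)
```

Run against the constructed events, PID 2424 is reported for the self-injection pattern and PID 5028 for all five schtasks indicators; a vendor task created once from C:\Program Files with no /RL HIGHEST produces no finding, which is the false-positive floor the path and trigger lists are meant to keep.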
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 154KB
MD5: 5f0c0ef5c03e96e84de1b07b79544b49
SHA1: 7c0420754946e3cd5884bce3b1813632b7b403d5
SHA256: 27f120accf577df727051d0b60b8b038686dc209c4ee163f5a47f024dbe58140
SHA512: 42a01704d5c0d74667446762ff821f26abe3352c14be83587837b4ef1645819565212e2958fc75f988f002d801cc6ebdefc016a0ca16104f3749dc4008789901