Analysis
- max time kernel: 87s
- max time network: 122s
- platform: windows10-2004_x64
- resource: win10v2004-20231222-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01/02/2024, 10:50
Static task
- static1

Behavioral task
- behavioral1
  - Sample: 86b42971b2ff27569006b24f34395768.exe
  - Resource: win7-20231215-en

Behavioral task
- behavioral2
  - Sample: 86b42971b2ff27569006b24f34395768.exe
  - Resource: win10v2004-20231222-en
General
- Target: 86b42971b2ff27569006b24f34395768.exe
- Size: 385KB
- MD5: 86b42971b2ff27569006b24f34395768
- SHA1: ff28393cee82d65410198410b6871919134a2878
- SHA256: d21751556aa42fab53b17a196f85cebe3c077900c4a435a011f0c7b246ba1101
- SHA512: 68b1abe4979bf8fcf8e84b7246d6dda15acab7769c5ec3ebec881407ef5a016def5249457d7f5a92758e13d79a2010163e0e1fb2a9d73093dff9005594f11353
- SSDEEP: 6144:LyjN+WXYXVxkwcrIFbzb/ph3hai/9BC88WITIjd1Dwi3y2HjWG/ue6QB:mh92VOBrsph3l/9BUB0RyGy+jW2EQB
Malware Config
Signatures
- Deletes itself (1 IoCs)
  pid   Process
  3512  86b42971b2ff27569006b24f34395768.exe
- Executes dropped EXE (1 IoCs)
  pid   Process
  3512  86b42971b2ff27569006b24f34395768.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)
  flow  ioc
  5     pastebin.com
  8     pastebin.com
- Suspicious behavior: RenamesItself (1 IoCs)
  pid   Process
  3864  86b42971b2ff27569006b24f34395768.exe
- Suspicious use of UnmapMainImage (2 IoCs)
  pid   Process
  3864  86b42971b2ff27569006b24f34395768.exe
  3512  86b42971b2ff27569006b24f34395768.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description                        pid   Process                                procid_target
  PID 3864 wrote to memory of 3512   3864  86b42971b2ff27569006b24f34395768.exe   87
  PID 3864 wrote to memory of 3512   3864  86b42971b2ff27569006b24f34395768.exe   87
  PID 3864 wrote to memory of 3512   3864  86b42971b2ff27569006b24f34395768.exe   87
Processes
- C:\Users\Admin\AppData\Local\Temp\86b42971b2ff27569006b24f34395768.exe (PID 3864)
  command line: "C:\Users\Admin\AppData\Local\Temp\86b42971b2ff27569006b24f34395768.exe"
  - Suspicious behavior: RenamesItself
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\86b42971b2ff27569006b24f34395768.exe (PID 3512)
    command line: C:\Users\Admin\AppData\Local\Temp\86b42971b2ff27569006b24f34395768.exe
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of UnmapMainImage
Network
Downloads
- Filesize: 385KB
- MD5: 791b45c72f9d2e60befbe31964b9282f
- SHA1: fb318fda2b4d47fdec394f65a408546b183373ba
- SHA256: b30f9f8db3c23fc9f8deff1806254ae4d0fcddab7c679c202f4db154fc67eb92
- SHA512: 4cdad7953b75c9bee81dc73a42ff632c87b3f8b22335ed9bfe554b0b96b19ef699ef5c01949fdcf2bc7aa1679d75e8c29d1d69af9534acc805c102ba21b94c63