Analysis
- max time kernel: 90s
- max time network: 147s
- platform: windows10-2004_x64
- resource: win10v2004-20231222-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20231222-en locale:en-us os:windows10-2004-x64 system
- submitted: 02/02/2024, 01:28
Static task
- static1

Behavioral tasks
- behavioral1: Sample 88312d4109d49430e7ade9064ca2d252.exe, Resource win7-20231129-en
- behavioral2: Sample 88312d4109d49430e7ade9064ca2d252.exe, Resource win10v2004-20231222-en
- behavioral3: Sample $PLUGINSDIR/InstallOptions.dll, Resource win7-20231129-en
- behavioral4: Sample $PLUGINSDIR/InstallOptions.dll, Resource win10v2004-20231222-en
- behavioral5: Sample $PLUGINSDIR/System.dll, Resource win7-20231129-en
- behavioral6: Sample $PLUGINSDIR/System.dll, Resource win10v2004-20231222-en
General
- Target: 88312d4109d49430e7ade9064ca2d252.exe
- Size: 82KB
- MD5: 88312d4109d49430e7ade9064ca2d252
- SHA1: 8fb506a8792b26437d42cea2999f09dead604260
- SHA256: e597c1588a75c77a9e41413069c649691a4fb8673281df15d98c4f13a6dcd684
- SHA512: 33027e3dcc6cfb0813db96c06f858be01172adf9ba68d9d5d1a8bee27319fede4410b9b0f5bb83795970e06340ad499fbc48b050032ad46f0f290fb9c1f46430
- SSDEEP: 1536:2EkjY1zy214Qay0DGkJ7qAELVigJvmcpUoJzv5oZaScIB2/D9k:dkjAJ4dDGkJ+AI0Qauzv5oZqT/R
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  pid: 4168, Process: Au_.exe
- Loads dropped DLL (2 IoCs)
  pid: 4168, Process: Au_.exe
  pid: 4168, Process: Au_.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- NSIS installer (1 IoCs)
  resource: behavioral2/files/0x0007000000023225-3.dat, yara_rule: nsis_installer_1
- Suspicious use of WriteProcessMemory (3 IoCs)
  description: PID 2668 wrote to memory of 4168, pid: 2668, Process: 88312d4109d49430e7ade9064ca2d252.exe, procid_target: 87
  description: PID 2668 wrote to memory of 4168, pid: 2668, Process: 88312d4109d49430e7ade9064ca2d252.exe, procid_target: 87
  description: PID 2668 wrote to memory of 4168, pid: 2668, Process: 88312d4109d49430e7ade9064ca2d252.exe, procid_target: 87
Processes
- C:\Users\Admin\AppData\Local\Temp\88312d4109d49430e7ade9064ca2d252.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\88312d4109d49430e7ade9064ca2d252.exe"
  - Suspicious use of WriteProcessMemory
  PID: 2668
  - C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
    - Executes dropped EXE
    - Loads dropped DLL
    PID: 4168
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 13KB
  MD5: d765c492c21689e3d9d61634371fd861
  SHA1: ac200933671ae52c9d5544d0e2e8e9144d286c83
  SHA256: 551e6042dd494ea01549555ffc194ab9729da09058ec714eb368dd06642c9bbc
  SHA512: 9919a9e848c8f1e26c75d0d29207571e4b86a4140bd554743d2c1f8bd7f386fe4919345b163d89a5d907fb165e435ba0ac5f6b1101713636141f156a420e2e0f
- Filesize: 10KB
  MD5: fe24766ba314f620d57d0cf7339103c0
  SHA1: 8641545f03f03ff07485d6ec4d7b41cbb898c269
  SHA256: 802ef71440f662f456bed6283a5ff78066af016897fe6bfd29cac6edc2967bbd
  SHA512: 60d36959895cebf29c4e7713e6d414980139c7aa4ed1c8c96fefb672c1263af0ce909fb409534355895649c0e8056635112efb0da2ba05694446aec2ca77e2e3
- Filesize: 641B
  MD5: 04996d0c003bf8ee052745cc9745efc6
  SHA1: 5bf97c2e9eb559221ba207fc23758dc4f5a6b9ee
  SHA256: 95ea492a159441521b8f738de37cb50c31dacbf153aa6d1aceedd8fed20585e5
  SHA512: 7b376812750960342c7e8eaa77270fec609cfe82e5c6f3787373d7db5cef1c228edb0135a6cd3325bd41f099b46791586ea9a6821d91042b307c6d03512c1300
- Filesize: 82KB
  MD5: 88312d4109d49430e7ade9064ca2d252
  SHA1: 8fb506a8792b26437d42cea2999f09dead604260
  SHA256: e597c1588a75c77a9e41413069c649691a4fb8673281df15d98c4f13a6dcd684
  SHA512: 33027e3dcc6cfb0813db96c06f858be01172adf9ba68d9d5d1a8bee27319fede4410b9b0f5bb83795970e06340ad499fbc48b050032ad46f0f290fb9c1f46430