Analysis
max time kernel: 91s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/02/2024, 18:40
Behavioral task: behavioral1
Sample: 8a40e729cf33d06ed1fdd3ea5260d195.exe
Resource: win7-20231215-en

Behavioral task: behavioral2
Sample: 8a40e729cf33d06ed1fdd3ea5260d195.exe
Resource: win10v2004-20231222-en
General
Target: 8a40e729cf33d06ed1fdd3ea5260d195.exe
Size: 2.9MB
MD5: 8a40e729cf33d06ed1fdd3ea5260d195
SHA1: 9fa9fc6842ec77087cef3db536697cdb6cdaa913
SHA256: 5b714887317eca02f7aaa57e97c8d46ac1025e07c6b82c0d7e544baf51f6914d
SHA512: 10a9decd70b90d4697efab02773da00b38f48d23c21807e214a33833fd6916c0c29ad757abd48077ba1b434a5484b8cbdeb38f9e81834aef34f8cab993a6ae7d
SSDEEP: 49152:5L3b20S3MjtZGFyIAQc0aMZ4sUgCqKSP4M338dB2IBlGuuDVUsdxxjeQZwxPYRKs:5P2N3Mjt4FY0aMJUnqjgg3gnl/IVUs1h
Malware Config
Signatures
- Deletes itself (1 IoCs)
  pid 3708, process 8a40e729cf33d06ed1fdd3ea5260d195.exe
- Executes dropped EXE (1 IoCs)
  pid 3708, process 8a40e729cf33d06ed1fdd3ea5260d195.exe
- yara_rule matches
  resource behavioral2/memory/5056-0-0x0000000000400000-0x00000000008EF000-memory.dmp: upx
  resource behavioral2/files/0x00070000000231f7-11.dat: upx
- Suspicious behavior: RenamesItself (1 IoCs)
  pid 5056, process 8a40e729cf33d06ed1fdd3ea5260d195.exe
- Suspicious use of UnmapMainImage (2 IoCs)
  pid 5056, process 8a40e729cf33d06ed1fdd3ea5260d195.exe
  pid 3708, process 8a40e729cf33d06ed1fdd3ea5260d195.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  PID 5056 wrote to memory of 3708; pid 5056, process 8a40e729cf33d06ed1fdd3ea5260d195.exe, procid_target 88
  PID 5056 wrote to memory of 3708; pid 5056, process 8a40e729cf33d06ed1fdd3ea5260d195.exe, procid_target 88
  PID 5056 wrote to memory of 3708; pid 5056, process 8a40e729cf33d06ed1fdd3ea5260d195.exe, procid_target 88
Processes
1. C:\Users\Admin\AppData\Local\Temp\8a40e729cf33d06ed1fdd3ea5260d195.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\8a40e729cf33d06ed1fdd3ea5260d195.exe"
   PID: 5056
   - Suspicious behavior: RenamesItself
   - Suspicious use of UnmapMainImage
   - Suspicious use of WriteProcessMemory
   2. (child of 1) C:\Users\Admin\AppData\Local\Temp\8a40e729cf33d06ed1fdd3ea5260d195.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\8a40e729cf33d06ed1fdd3ea5260d195.exe
      PID: 3708
      - Deletes itself
      - Executes dropped EXE
      - Suspicious use of UnmapMainImage
Network
MITRE ATT&CK Matrix
Downloads
Filesize: 2.2MB
MD5: 43efcf857760d0e8bc09def8d88e8c5e
SHA1: 90874909c06fcd730dadd68d01dcedddd38d0180
SHA256: f9ade04ed584c190a83bbde22bd94f99ebf3ac82bf1659c68f2c66135bb7c4db
SHA512: 790c11669e3d9584b559d3e54561c95db61340288d7fddb7c4dd3641f38fd2c88ebf8980c9fc683b6098c5ff6d2add69b8628e181f7e79e85749f20b0ed9ebee