Analysis
- max time kernel: 145s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04/02/2024, 06:04
Static task: static1
Behavioral task: behavioral1
- Sample: 8e6613a2564e99d98781a795f4cc57ce.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 8e6613a2564e99d98781a795f4cc57ce.exe
- Resource: win10v2004-20231215-en
General
- Target: 8e6613a2564e99d98781a795f4cc57ce.exe
- Size: 16KB
- MD5: 8e6613a2564e99d98781a795f4cc57ce
- SHA1: 2e29210e55235f5a9a5b8c0120b9682c08318465
- SHA256: b32e99e981523dc367b400352de5a13930171675d3d5f8e83a6d7ab3e2689144
- SHA512: 89db3fccc2bb4c5fda977068b7d74cf7f8561c741bec87ded905888c7d4e664896346b7fcabea59e869dbefd5bafc239b85294b800fcc9b2bf241b931af2458a
- SSDEEP: 384:cfWuKW6z/JB2vDlmZ6mZl34LXL96/6/ZJxtF3M9FFUl8NIK:LjJB2pfV6/6hJxtef7
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  pid    Process
  1796   ODBCJET.exe
  2148   ODBCJET.exe
- Drops file in System32 directory (5 IoCs)
  description                    ioc                               Process
  File created                   C:\Windows\SysWOW64\ODBCJET.exe   8e6613a2564e99d98781a795f4cc57ce.exe
  File opened for modification   C:\Windows\SysWOW64\ODBCJET.exe   8e6613a2564e99d98781a795f4cc57ce.exe
  File created                   C:\Windows\SysWOW64\ODBCJET.exe   ODBCJET.exe
  File created                   C:\Windows\SysWOW64\Del.bat       ODBCJET.exe
  File opened for modification   C:\Windows\SysWOW64\Del.bat       8e6613a2564e99d98781a795f4cc57ce.exe
- Suspicious use of SetWindowsHookEx (3 IoCs)
  pid    Process
  3604   8e6613a2564e99d98781a795f4cc57ce.exe
  1796   ODBCJET.exe
  2148   ODBCJET.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  description                         pid    Process                                procid_target
  PID 3604 wrote to memory of 1796    3604   8e6613a2564e99d98781a795f4cc57ce.exe   86
  PID 3604 wrote to memory of 1796    3604   8e6613a2564e99d98781a795f4cc57ce.exe   86
  PID 3604 wrote to memory of 1796    3604   8e6613a2564e99d98781a795f4cc57ce.exe   86
  PID 1796 wrote to memory of 2148    1796   ODBCJET.exe                            87
  PID 1796 wrote to memory of 2148    1796   ODBCJET.exe                            87
  PID 1796 wrote to memory of 2148    1796   ODBCJET.exe                            87
  PID 1796 wrote to memory of 1912    1796   ODBCJET.exe                            91
  PID 1796 wrote to memory of 1912    1796   ODBCJET.exe                            91
  PID 1796 wrote to memory of 1912    1796   ODBCJET.exe                            91
  PID 3604 wrote to memory of 3680    3604   8e6613a2564e99d98781a795f4cc57ce.exe   90
  PID 3604 wrote to memory of 3680    3604   8e6613a2564e99d98781a795f4cc57ce.exe   90
  PID 3604 wrote to memory of 3680    3604   8e6613a2564e99d98781a795f4cc57ce.exe   90
Processes
- [level 1] C:\Users\Admin\AppData\Local\Temp\8e6613a2564e99d98781a795f4cc57ce.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8e6613a2564e99d98781a795f4cc57ce.exe"
  PID: 3604
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - [level 2] C:\Windows\SysWOW64\ODBCJET.exe
    Command line: C:\Windows\system32\ODBCJET.exe
    PID: 1796
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - [level 3] C:\Windows\SysWOW64\ODBCJET.exe
      Command line: C:\Windows\system32\ODBCJET.exe
      PID: 2148
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
    - [level 3] C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c C:\Windows\system32\Del.bat
      PID: 1912
  - [level 2] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c C:\Windows\system32\Del.bat
    PID: 3680
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 127B
  MD5: 953323bac5967263d8924b1f07c45fc1
  SHA1: 43880a8bef7b40e2e171ff1171b8ecec4064a921
  SHA256: fb77476faf64748b6d7c2269a1455bbbd4ca44bc723552b7ec03682506767a97
  SHA512: 552b3a6aa2429983f3f9253b59aec74d4ef9dd7ed42749fb0b0297d9ff41f74115bccd96759545ebc228c71e91bb9e837d0ac41ac93f5052639b6fddebd62e22
- Filesize: 16KB
  MD5: 8e6613a2564e99d98781a795f4cc57ce
  SHA1: 2e29210e55235f5a9a5b8c0120b9682c08318465
  SHA256: b32e99e981523dc367b400352de5a13930171675d3d5f8e83a6d7ab3e2689144
  SHA512: 89db3fccc2bb4c5fda977068b7d74cf7f8561c741bec87ded905888c7d4e664896346b7fcabea59e869dbefd5bafc239b85294b800fcc9b2bf241b931af2458a