Analysis
max time kernel: 141s
max time network: 159s
platform: windows10-2004_x64
resource: win10v2004-20231215-en (the results on this page are from this Windows 10 run, behavioral2 below)
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04/02/2024, 20:00
Static task: static1
Behavioral task: behavioral1
  Sample: 90067334cb95dbfedebf32ca2c8607d8.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 90067334cb95dbfedebf32ca2c8607d8.exe
  Resource: win10v2004-20231215-en
General
Target: 90067334cb95dbfedebf32ca2c8607d8.exe
Size: 1000KB
MD5: 90067334cb95dbfedebf32ca2c8607d8
SHA1: c1ccbd5ae43a06ca5550b39e2f4c11782568c4ec
SHA256: dd909d698f344c5029a9d119550e091dfbc803457174ab06c7b3242c495711bc
SHA512: 8ed07b1c3bf9978eae26824aed094a9227800e506adeb803f6d2e95de7f929f4654c4a0e73726d54ad3cdc28c51246704296ef2592cdfb88cd5f688373648251
SSDEEP: 24576:iew286NHx5ckQpeeXt8b1B+5vMiqt0gj2ed:9w5qjBQpf98zqOL
Signatures
Deletes itself (1 IoC)
  pid 368  90067334cb95dbfedebf32ca2c8607d8.exe
Executes dropped EXE (1 IoC)
  pid 368  90067334cb95dbfedebf32ca2c8607d8.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
  flow 19  pastebin.com
  flow 22  pastebin.com
Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  pid 368  90067334cb95dbfedebf32ca2c8607d8.exe
Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid 1732  schtasks.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid 368  90067334cb95dbfedebf32ca2c8607d8.exe
  pid 368  90067334cb95dbfedebf32ca2c8607d8.exe
Suspicious behavior: RenamesItself (1 IoC)
  pid 2144  90067334cb95dbfedebf32ca2c8607d8.exe
Suspicious use of UnmapMainImage (2 IoCs)
  pid 2144  90067334cb95dbfedebf32ca2c8607d8.exe
  pid 368   90067334cb95dbfedebf32ca2c8607d8.exe
Suspicious use of WriteProcessMemory (6 IoCs)
  The last column, procid_target, is the report's internal process index for the target, not a Windows PID.
  description                       pid   process                                procid_target
  PID 2144 wrote to memory of 368   2144  90067334cb95dbfedebf32ca2c8607d8.exe   84
  PID 2144 wrote to memory of 368   2144  90067334cb95dbfedebf32ca2c8607d8.exe   84
  PID 2144 wrote to memory of 368   2144  90067334cb95dbfedebf32ca2c8607d8.exe   84
  PID 368 wrote to memory of 1732   368   90067334cb95dbfedebf32ca2c8607d8.exe   85
  PID 368 wrote to memory of 1732   368   90067334cb95dbfedebf32ca2c8607d8.exe   85
  PID 368 wrote to memory of 1732   368   90067334cb95dbfedebf32ca2c8607d8.exe   85
Processes
1. C:\Users\Admin\AppData\Local\Temp\90067334cb95dbfedebf32ca2c8607d8.exe (PID 2144)
   command line: "C:\Users\Admin\AppData\Local\Temp\90067334cb95dbfedebf32ca2c8607d8.exe"
   - Suspicious behavior: RenamesItself
   - Suspicious use of UnmapMainImage
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\90067334cb95dbfedebf32ca2c8607d8.exe (PID 368, child of 2144)
      command line: C:\Users\Admin\AppData\Local\Temp\90067334cb95dbfedebf32ca2c8607d8.exe
      - Deletes itself
      - Executes dropped EXE
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of UnmapMainImage
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\schtasks.exe (PID 1732, child of 368)
         command line: schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\90067334cb95dbfedebf32ca2c8607d8.exe" /TN Google_Trk_Updater /F
         - Creates scheduled task(s)
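An added triage helper, written for this page and not part of the tria.ge report or the sample itself: it re-encodes the process tree above and the deduplicated "PID A wrote to memory of B" rows from the Signatures section as constructed input, then checks the two things a practitioner wants confirmed before reading further. First, whether the parent-spawns-same-image-child, writes-into-it, main-image-unmapped chain (2144 -> 368) has the shape of process hollowing; second, what the schtasks command line run by PID 368 actually asks for. The `Proc` structure, the flag spellings, the switch table and the heuristics are my assumptions, not tria.ge's schema.

```python
"""Triage helper for the process tree and WriteProcessMemory rows shown on this page.
Added example: not tria.ge code and not the sample's code. The input below is
constructed by hand from the report; flag names and heuristics are assumptions."""
import re
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Proc:
    pid: int
    parent: Optional[int]
    image: str          # full path of the executable
    cmdline: str        # command line as the report shows it
    flags: set = field(default_factory=set)  # signature names, spelled as on this page


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\90067334cb95dbfedebf32ca2c8607d8.exe"

# Constructed from the "Processes" section of the report.
PROCS = [
    Proc(2144, None, SAMPLE, f'"{SAMPLE}"',
         {"RenamesItself", "UnmapMainImage", "WriteProcessMemory"}),
    Proc(368, 2144, SAMPLE, SAMPLE,
         {"DeletesItself", "ExecutesDroppedEXE", "NtSetInformationThreadHideFromDebugger",
          "EnumeratesProcesses", "UnmapMainImage", "WriteProcessMemory"}),
    Proc(1732, 368, r"C:\Windows\SysWOW64\schtasks.exe",
         f'schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "{SAMPLE}" /TN Google_Trk_Updater /F',
         {"CreatesScheduledTask"}),
]

# (writer pid, target pid) from the "Suspicious use of WriteProcessMemory" rows, deduplicated.
WPM_EDGES = [(2144, 368), (368, 1732)]

_ARG_RE = re.compile(r'"([^"]*)"|(\S+)')
VALUE_SWITCHES = {"/RL", "/SC", "/TR", "/TN", "/RU", "/RP", "/MO", "/ST", "/SD"}  # assumed subset
USER_WRITABLE = re.compile(r"\\AppData\\|\\Users\\Public\\|\\ProgramData\\|\\Temp\\", re.I)
VENDOR_NAME = re.compile(r"google|microsoft|adobe|windows", re.I)
TRUSTED_DIR = re.compile(r"^[A-Z]:\\(Program Files( \(x86\))?|Windows)\\", re.I)


def win_argv(cmdline: str) -> list:
    """Split a Windows command line on whitespace, keeping double-quoted arguments whole."""
    return [quoted or bare for quoted, bare in _ARG_RE.findall(cmdline)]


def parse_schtasks(cmdline: str) -> dict:
    """Return {'flags': {...}, 'opts': {...}} for a schtasks.exe command line (argv[0] skipped)."""
    argv = win_argv(cmdline)
    parsed = {"flags": set(), "opts": {}}
    i = 1
    while i < len(argv):
        tok = argv[i].upper()
        if tok in VALUE_SWITCHES and i + 1 < len(argv):
            parsed["opts"][tok] = argv[i + 1]
            i += 2
        else:
            parsed["flags"].add(tok)
            i += 1
    return parsed


def task_findings(parsed: dict) -> list:
    """Persistence indicators for a parsed 'schtasks /CREATE' line (heuristics, not verdicts)."""
    flags, opts = parsed["flags"], parsed["opts"]
    if "/CREATE" not in flags:
        return []
    tr, tn = opts.get("/TR", ""), opts.get("/TN", "")
    findings = []
    if opts.get("/SC", "").upper() == "ONLOGON":
        findings.append("task triggers at every logon")
    if opts.get("/RL", "").upper() == "HIGHEST":
        findings.append("task requests highest run level")
    if USER_WRITABLE.search(tr):
        findings.append("task action lives in a user-writable directory")
    if VENDOR_NAME.search(tn) and not TRUSTED_DIR.match(tr):
        findings.append("vendor-style task name but action outside Program Files/Windows")
    if "/F" in flags:
        findings.append("/F silently overwrites an existing task of the same name")
    return findings


def hollowing_candidates(procs: list, wpm_edges: list) -> list:
    """(writer, target) pairs where a process writes into its own child running the same
    image and either side had its main image unmapped: the self-hollowing shape."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for writer, target in wpm_edges:
        w, t = by_pid.get(writer), by_pid.get(target)
        if w is None or t is None:
            continue
        if (w.image.lower() == t.image.lower() and t.parent == w.pid
                and "UnmapMainImage" in (w.flags | t.flags)):
            hits.append((writer, target))
    return hits


def triage(procs: list, wpm_edges: list) -> dict:
    """Combine both checks into one report dictionary."""
    report = {"hollowing": hollowing_candidates(procs, wpm_edges), "persistence": []}
    for p in procs:
        if p.image.lower().endswith("\\schtasks.exe"):
            parsed = parse_schtasks(p.cmdline)
            report["persistence"].append(
                {"pid": p.pid, "task": parsed["opts"].get("/TN"), "findings": task_findings(parsed)})
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(triage(PROCS, WPM_EDGES), indent=2))
```

On this page's data the hollowing check returns only the 2144 -> 368 pair (the 368 -> 1732 write goes to a different image, so it is left out), and the task check flags all five properties of the schtasks line: logon trigger, highest run level, action in %LOCALAPPDATA%\Temp, a Google-style task name pointing outside Program Files, and /F. The hollowing result is a pattern match on sandbox signatures, not proof of what was written into the child; confirming that needs the memory dump or the API trace, which this page does not include.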
Network
flows 19 and 22: pastebin.com (the same two flows listed under "Legitimate hosting services abused for malware hosting/C2" above)
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1000KB
MD5: fe8527cd1237c5e50572f56a04794618
SHA1: a6d6aa2265f4d2f0b2ff709983e74db96d48c373
SHA256: 702f3743d65049af61162482b75ea3dfa1435cb1aa45232611868b6121ab4871
SHA512: e4d5039d2c3f7a2981a9380c85f0e63033f4de1c95e0fdc4991206d92da848e160ca2af9ebca42165c07ad629ac647ac6d1e4a90f7cc5c3fd44ff88645581db8
Note: this download has the same 1000KB size as the submitted sample but different hashes, so it is not a byte-identical copy of the original file.