Analysis
- max time kernel: 126s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12/02/2024, 01:28
Static task: static1
Behavioral task: behavioral1
- Sample: 95e4a40e2b61c00947160104d4c8a94d.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 95e4a40e2b61c00947160104d4c8a94d.exe
- Resource: win10v2004-20231215-en
General
- Target: 95e4a40e2b61c00947160104d4c8a94d.exe
- Size: 1000KB
- MD5: 95e4a40e2b61c00947160104d4c8a94d
- SHA1: c498c470e952f995173ef76e900793ee0765581d
- SHA256: 91ca34519f4ec83fcd179dbdd2ac6cdb6da509b37ba8fe021517edd0025cedbe
- SHA512: e3a46c7bcb6fd1fed3cc462a424d5d023b7e4dc7cb1589d7610d2cc283b0590161eaef6d8a469b6be7de37a036fdff4c468ed1947a010ec0c6f9c63d5be2c637
- SSDEEP: 12288:u8JvfSREkDsTEt3PP8FooSPfJEImY+FHq3agnRBplpIQni7RvXVGKkok04SXVLS7:M8iHcl9N1SoX4S7yb1B+5vMiqt0gj2ed
Malware Config
Signatures
- Deletes itself (1 IoC)
  PID 4948  95e4a40e2b61c00947160104d4c8a94d.exe
- Executes dropped EXE (1 IoC)
  PID 4948  95e4a40e2b61c00947160104d4c8a94d.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
  flow 9   pastebin.com
  flow 11  pastebin.com
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  PID 4948  95e4a40e2b61c00947160104d4c8a94d.exe
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID 3680  schtasks.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 4948  95e4a40e2b61c00947160104d4c8a94d.exe
  PID 4948  95e4a40e2b61c00947160104d4c8a94d.exe
- Suspicious behavior: RenamesItself (1 IoC)
  PID 3296  95e4a40e2b61c00947160104d4c8a94d.exe
- Suspicious use of UnmapMainImage (2 IoCs)
  PID 3296  95e4a40e2b61c00947160104d4c8a94d.exe
  PID 4948  95e4a40e2b61c00947160104d4c8a94d.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description                        pid   process                               procid_target
  PID 3296 wrote to memory of 4948   3296  95e4a40e2b61c00947160104d4c8a94d.exe  85
  PID 3296 wrote to memory of 4948   3296  95e4a40e2b61c00947160104d4c8a94d.exe  85
  PID 3296 wrote to memory of 4948   3296  95e4a40e2b61c00947160104d4c8a94d.exe  85
  PID 4948 wrote to memory of 3680   4948  95e4a40e2b61c00947160104d4c8a94d.exe  86
  PID 4948 wrote to memory of 3680   4948  95e4a40e2b61c00947160104d4c8a94d.exe  86
  PID 4948 wrote to memory of 3680   4948  95e4a40e2b61c00947160104d4c8a94d.exe  86
Processes
1. C:\Users\Admin\AppData\Local\Temp\95e4a40e2b61c00947160104d4c8a94d.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\95e4a40e2b61c00947160104d4c8a94d.exe"
   PID: 3296
   - Suspicious behavior: RenamesItself
   - Suspicious use of UnmapMainImage
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\95e4a40e2b61c00947160104d4c8a94d.exe (child of PID 3296)
      Command line: C:\Users\Admin\AppData\Local\Temp\95e4a40e2b61c00947160104d4c8a94d.exe
      PID: 4948
      - Deletes itself
      - Executes dropped EXE
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of UnmapMainImage
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\schtasks.exe (child of PID 4948)
         Command line: schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\95e4a40e2b61c00947160104d4c8a94d.exe" /TN Google_Trk_Updater /F
         PID: 3680
         - Creates scheduled task(s)
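The schtasks.exe line in the process tree above is the sample's persistence mechanism: a task named Google_Trk_Updater that re-launches the binary from %TEMP% at every logon with the highest privileges the account holds. The following detector is an added example (not part of the tria.ge report or its signature set) that scores schtasks command lines from process-creation telemetry for exactly those traits. The record field names (Image, ParentImage, CommandLine) follow Sysmon Event ID 1 / Windows 4688 and are assumed; the first record reproduces the command line and parent path from this report, the two benign records are constructed for the example, and the vendor-name and user-writable-path heuristics are the author's own thresholds, not a vendor rule.

```python
"""Flag schtasks.exe persistence of the kind recorded in this report.

Added example, not part of the tria.ge output. Parses schtasks command lines
from process-creation records (assumed Sysmon EID 1 / 4688 field names) and
scores co-occurring traits: logon trigger, /RL HIGHEST, payload and parent in a
user-writable directory, vendor-lookalike task name.
"""
import re

# schtasks /Create switches that consume the next token as their value
# (taken from the schtasks documentation; not exhaustive).
VALUE_SWITCHES = {"sc", "rl", "tr", "tn", "ru", "rp", "mo", "st", "sd", "ed",
                  "et", "du", "ri", "d", "m", "i", "s", "u", "p", "xml"}

# Triggers that re-run the task with no user interaction.
AUTOSTART_TRIGGERS = {"ONLOGON", "ONSTART", "ONIDLE", "MINUTE", "HOURLY"}

# Path fragments a standard user can write to (heuristic, assumption of this
# example); vendor installers register updaters from Program Files or Windows.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")
VENDOR_PATHS = ("c:\\program files", "c:\\windows\\")
VENDOR_LOOKALIKE = re.compile(r"google|microsoft|adobe|chrome|java|windows", re.I)


def parse_schtasks(cmdline):
    """Return the switches of a schtasks command line as {switch: value or True}.

    Tokens split on whitespace, keeping double-quoted runs together; escaped
    nested quotes inside /TR are not handled.
    """
    tokens = re.findall(r'"[^"]*"|\S+', cmdline)
    opts = {}
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("/"):
            key = tok[1:].lower()
            if key in VALUE_SWITCHES and i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
                opts[key] = tokens[i + 1].strip('"')
                i += 2
                continue
            opts[key] = True
        i += 1
    return opts


def assess(record):
    """Score one process-creation record; suspicious when 3 or more traits co-occur."""
    opts = parse_schtasks(record["CommandLine"])
    reasons = []
    if opts.get("create") is True:
        trigger = str(opts.get("sc", "")).upper()
        if trigger in AUTOSTART_TRIGGERS:
            reasons.append(f"/SC {trigger}: re-executes without user action")
        if str(opts.get("rl", "")).upper() == "HIGHEST":
            reasons.append("/RL HIGHEST: runs with the highest privileges the account holds")
        target = str(opts.get("tr", "")).lower()
        if any(frag in target for frag in USER_WRITABLE):
            reasons.append("/TR payload lives in a user-writable directory")
        parent = record.get("ParentImage", "").lower()
        if any(frag in parent for frag in USER_WRITABLE):
            reasons.append("schtasks spawned by a process running from a user-writable directory")
        name = str(opts.get("tn", ""))
        if VENDOR_LOOKALIKE.search(name) and not parent.startswith(VENDOR_PATHS):
            reasons.append(f"/TN {name!r} imitates a vendor task but the parent is not a vendor install path")
    return {"suspicious": len(reasons) >= 3, "score": len(reasons), "reasons": reasons, "opts": opts}


def scan(records):
    """Return (record, verdict) pairs for the records that score as suspicious."""
    hits = []
    for rec in records:
        verdict = assess(rec)
        if verdict["suspicious"]:
            hits.append((rec, verdict))
    return hits


SAMPLE_RECORDS = [
    {   # command line and parent image as recorded in the report above
        "Image": r"C:\Windows\SysWOW64\schtasks.exe",
        "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\95e4a40e2b61c00947160104d4c8a94d.exe",
        "CommandLine": r'schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\95e4a40e2b61c00947160104d4c8a94d.exe" /TN Google_Trk_Updater /F',
    },
    {   # constructed benign record: an installer registering its updater from Program Files
        "Image": r"C:\Windows\System32\schtasks.exe",
        "ParentImage": r"C:\Program Files\ExampleVendor\setup.exe",
        "CommandLine": r'schtasks /Create /SC DAILY /ST 12:00 /TR "C:\Program Files\ExampleVendor\updater.exe" /TN ExampleVendorUpdate /F',
    },
    {   # constructed benign record: a query, no task created
        "Image": r"C:\Windows\System32\schtasks.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"schtasks /Query /TN ExampleVendorUpdate /V /FO LIST",
    },
]

if __name__ == "__main__":
    for rec, verdict in scan(SAMPLE_RECORDS):
        print(f"[score {verdict['score']}] {rec['CommandLine']}")
        for why in verdict["reasons"]:
            print("   -", why)
```

Only the report's record trips the threshold (all five traits); the Program Files updater creates a task but scores nothing, and a /Query never reaches the scoring branch. In production the parent-path check should key on the process that launched schtasks rather than on schtasks.exe itself, exactly as the report's tree shows (PID 4948 in %TEMP% spawning PID 3680).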
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1000KB
  MD5: d106ea6aa53d055db5cf18c77c0727f9
  SHA1: b91e0b5278be940de1414ecf157f61b3cd80feef
  SHA256: 415cf44bd3dcddf492ae653d2ff7c7f1566ab8384a8e91937ed6297c05e04be5
  SHA512: 0c9ff1f1c72eae446bf1fa40e4c909214939f76d6dd8d1f6e3880f1157a2ce21fc6c823d22d3b4ee639ca17ae59d8fe8b22bea97974803cf77542ab0e524a06e