Analysis
- max time kernel: 143s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12/02/2024, 20:57
Static task: static1
Behavioral task: behavioral1
- Sample: 9795ec5ad4b08b431fc73808c28eec07.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 9795ec5ad4b08b431fc73808c28eec07.exe
- Resource: win10v2004-20231215-en
General
- Target: 9795ec5ad4b08b431fc73808c28eec07.exe
- Size: 385KB
- MD5: 9795ec5ad4b08b431fc73808c28eec07
- SHA1: a2f8a3a0df431b413ebf538ff9c0bbd21937190d
- SHA256: 34a8ee6eba0da182a7e88746842ea699040e856a52a3eca62b8fbafbd9886fb0
- SHA512: e6e3f6f71bccb40ee037c6a21bd412c4351049d699f9f8c2dc9ff4b693a661a0b4ca370eb4e2b01d13d0a6da0de102b10935fa8c2a65d612371020d417ec061f
- SSDEEP: 12288:/OxpqAqK2OfNWM7uisFDzf56fQEZdze8B:G0AHDsMOF8f/ze8B
Malware Config
Signatures
- Deletes itself (1 IoCs)
  pid 3808, process 9795ec5ad4b08b431fc73808c28eec07.exe
- Executes dropped EXE (1 IoCs)
  pid 3808, process 9795ec5ad4b08b431fc73808c28eec07.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)
  flow 6, ioc pastebin.com
  flow 7, ioc pastebin.com
- Suspicious behavior: RenamesItself (1 IoCs)
  pid 3348, process 9795ec5ad4b08b431fc73808c28eec07.exe
- Suspicious use of UnmapMainImage (2 IoCs)
  pid 3348, process 9795ec5ad4b08b431fc73808c28eec07.exe
  pid 3808, process 9795ec5ad4b08b431fc73808c28eec07.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description: PID 3348 wrote to memory of 3808; pid 3348, process 9795ec5ad4b08b431fc73808c28eec07.exe, procid_target 84
  description: PID 3348 wrote to memory of 3808; pid 3348, process 9795ec5ad4b08b431fc73808c28eec07.exe, procid_target 84
  description: PID 3348 wrote to memory of 3808; pid 3348, process 9795ec5ad4b08b431fc73808c28eec07.exe, procid_target 84
Processes
- C:\Users\Admin\AppData\Local\Temp\9795ec5ad4b08b431fc73808c28eec07.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\9795ec5ad4b08b431fc73808c28eec07.exe"
  PID: 3348
  - Suspicious behavior: RenamesItself
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\9795ec5ad4b08b431fc73808c28eec07.exe (child of PID 3348)
    command line: C:\Users\Admin\AppData\Local\Temp\9795ec5ad4b08b431fc73808c28eec07.exe
    PID: 3808
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of UnmapMainImage
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 385KB
  MD5: 795e2cbc0f8934aa978d7f598d4ee847
  SHA1: 2a90916752bc63f73e061cc6d9c00e7a504de081
  SHA256: ecf2e0760e3e5228d938caf619a392740463e772a29db9777318eb53d10348e1
  SHA512: 6bff82074ae53625a684c27abd7bb823185114c614bb7a73580d6edfdf9030f504e9e5d727e44a4426e0a5e8643450f5c7606b0faeac47d5e7255024451eb97e