Analysis
- max time kernel: 143s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240221-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240221-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25/02/2024, 06:51
Static task: static1

Behavioral task: behavioral1
- Sample: a326b68cd2fe65d4afc8332cccbcebe8.exe
- Resource: win7-20240221-en

Behavioral task: behavioral2
- Sample: a326b68cd2fe65d4afc8332cccbcebe8.exe
- Resource: win10v2004-20240221-en
General
- Target: a326b68cd2fe65d4afc8332cccbcebe8.exe
- Size: 385KB
- MD5: a326b68cd2fe65d4afc8332cccbcebe8
- SHA1: 011ecb4892200813d1d90c588956f564b595828f
- SHA256: 9e9b564f58d8eabc82e5eb3c6bc5e50bd7b1f20982c04b3b71796dd94f958227
- SHA512: e7ea29043248a7bdd7c366fca8ee2d1833e80542f065d3cd943ccc07f6fff86b3a5492e3f763945617931cc6252cd2e76a957c629f330938b115ce45d4e75286
- SSDEEP: 12288:jZFit36GpgyCcdQ1WiD9CiE5TbR1BglCB:9FiqGOyY1D9CrbRvglCB
Malware Config
Signatures
- Deletes itself (1 IoCs)
  pid   Process
  4464  a326b68cd2fe65d4afc8332cccbcebe8.exe
- Executes dropped EXE (1 IoCs)
  pid   Process
  4464  a326b68cd2fe65d4afc8332cccbcebe8.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)
  flow  ioc
  11    pastebin.com
  12    pastebin.com
- Suspicious behavior: RenamesItself (1 IoCs)
  pid   Process
  1580  a326b68cd2fe65d4afc8332cccbcebe8.exe
- Suspicious use of UnmapMainImage (2 IoCs)
  pid   Process
  1580  a326b68cd2fe65d4afc8332cccbcebe8.exe
  4464  a326b68cd2fe65d4afc8332cccbcebe8.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description                         pid   Process                               procid_target
  PID 1580 wrote to memory of 4464    1580  a326b68cd2fe65d4afc8332cccbcebe8.exe  87
  PID 1580 wrote to memory of 4464    1580  a326b68cd2fe65d4afc8332cccbcebe8.exe  87
  PID 1580 wrote to memory of 4464    1580  a326b68cd2fe65d4afc8332cccbcebe8.exe  87
Processes
- Path: C:\Users\Admin\AppData\Local\Temp\a326b68cd2fe65d4afc8332cccbcebe8.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a326b68cd2fe65d4afc8332cccbcebe8.exe"
  PID: 1580
  - Suspicious behavior: RenamesItself
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  - Path: C:\Users\Admin\AppData\Local\Temp\a326b68cd2fe65d4afc8332cccbcebe8.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\a326b68cd2fe65d4afc8332cccbcebe8.exe
    PID: 4464
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of UnmapMainImage
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 385KB
  MD5: f8f8ea04c51a304782115337eda485c4
  SHA1: 0003536e3f01934800e85b3825f2694653078dfe
  SHA256: 6bb17019de6c904bdf6a68bd8cc897afeeccc8dc5927e1d9c9b029165bee7684
  SHA512: f529de35941a281c1d1c1c2ddbc551d34a3e49d93c5ad2617f75ffa67c3acff7cca627ee3621ab281a1c112efb8e6d7ac4e17c54700f00a12f97d14c006e02dc