Analysis
- max time kernel: 142s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240221-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240221-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25/02/2024, 17:51

Static task: static1

Behavioral task: behavioral1
- Sample: a468ec4d10506f7ec7adbc4eacf9d347.exe
- Resource: win7-20240221-en

Behavioral task: behavioral2
- Sample: a468ec4d10506f7ec7adbc4eacf9d347.exe
- Resource: win10v2004-20240221-en
General
- Target: a468ec4d10506f7ec7adbc4eacf9d347.exe
- Size: 506KB
- MD5: a468ec4d10506f7ec7adbc4eacf9d347
- SHA1: c6d05cb4b093391565b215bcc0e3e2dc276bd243
- SHA256: e205685449dfcbdc2b5128a68c86f8272b46bcf6f649088269c790ac008fa803
- SHA512: bcb41a67fafb0927cfb548d3e03c2619f72b3f5ac407dac63f66f325c39fb0a48a25bdd6b93bb0d771a1a6dacce1092629d6ff9425363f4916d9ebb1c9fd9f60
- SSDEEP: 12288:Mtt5uXEFXORcnqnKVpQYP/9GGo3jWBMFGVqrM8z7s1uA:kXORcnJVIzHGqY83s
Malware Config
Signatures
- Deletes itself (1 IoC)
  pid 4056, process a468ec4d10506f7ec7adbc4eacf9d347.exe
- Executes dropped EXE (1 IoC)
  pid 4056, process a468ec4d10506f7ec7adbc4eacf9d347.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
  flow 15, ioc pastebin.com
  flow 17, ioc pastebin.com
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  pid 4056, process a468ec4d10506f7ec7adbc4eacf9d347.exe
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid 3468, process schtasks.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid 4056, process a468ec4d10506f7ec7adbc4eacf9d347.exe
  pid 4056, process a468ec4d10506f7ec7adbc4eacf9d347.exe
- Suspicious behavior: RenamesItself (1 IoC)
  pid 3968, process a468ec4d10506f7ec7adbc4eacf9d347.exe
- Suspicious use of UnmapMainImage (2 IoCs)
  pid 3968, process a468ec4d10506f7ec7adbc4eacf9d347.exe
  pid 4056, process a468ec4d10506f7ec7adbc4eacf9d347.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | process | procid_target
  PID 3968 wrote to memory of 4056 | 3968 | a468ec4d10506f7ec7adbc4eacf9d347.exe | 86
  PID 3968 wrote to memory of 4056 | 3968 | a468ec4d10506f7ec7adbc4eacf9d347.exe | 86
  PID 3968 wrote to memory of 4056 | 3968 | a468ec4d10506f7ec7adbc4eacf9d347.exe | 86
  PID 4056 wrote to memory of 3468 | 4056 | a468ec4d10506f7ec7adbc4eacf9d347.exe | 87
  PID 4056 wrote to memory of 3468 | 4056 | a468ec4d10506f7ec7adbc4eacf9d347.exe | 87
  PID 4056 wrote to memory of 3468 | 4056 | a468ec4d10506f7ec7adbc4eacf9d347.exe | 87
Processes
- C:\Users\Admin\AppData\Local\Temp\a468ec4d10506f7ec7adbc4eacf9d347.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\a468ec4d10506f7ec7adbc4eacf9d347.exe"
  - Suspicious behavior: RenamesItself
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID: 3968
  - C:\Users\Admin\AppData\Local\Temp\a468ec4d10506f7ec7adbc4eacf9d347.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\a468ec4d10506f7ec7adbc4eacf9d347.exe
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID: 4056
    - C:\Windows\SysWOW64\schtasks.exe (depth 3)
      Command line: schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\a468ec4d10506f7ec7adbc4eacf9d347.exe" /TN Google_Trk_Updater /F
      - Creates scheduled task(s)
      PID: 3468
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 506KB
  MD5: d748c8e8e1fafee2c9f57773abd022d4
  SHA1: aa3bf932a9d8e003893450fcee1449c4fabbc014
  SHA256: 50187e2a5ad23a6d9e16b07342101bcbcd2e90506b5a919baa25e220056cb8a5
  SHA512: 25dd060c63b3ba17b07b956268ff708f497dd5c7c82380a9f9d5c8c5209ca77b964e46ac70f1967d50ad050a4f5b184c0b9979298aa7d1475601725435c4777d