Analysis
- max time kernel: 141s
- max time network: 158s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28/02/2024, 15:52
Static task: static1
Behavioral task: behavioral1
- Sample: ac4376d44c698c6c53e63f5b011b2fd7.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: ac4376d44c698c6c53e63f5b011b2fd7.exe
- Resource: win10v2004-20240226-en
General
- Target: ac4376d44c698c6c53e63f5b011b2fd7.exe
- Size: 771KB
- MD5: ac4376d44c698c6c53e63f5b011b2fd7
- SHA1: 22737c17f5a63ee20b7dce42ec2bddc4f5a39421
- SHA256: aefbb23103c6764bff0c7326b7c083f11c40904031a38425d94f1c7834c749a0
- SHA512: 64180457443ab066a7a62a8e51e6c184e2dd9213a453d200d8b61b3633a88a7cf9e8fe0cd67cc21075169fff8261d7b2ba4ff64ed89fd6337213de435f59b3ff
- SSDEEP: 24576:gLkobHg6xW4bSZ/MXb10hJaothZ2/T6FBBB:QU8V8ML/ofT
Malware Config
Signatures
- Deletes itself (1 IoCs)
  pid 3960, process ac4376d44c698c6c53e63f5b011b2fd7.exe
- Executes dropped EXE (1 IoCs)
  pid 3960, process ac4376d44c698c6c53e63f5b011b2fd7.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)
  flow 32, ioc pastebin.com
  flow 33, ioc pastebin.com
- Suspicious behavior: RenamesItself (1 IoCs)
  pid 2440, process ac4376d44c698c6c53e63f5b011b2fd7.exe
- Suspicious use of UnmapMainImage (2 IoCs)
  pid 2440, process ac4376d44c698c6c53e63f5b011b2fd7.exe
  pid 3960, process ac4376d44c698c6c53e63f5b011b2fd7.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description: PID 2440 wrote to memory of 3960; pid 2440, process ac4376d44c698c6c53e63f5b011b2fd7.exe, procid_target 97
  description: PID 2440 wrote to memory of 3960; pid 2440, process ac4376d44c698c6c53e63f5b011b2fd7.exe, procid_target 97
  description: PID 2440 wrote to memory of 3960; pid 2440, process ac4376d44c698c6c53e63f5b011b2fd7.exe, procid_target 97
Processes
- C:\Users\Admin\AppData\Local\Temp\ac4376d44c698c6c53e63f5b011b2fd7.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\ac4376d44c698c6c53e63f5b011b2fd7.exe"
  PID: 2440
  - Suspicious behavior: RenamesItself
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\ac4376d44c698c6c53e63f5b011b2fd7.exe (depth 2, child of PID 2440)
    command line: C:\Users\Admin\AppData\Local\Temp\ac4376d44c698c6c53e63f5b011b2fd7.exe
    PID: 3960
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of UnmapMainImage
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 1)
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4136 --field-trial-handle=2744,i,16362475727591565961,3676688664819797550,262144 --variations-seed-version /prefetch:8
  PID: 4388
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 771KB
  MD5: c94cc5ded684c7da35f246314c42292b
  SHA1: 19b872f9b14e9f7a06de9c971f293c90914cba4f
  SHA256: ba15010a4f039136ce6c3bfc26654bb64239f7fd4454454ae17d4c626166a61e
  SHA512: 64333ae815f4c3cd127844624dbfe8103fb5013352d039870c7f747a52b7660c7f3232b7a870614441759ed9a2917c8659f6063292f70a7ea48206f9ed3489ae