Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28/02/2024, 16:02
Behavioral task behavioral1
- Sample: ac485292bf72ab2700ed458b641308a6.exe
- Resource: win7-20240221-en
Behavioral task behavioral2
- Sample: ac485292bf72ab2700ed458b641308a6.exe
- Resource: win10v2004-20240226-en
General
- Target: ac485292bf72ab2700ed458b641308a6.exe
- Size: 5.8MB
- MD5: ac485292bf72ab2700ed458b641308a6
- SHA1: 2000f65e037e3ad198a20637cf7f4b1541658c8f
- SHA256: d6f78f9c1cbe7f01ef97cb6b384296b5d9ecec480e9d68e16e7a21f69c895db5
- SHA512: 917a2e6d7acbb0f0cdd563b77dc93d79a020b82570e2169eb742e98439eee87572968641ab555cc72d272532c7c83e7f4aad51b94d9b642b62d5cf740f401c81
- SSDEEP: 98304:rwonZXuHOtruvshvWCgg3gnl/IVUs1jePsSNZXmri/2kSmiLgg3gnl/IVUs1jePs:04riv2Pgl/iBiPRNoriBAgl/iBiP
Malware Config
Signatures
- Deletes itself (1 IoC): PID 3040, ac485292bf72ab2700ed458b641308a6.exe
- Executes dropped EXE (1 IoC): PID 3040, ac485292bf72ab2700ed458b641308a6.exe
- YARA rule upx matched (3 resources):
  - behavioral2/memory/1384-0-0x0000000000400000-0x00000000008EF000-memory.dmp
  - behavioral2/files/0x0008000000023203-11.dat
  - behavioral2/memory/3040-14-0x0000000000400000-0x00000000008EF000-memory.dmp
- Suspicious behavior: RenamesItself (1 IoC): PID 1384, ac485292bf72ab2700ed458b641308a6.exe
- Suspicious use of UnmapMainImage (2 IoCs): PID 1384 and PID 3040, ac485292bf72ab2700ed458b641308a6.exe
- Suspicious use of WriteProcessMemory (3 IoCs): PID 1384 wrote to memory of 3040 (process ac485292bf72ab2700ed458b641308a6.exe, procid_target 86); the same entry is listed three times
Processes
1. PID 1384
   - Image: C:\Users\Admin\AppData\Local\Temp\ac485292bf72ab2700ed458b641308a6.exe
   - Command line: "C:\Users\Admin\AppData\Local\Temp\ac485292bf72ab2700ed458b641308a6.exe"
   - Suspicious behavior: RenamesItself
   - Suspicious use of UnmapMainImage
   - Suspicious use of WriteProcessMemory
   2. PID 3040 (child of 1384)
      - Image: C:\Users\Admin\AppData\Local\Temp\ac485292bf72ab2700ed458b641308a6.exe
      - Command line: C:\Users\Admin\AppData\Local\Temp\ac485292bf72ab2700ed458b641308a6.exe
      - Deletes itself
      - Executes dropped EXE
      - Suspicious use of UnmapMainImage
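The process tree above shows the sample starting a second copy of itself from the same path, the parent writing into the child's memory (WriteProcessMemory), and the child executing a dropped EXE and deleting a file. As an added example, not part of the tria.ge report or its tooling, the following Python encodes that combination as a detection over process events. The ProcEvent schema and the event list are constructed to mirror the reported PIDs (1384 spawning 3040); the report does not say which file PID 3040 deleted, so the delete event pointing at the sample's own image is an assumption.

```python
"""Detection for a self-relaunch-and-inject pattern over process events.

Added example, not part of the tria.ge report. The ProcEvent schema is a
hypothetical event format, and EVENTS is constructed to mirror the reported
tree; the delete target path is an assumption (the report does not state it).
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple
import ntpath

SAMPLE_IMAGE = r"C:\Users\Admin\AppData\Local\Temp\ac485292bf72ab2700ed458b641308a6.exe"
TEMP_DIR = r"c:\users\admin\appdata\local\temp"  # compared case-insensitively


@dataclass
class ProcEvent:
    """Minimal process-event record (hypothetical schema, not tria.ge's)."""
    kind: str            # "start", "write_memory" or "file_delete"
    pid: int             # acting process
    image: str = ""      # start: image path of the new process
    ppid: int = 0        # start: parent pid (0 = not recorded)
    target_pid: int = 0  # write_memory: pid written to
    path: str = ""       # file_delete: file removed


# Constructed events mirroring the report: 1384 spawns 3040 from the same
# image, writes into it three times, and 3040 then deletes a file.
EVENTS: List[ProcEvent] = [
    ProcEvent("start", 1384, image=SAMPLE_IMAGE, ppid=0),
    ProcEvent("start", 3040, image=SAMPLE_IMAGE, ppid=1384),
    ProcEvent("write_memory", 1384, target_pid=3040),
    ProcEvent("write_memory", 1384, target_pid=3040),
    ProcEvent("write_memory", 1384, target_pid=3040),
    ProcEvent("file_delete", 3040, path=SAMPLE_IMAGE),  # assumed target
]


def find_self_relaunch(events: List[ProcEvent]) -> Dict[int, List[str]]:
    """Return {child_pid: matched indicators} for each child that was started
    with the same image path as its parent and then had its memory written
    by that parent. Two further indicators (image under %TEMP%, child deleted
    its own image) are reported when present but are not required to fire."""
    images: Dict[int, str] = {}
    parents: Dict[int, int] = {}
    writes: Set[Tuple[int, int]] = set()
    deletes: Dict[int, Set[str]] = {}
    for ev in events:
        if ev.kind == "start":
            images[ev.pid] = ev.image
            parents[ev.pid] = ev.ppid
        elif ev.kind == "write_memory":
            writes.add((ev.pid, ev.target_pid))
        elif ev.kind == "file_delete":
            deletes.setdefault(ev.pid, set()).add(ev.path.lower())

    hits: Dict[int, List[str]] = {}
    for pid, ppid in parents.items():
        img = images[pid].lower()
        parent_img = images.get(ppid, "").lower()
        if not img or img != parent_img:
            continue  # parent unknown, or a different binary
        if (ppid, pid) not in writes:
            continue  # plain re-exec without memory writes: not enough alone
        indicators = ["same_image_as_parent"]
        if ntpath.dirname(img) == TEMP_DIR:
            indicators.append("started_from_temp")
        indicators.append("parent_wrote_memory")
        if img in deletes.get(pid, set()):
            indicators.append("deleted_own_image")
        hits[pid] = indicators
    return hits


if __name__ == "__main__":
    for child, inds in find_self_relaunch(EVENTS).items():
        print(f"PID {child}: {', '.join(inds)}")
```

The two required indicators (same image as parent, parent wrote into the child) are the part that distinguishes this tree from an ordinary installer re-exec; the %TEMP% location and the self-deletion are kept as additional context so an analyst can rank hits rather than lose them to a stricter rule.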
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 5.8MB
- MD5: 01ad4e702cc47601b268401164043360
- SHA1: ad24f2de8d4dd1dd9c3fa4b58050648a622575c7
- SHA256: d45e87b8479b950c75f52eb5bccd9a1a4231a3589c22484aba3309af1aa76d55
- SHA512: 53c53240e5f09bfa5c844ef0dce455226bb4f6c608775b85afdf0b9bddd1ecf8afd16b5d25145d69ded69e01f0a957fcddf37182451275eea47ee96d1b69102e

This file has the same size as the submitted sample but different hashes, so it is not a byte-identical copy; hunting on the submitted sample's hashes alone will not match it.