Analysis
max time kernel: 150s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04/03/2024, 13:48
Static task: static1
Behavioral task: behavioral1
  Sample: b2486ed2ec8b234515f747250166d7c3.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: b2486ed2ec8b234515f747250166d7c3.exe
  Resource: win10v2004-20240226-en
General
Target: b2486ed2ec8b234515f747250166d7c3.exe
Size: 140KB
MD5: b2486ed2ec8b234515f747250166d7c3
SHA1: 38d50958c03209391c3a8fcdd0f23ffcdc04e449
SHA256: 5d347fa0e9c1340832916ba3c9ab224d9645e43ed3dfb4c725a333213b5bb22e
SHA512: fd90843ee3c68a50589598ea5c2bd2853b9487488d4a4fcaf714841f5cdc937e3efeee5366d802f98bf7a4ed5882e786a0318451b574992ae26b30be056193df
SSDEEP: 3072:nhAEXD5RmGhbpqFHTm+Cu2LgrAa7jx3BDVH1x5XrU:qERbUFGuOgrAafxRDVL5I
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  pid | Process
  1312 | rotr.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ieuu = "\"C:\\Program Files (x86)\\unue\\rotr.exe\" -vt mt" | rotr.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ieuu = "\"C:\\Program Files (x86)\\unue\\rotr.exe\" -vt mt" | b2486ed2ec8b234515f747250166d7c3.exe

Drops file in Program Files directory (4 IoCs)
  description | ioc | Process
  File opened for modification | C:\Program Files (x86)\unue\rotr.exe | b2486ed2ec8b234515f747250166d7c3.exe
  File created | C:\Program Files (x86)\unue\rotr.exe | b2486ed2ec8b234515f747250166d7c3.exe
  File opened for modification | C:\Program Files (x86)\unue\rotr.exe | rotr.exe
  File created | C:\Program Files (x86)\unue\rotr.exe | rotr.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | Process | procid_target
  PID 4488 wrote to memory of 1312 | 4488 | b2486ed2ec8b234515f747250166d7c3.exe | 87
  PID 4488 wrote to memory of 1312 | 4488 | b2486ed2ec8b234515f747250166d7c3.exe | 87
  PID 4488 wrote to memory of 1312 | 4488 | b2486ed2ec8b234515f747250166d7c3.exe | 87
Processes
C:\Users\Admin\AppData\Local\Temp\b2486ed2ec8b234515f747250166d7c3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b2486ed2ec8b234515f747250166d7c3.exe"
  PID: 4488
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  C:\Program Files (x86)\unue\rotr.exe
    Command line: "C:\Program Files (x86)\unue\rotr.exe" -vt mt
    PID: 1312
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Program Files directory
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 140KB
MD5: b2486ed2ec8b234515f747250166d7c3
SHA1: 38d50958c03209391c3a8fcdd0f23ffcdc04e449
SHA256: 5d347fa0e9c1340832916ba3c9ab224d9645e43ed3dfb4c725a333213b5bb22e
SHA512: fd90843ee3c68a50589598ea5c2bd2853b9487488d4a4fcaf714841f5cdc937e3efeee5366d802f98bf7a4ed5882e786a0318451b574992ae26b30be056193df