Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04/03/2024, 13:59
Behavioral task: behavioral1
Sample: b24d204772ac32d11a09fa611078a1b4.exe
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: b24d204772ac32d11a09fa611078a1b4.exe
Resource: win10v2004-20240226-en
General
Target: b24d204772ac32d11a09fa611078a1b4.exe
Size: 10KB
MD5: b24d204772ac32d11a09fa611078a1b4
SHA1: d1037bacf78a1553060a3fccf9a366552bba95ee
SHA256: 1b3ff3186a922c56d2878b848eae40037a754882705c2af4b33e851cf26d7859
SHA512: 633c488a871fcd059fbe656980cf142fa32414c101db4b86655d2557583e5c2c721d8532776c41791c9370d8914773eee9c791f6b1b16b2637a75bc5c40d904d
SSDEEP: 192:bMxYI3Z07C9Y4Mgkd92/O7lXsZnH1KYzWTpfuv+0b4fwGlAdRpXbxXMb+:4xLJ07bHo/GknH1KYaAv+02lIW+
Malware Config
Signatures
Modifies AppInit DLL entries (2 TTPs)
Executes dropped EXE (1 IoC)
  pid 1760, process mduaeyk.exe
UPX packed (yara rule: upx)
  behavioral2/memory/2632-0-0x0000000000400000-0x000000000040F000-memory.dmp
  behavioral2/files/0x0008000000023238-4.dat
  behavioral2/memory/2632-8-0x0000000000400000-0x000000000040F000-memory.dmp
  behavioral2/memory/1760-10-0x0000000000400000-0x000000000040F000-memory.dmp
Drops file in System32 directory (3 IoCs)
  File created: C:\Windows\SysWOW64\mduaey.dll (b24d204772ac32d11a09fa611078a1b4.exe)
  File created: C:\Windows\SysWOW64\mduaeyk.exe (b24d204772ac32d11a09fa611078a1b4.exe)
  File opened for modification: C:\Windows\SysWOW64\mduaeyk.exe (b24d204772ac32d11a09fa611078a1b4.exe)
Suspicious use of WriteProcessMemory (6 IoCs)
  PID 2632 wrote to memory of 1760 (b24d204772ac32d11a09fa611078a1b4.exe, target 87)
  PID 2632 wrote to memory of 1760 (b24d204772ac32d11a09fa611078a1b4.exe, target 87)
  PID 2632 wrote to memory of 1760 (b24d204772ac32d11a09fa611078a1b4.exe, target 87)
  PID 2632 wrote to memory of 976 (b24d204772ac32d11a09fa611078a1b4.exe, target 91)
  PID 2632 wrote to memory of 976 (b24d204772ac32d11a09fa611078a1b4.exe, target 91)
  PID 2632 wrote to memory of 976 (b24d204772ac32d11a09fa611078a1b4.exe, target 91)
Processes
1. C:\Users\Admin\AppData\Local\Temp\b24d204772ac32d11a09fa611078a1b4.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\b24d204772ac32d11a09fa611078a1b4.exe"
   PID: 2632
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\mduaeyk.exe
      Command line: C:\Windows\system32\mduaeyk.exe ˜‰
      PID: 1760
      - Executes dropped EXE
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\b24d204772ac32d11a09fa611078a1b4.exe.bat
      PID: 976
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1
  Filesize: 182B
  MD5: 471f2c1ffcb997493e64179948ca43ab
  SHA1: 10b484c6f76a430ca133dc51b21891a303b3d808
  SHA256: e52d758998118a279a07385b2cf5b5793a1335308eb6c6eb5deaecf248bf4e49
  SHA512: 2419fe56232ad920124849d468545899f759a25873810a299a5da2e15976dc92bf485f1ffbf9c5fc1536fcf4a1b01c6495c15d0789b64332be1a2491c1da1458
File 2
  Filesize: 10KB
  MD5: b24d204772ac32d11a09fa611078a1b4
  SHA1: d1037bacf78a1553060a3fccf9a366552bba95ee
  SHA256: 1b3ff3186a922c56d2878b848eae40037a754882705c2af4b33e851cf26d7859
  SHA512: 633c488a871fcd059fbe656980cf142fa32414c101db4b86655d2557583e5c2c721d8532776c41791c9370d8914773eee9c791f6b1b16b2637a75bc5c40d904d