Analysis
- max time kernel: 151s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04/03/2024, 14:05
Behavioral task behavioral1
- Sample: b250c62b3f1da424611acaf3ab5621ce.exe
- Resource: win7-20240221-en
Behavioral task behavioral2
- Sample: b250c62b3f1da424611acaf3ab5621ce.exe
- Resource: win10v2004-20240226-en
General
- Target: b250c62b3f1da424611acaf3ab5621ce.exe
- Size: 11KB
- MD5: b250c62b3f1da424611acaf3ab5621ce
- SHA1: a43ebdf943903fd5ac8d9cf890239218e6b5ce86
- SHA256: 4d4648899888a3eab3c24681b9478ec172d1605a2a4d8d7a1c6e939b4739e8eb
- SHA512: 5d42c443102f3d8bcb793d591a6dca79d045897ba275aa27f4733a767f534192c847cda480a99011888f9e32bdbad26650d4534a71bf765e18860b1b35e1ffcf
- SSDEEP: 192:0aww1AUaE0Pmr6iZTK+jZWPFfn6Kv1e1Box18KkNLPS7bg:JAK0PmOiZTZItnf1UB6GKkNL6Pg
Malware Config
Signatures
- Modifies AppInit DLL entries (2 TTPs)
- Executes dropped EXE (1 IoC)
  pid | Process
  4988 | zfashlk.exe
- yara_rule matches
  resource | yara_rule
  behavioral2/memory/1632-0-0x0000000000400000-0x000000000040E000-memory.dmp | upx
  behavioral2/files/0x0004000000022ea1-4.dat | upx
  behavioral2/memory/1632-6-0x0000000000400000-0x000000000040E000-memory.dmp | upx
  behavioral2/memory/4988-7-0x0000000000400000-0x000000000040E000-memory.dmp | upx
- Drops file in System32 directory (3 IoCs)
  description | ioc | Process
  File created | C:\Windows\SysWOW64\zfashl.dll | b250c62b3f1da424611acaf3ab5621ce.exe
  File created | C:\Windows\SysWOW64\zfashlk.exe | b250c62b3f1da424611acaf3ab5621ce.exe
  File opened for modification | C:\Windows\SysWOW64\zfashlk.exe | b250c62b3f1da424611acaf3ab5621ce.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  1632 | b250c62b3f1da424611acaf3ab5621ce.exe
  1632 | b250c62b3f1da424611acaf3ab5621ce.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 1632 wrote to memory of 4988 | 1632 | b250c62b3f1da424611acaf3ab5621ce.exe | 96
  PID 1632 wrote to memory of 4988 | 1632 | b250c62b3f1da424611acaf3ab5621ce.exe | 96
  PID 1632 wrote to memory of 4988 | 1632 | b250c62b3f1da424611acaf3ab5621ce.exe | 96
  PID 1632 wrote to memory of 2772 | 1632 | b250c62b3f1da424611acaf3ab5621ce.exe | 99
  PID 1632 wrote to memory of 2772 | 1632 | b250c62b3f1da424611acaf3ab5621ce.exe | 99
  PID 1632 wrote to memory of 2772 | 1632 | b250c62b3f1da424611acaf3ab5621ce.exe | 99
Processes
- C:\Users\Admin\AppData\Local\Temp\b250c62b3f1da424611acaf3ab5621ce.exe (PID 1632)
  Command line: "C:\Users\Admin\AppData\Local\Temp\b250c62b3f1da424611acaf3ab5621ce.exe"
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\zfashlk.exe (PID 4988)
    Command line: C:\Windows\system32\zfashlk.exe ˜‰
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 2772)
    Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\b250c62b3f1da424611acaf3ab5621ce.exe.bat
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 448)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3768 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 182B
  MD5: 4abb5163230be467435a2827f3b68eb8
  SHA1: 5d2019d79979f71474b25f0aecae903a7d73b2ce
  SHA256: 284679f68ed1de52106de7ed96dfe033ea1132f2873ed5a18fc9f5a72b3e21b7
  SHA512: bd62daa58d797ce87a255e931dec507a4c583c5693f679703d932666ff266e5f0c4d8ed16e8d1a309a2d3f2f29debe30dc32589409ab9dfa7cf6f8cdcd49e377
- Filesize: 11KB
  MD5: b250c62b3f1da424611acaf3ab5621ce
  SHA1: a43ebdf943903fd5ac8d9cf890239218e6b5ce86
  SHA256: 4d4648899888a3eab3c24681b9478ec172d1605a2a4d8d7a1c6e939b4739e8eb
  SHA512: 5d42c443102f3d8bcb793d591a6dca79d045897ba275aa27f4733a767f534192c847cda480a99011888f9e32bdbad26650d4534a71bf765e18860b1b35e1ffcf