Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    151s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04/03/2024, 14:05

General

  • Target

    b250c62b3f1da424611acaf3ab5621ce.exe

  • Size

    11KB

  • MD5

    b250c62b3f1da424611acaf3ab5621ce

  • SHA1

    a43ebdf943903fd5ac8d9cf890239218e6b5ce86

  • SHA256

    4d4648899888a3eab3c24681b9478ec172d1605a2a4d8d7a1c6e939b4739e8eb

  • SHA512

    5d42c443102f3d8bcb793d591a6dca79d045897ba275aa27f4733a767f534192c847cda480a99011888f9e32bdbad26650d4534a71bf765e18860b1b35e1ffcf

  • SSDEEP

    192:0aww1AUaE0Pmr6iZTK+jZWPFfn6Kv1e1Box18KkNLPS7bg:JAK0PmOiZTZItnf1UB6GKkNL6Pg

Score
8/10

Malware Config

Signatures

  • Modifies AppInit DLL entries 2 TTPs
  • Executes dropped EXE 1 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in System32 directory 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b250c62b3f1da424611acaf3ab5621ce.exe
    "C:\Users\Admin\AppData\Local\Temp\b250c62b3f1da424611acaf3ab5621ce.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1632
    • C:\Windows\SysWOW64\zfashlk.exe
      C:\Windows\system32\zfashlk.exe ˜‰
      2⤵
      • Executes dropped EXE
      PID:4988
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\b250c62b3f1da424611acaf3ab5621ce.exe.bat
      2⤵
        PID:2772
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3768 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:8
      1⤵
        PID:448

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\b250c62b3f1da424611acaf3ab5621ce.exe.bat

        Filesize

        182B

        MD5

        4abb5163230be467435a2827f3b68eb8

        SHA1

        5d2019d79979f71474b25f0aecae903a7d73b2ce

        SHA256

        284679f68ed1de52106de7ed96dfe033ea1132f2873ed5a18fc9f5a72b3e21b7

        SHA512

        bd62daa58d797ce87a255e931dec507a4c583c5693f679703d932666ff266e5f0c4d8ed16e8d1a309a2d3f2f29debe30dc32589409ab9dfa7cf6f8cdcd49e377

      • C:\Windows\SysWOW64\zfashlk.exe

        Filesize

        11KB

        MD5

        b250c62b3f1da424611acaf3ab5621ce

        SHA1

        a43ebdf943903fd5ac8d9cf890239218e6b5ce86

        SHA256

        4d4648899888a3eab3c24681b9478ec172d1605a2a4d8d7a1c6e939b4739e8eb

        SHA512

        5d42c443102f3d8bcb793d591a6dca79d045897ba275aa27f4733a767f534192c847cda480a99011888f9e32bdbad26650d4534a71bf765e18860b1b35e1ffcf

      • memory/1632-0-0x0000000000400000-0x000000000040E000-memory.dmp

        Filesize

        56KB

      • memory/1632-6-0x0000000000400000-0x000000000040E000-memory.dmp

        Filesize

        56KB

      • memory/4988-7-0x0000000000400000-0x000000000040E000-memory.dmp

        Filesize

        56KB