Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 148s
- max time network: 159s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05/03/2024, 23:40
Behavioral task: behavioral1
- Sample: b5f39df2d1b5863c76b031b8ad046287.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: b5f39df2d1b5863c76b031b8ad046287.exe
- Resource: win10v2004-20240226-en
General
- Target: b5f39df2d1b5863c76b031b8ad046287.exe
- Size: 1.5MB
- MD5: b5f39df2d1b5863c76b031b8ad046287
- SHA1: af30e22670423e4cf2a0c337b7525b15142801e0
- SHA256: 9425565c1c89b1dda680906e4d4454dc1c5201c402046a53ff1a669a91abdf4e
- SHA512: fbb426df15ecab475402e6e69d683f90e3facaeced877b51b702be6b613ae1ec61e48d14506cd60a393802cf8385e1e8c21d49a01ca86c34043f9c91e8fbb937
- SSDEEP: 24576:YO7oouzuacf4xq6vYEDxgBfeRSWno5exPdgH4aRW:p7duzulQx/vbDxwfIXoAxFHI
Malware Config
Signatures
- Deletes itself (1 IoCs)
  pid 1172: b5f39df2d1b5863c76b031b8ad046287.exe
- Executes dropped EXE (1 IoCs)
  pid 1172: b5f39df2d1b5863c76b031b8ad046287.exe
- YARA rule matches (rule: upx)
  behavioral2/memory/3104-0-0x0000000000400000-0x00000000008EF000-memory.dmp (upx)
  behavioral2/files/0x000900000002321f-11.dat (upx)
  behavioral2/memory/1172-13-0x0000000000400000-0x00000000008EF000-memory.dmp (upx)
- Suspicious behavior: RenamesItself (1 IoCs)
  pid 3104: b5f39df2d1b5863c76b031b8ad046287.exe
- Suspicious use of UnmapMainImage (2 IoCs)
  pid 3104: b5f39df2d1b5863c76b031b8ad046287.exe
  pid 1172: b5f39df2d1b5863c76b031b8ad046287.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | Process | procid_target
  PID 3104 wrote to memory of 1172 | 3104 | b5f39df2d1b5863c76b031b8ad046287.exe | 87
  PID 3104 wrote to memory of 1172 | 3104 | b5f39df2d1b5863c76b031b8ad046287.exe | 87
  PID 3104 wrote to memory of 1172 | 3104 | b5f39df2d1b5863c76b031b8ad046287.exe | 87
Processes
- C:\Users\Admin\AppData\Local\Temp\b5f39df2d1b5863c76b031b8ad046287.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b5f39df2d1b5863c76b031b8ad046287.exe"
  PID: 3104
  - Suspicious behavior: RenamesItself
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\b5f39df2d1b5863c76b031b8ad046287.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\b5f39df2d1b5863c76b031b8ad046287.exe
    PID: 1172
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of UnmapMainImage
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 1.5MB
- MD5: 4ddb6d5c78e4c5b20d6f5711a6194211
- SHA1: d3fed50743d3f487c29d9c0483650da8db0f46ba
- SHA256: 6241b5cc2dee1ca2a4a4fc7c6997da88237f150753f22b46d2dfc2230c077d49
- SHA512: 92bd5b461176e564b2d4970668d760f06b8dfcda3bf4023620e973f715db0b2f647aa0f9297eab960286c29316cbd7189f27bd7f507a48c6e71217f1b361e1f8