Analysis
max time kernel: 149s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06/03/2024, 00:12
Static task: static1
Behavioral task: behavioral1
  Sample: b6046f3becd927815c16b035bc2c7636.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: b6046f3becd927815c16b035bc2c7636.exe
  Resource: win10v2004-20240226-en
General
Target: b6046f3becd927815c16b035bc2c7636.exe
Size: 113KB
MD5: b6046f3becd927815c16b035bc2c7636
SHA1: 5af0243d6575061721143de83d68a844679ce27a
SHA256: 862679b5c1657dc67c0d0e4810016e23220eca04f3a65c223b6546cded60050c
SHA512: 9c3d1796c00513a7ddd1142b8cfa5736b383185e8cb8c3257464ec1215944f52e8bc64f864e136fbbb1e4bec73d5a1ba16e24125223aa66c09fbff96f7c6028e
SSDEEP: 3072:C6LOUpmXnG86kZNz+GHjjcs0NtW2mD54r5ae3eLOUpl:1A3G86uNT5sGz
Malware Config
Signatures
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Backup = "D:\\Backup.exe" | reg.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updates = "D:\\Updates.exe" | reg.exe
Modifies registry key (1 TTPs, 2 IoCs)
pid | Process
4744 | reg.exe
3500 | reg.exe
Suspicious use of SetWindowsHookEx (1 IoCs)
pid | Process
3148 | b6046f3becd927815c16b035bc2c7636.exe
Suspicious use of WriteProcessMemory (12 IoCs)
description | pid | Process | procid_target
PID 3148 wrote to memory of 3088 | 3148 | b6046f3becd927815c16b035bc2c7636.exe | 89
PID 3148 wrote to memory of 3088 | 3148 | b6046f3becd927815c16b035bc2c7636.exe | 89
PID 3148 wrote to memory of 3088 | 3148 | b6046f3becd927815c16b035bc2c7636.exe | 89
PID 3148 wrote to memory of 3276 | 3148 | b6046f3becd927815c16b035bc2c7636.exe | 90
PID 3148 wrote to memory of 3276 | 3148 | b6046f3becd927815c16b035bc2c7636.exe | 90
PID 3148 wrote to memory of 3276 | 3148 | b6046f3becd927815c16b035bc2c7636.exe | 90
PID 3276 wrote to memory of 4744 | 3276 | cmd.exe | 93
PID 3276 wrote to memory of 4744 | 3276 | cmd.exe | 93
PID 3276 wrote to memory of 4744 | 3276 | cmd.exe | 93
PID 3088 wrote to memory of 3500 | 3088 | cmd.exe | 94
PID 3088 wrote to memory of 3500 | 3088 | cmd.exe | 94
PID 3088 wrote to memory of 3500 | 3088 | cmd.exe | 94
Processes
C:\Users\Admin\AppData\Local\Temp\b6046f3becd927815c16b035bc2c7636.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\b6046f3becd927815c16b035bc2c7636.exe"
  PID: 3148
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe
    command line: cmd /c reg add HKCU\software\microsoft\windows\currentversion\run /v Updates /t REG_SZ /d D:\Updates.exe /f
    PID: 3088
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\reg.exe
      command line: reg add HKCU\software\microsoft\windows\currentversion\run /v Updates /t REG_SZ /d D:\Updates.exe /f
      PID: 3500
      - Adds Run key to start application
      - Modifies registry key
  C:\Windows\SysWOW64\cmd.exe
    command line: cmd /c reg add HKCU\software\microsoft\windows\currentversion\run /v Backup /t REG_SZ /d D:\Backup.exe /f
    PID: 3276
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\reg.exe
      command line: reg add HKCU\software\microsoft\windows\currentversion\run /v Backup /t REG_SZ /d D:\Backup.exe /f
      PID: 4744
      - Adds Run key to start application
      - Modifies registry key
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 113KB
MD5: b6046f3becd927815c16b035bc2c7636
SHA1: 5af0243d6575061721143de83d68a844679ce27a
SHA256: 862679b5c1657dc67c0d0e4810016e23220eca04f3a65c223b6546cded60050c
SHA512: 9c3d1796c00513a7ddd1142b8cfa5736b383185e8cb8c3257464ec1215944f52e8bc64f864e136fbbb1e4bec73d5a1ba16e24125223aa66c09fbff96f7c6028e