Analysis
max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags
arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted
06/03/2024, 12:14
Static task
static1
Behavioral task
behavioral1
Sample
b7607e14bf76f77913e26d28645aebc4.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
b7607e14bf76f77913e26d28645aebc4.exe
Resource
win10v2004-20240226-en
General
Target
b7607e14bf76f77913e26d28645aebc4.exe
Size
241KB
MD5
b7607e14bf76f77913e26d28645aebc4
SHA1
e2298267fd6e3281df1ab5db933c015a166d11d9
SHA256
e9d3661cea102b1ef6c0c9d0a34f1cf8b524d002a046a7ae8a51eec0293f0065
SHA512
fb8f8fb352fb12a4894ae514769bafbd14e69323da917ac3fe9238375fb48a8563588f5d898ebcf8b8c139e555c5c8c80771a0dd24942bcbf8990b2e4000eef3
SSDEEP
6144:0a4MgkRF0CGtYpbeCXf8oOn5kxY/FFpnnDG2niTHsiZ1cMfMCc1zTdB0zJ:0a4MjReCGtYpbt0o05iY/FFBDjnmHfcu
Malware Config
Signatures
Deletes itself (1 IoCs)
pid   Process
4208  b7607e14bf76f77913e26d28645aebc4.exe
Executes dropped EXE (1 IoCs)
pid   Process
4208  b7607e14bf76f77913e26d28645aebc4.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)
flow  ioc
19    pastebin.com
21    pastebin.com
Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)
pid   Process
4208  b7607e14bf76f77913e26d28645aebc4.exe
Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid   Process
3388  schtasks.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid   Process
4208  b7607e14bf76f77913e26d28645aebc4.exe
4208  b7607e14bf76f77913e26d28645aebc4.exe
Suspicious behavior: RenamesItself (1 IoCs)
pid   Process
2792  b7607e14bf76f77913e26d28645aebc4.exe
Suspicious use of UnmapMainImage (2 IoCs)
pid   Process
2792  b7607e14bf76f77913e26d28645aebc4.exe
4208  b7607e14bf76f77913e26d28645aebc4.exe
Suspicious use of WriteProcessMemory (6 IoCs)
description                        pid   Process                               procid_target
PID 2792 wrote to memory of 4208   2792  b7607e14bf76f77913e26d28645aebc4.exe  87
PID 2792 wrote to memory of 4208   2792  b7607e14bf76f77913e26d28645aebc4.exe  87
PID 2792 wrote to memory of 4208   2792  b7607e14bf76f77913e26d28645aebc4.exe  87
PID 4208 wrote to memory of 3388   4208  b7607e14bf76f77913e26d28645aebc4.exe  90
PID 4208 wrote to memory of 3388   4208  b7607e14bf76f77913e26d28645aebc4.exe  90
PID 4208 wrote to memory of 3388   4208  b7607e14bf76f77913e26d28645aebc4.exe  90
Processes
Depth 1
Path: C:\Users\Admin\AppData\Local\Temp\b7607e14bf76f77913e26d28645aebc4.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\b7607e14bf76f77913e26d28645aebc4.exe"
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2792
  Depth 2
  Path: C:\Users\Admin\AppData\Local\Temp\b7607e14bf76f77913e26d28645aebc4.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\b7607e14bf76f77913e26d28645aebc4.exe
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:4208
    Depth 3
    Path: C:\Windows\SysWOW64\schtasks.exe
    Command line: schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\b7607e14bf76f77913e26d28645aebc4.exe" /TN Google_Trk_Updater /F
    - Creates scheduled task(s)
    PID:3388
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize
241KB
MD5
a3a52e82d4a8bdcc09c517c061e63279
SHA1
448d457dafd9defaa445d98cb07882aa74ecd639
SHA256
1042bdf3e6506087f738c7ea8b7cb74d8569cbe14ca86de62cc88d440e4959ba
SHA512
adcc1ac336d9bad6e77d7d52dff23acf767038f417d0b00c2beb5cc3979196067235e46dd3cb69b9f989b644afd5461012511100ede91d0538728e07817d590c