Analysis
- max time kernel: 155s
- max time network: 164s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 07/03/2024, 14:37
Static task
- static1

Behavioral task
- behavioral1
  Sample: b8f7f1c3cb54dd98956cfade0d5b02a6.exe
  Resource: win7-20240221-en

Behavioral task
- behavioral2
  Sample: b8f7f1c3cb54dd98956cfade0d5b02a6.exe
  Resource: win10v2004-20240226-en
General
- Target: b8f7f1c3cb54dd98956cfade0d5b02a6.exe
- Size: 336KB
- MD5: b8f7f1c3cb54dd98956cfade0d5b02a6
- SHA1: 802cedcb7f89c6df1dc1bd36ace24c66474cd0ab
- SHA256: 26a771ec1b7159b3009984f59822620ba5bcd2a675e290a1334ff3a2536ae5ea
- SHA512: 2f9f862f39bb8a1cf87f44a848bb2e8b12f56215643e3643b6e08278023c9195356dd030f2ddbb304149887958925e5b1fb8d0f2a8ff51dd2b0ee8f84d14b0ae
- SSDEEP: 6144:ENr04w8GJEotOrtacrFhqxvtiIZTYix3BuYBIbgmOTd3w:ENr04rnrtacrnnOTYi3B+gmO53
Malware Config
Signatures

- Executes dropped EXE (1 IoC)
  pid    Process
  1360   X

- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid    Process
  1360   X
  1360   X

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description               pid    Process
  Token: SeDebugPrivilege   116    b8f7f1c3cb54dd98956cfade0d5b02a6.exe

- Suspicious use of UnmapMainImage (1 IoC)
  pid    Process
  3360   Explorer.EXE

- Suspicious use of WriteProcessMemory (3 IoCs)
  description                        pid    Process                                procid_target
  PID 116 wrote to memory of 1360    116    b8f7f1c3cb54dd98956cfade0d5b02a6.exe   99
  PID 116 wrote to memory of 1360    116    b8f7f1c3cb54dd98956cfade0d5b02a6.exe   99
  PID 1360 wrote to memory of 3360   1360   X                                      57
Processes

1. C:\Windows\Explorer.EXE
   Command line: C:\Windows\Explorer.EXE
   PID: 3360
   - Suspicious use of UnmapMainImage

   2. C:\Users\Admin\AppData\Local\Temp\b8f7f1c3cb54dd98956cfade0d5b02a6.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\b8f7f1c3cb54dd98956cfade0d5b02a6.exe"
      PID: 116
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\9fc7b2d2\X
         Command line: 193.105.154.210:80
         PID: 1360
         - Executes dropped EXE
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of WriteProcessMemory

1. C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
   Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3688 --field-trial-handle=2252,i,16022092570067181109,3235558581947505669,262144 --variations-seed-version /prefetch:8
   PID: 748
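The process tree and the WriteProcessMemory rows above together describe the chain worth triaging: the sample (PID 116) drops and runs X (PID 1360), which then writes into Explorer.EXE (PID 3360), the same process the report flags for UnmapMainImage. The script below is an added example, not part of the tria.ge report or its tooling: it parses the report's WriteProcessMemory rows (transcribed here as constructed input in the table's own column order: description, pid, Process, procid_target), checks each write against the parent/child tree, and labels writes whose target is not a descendant of the writer as injection. Marking an injection target that also unmapped its main image as "HOLLOW?" is a triage heuristic of this example, not a conclusion the report itself states.

```python
import re

# Constructed input, transcribed from the report above: process tree as
# {pid: (parent_pid, image_path)}; top-level processes have no parent in the report.
PROCESSES = {
    3360: (None, r"C:\Windows\Explorer.EXE"),
    116:  (3360, r"C:\Users\Admin\AppData\Local\Temp\b8f7f1c3cb54dd98956cfade0d5b02a6.exe"),
    1360: (116,  r"C:\Users\Admin\AppData\Local\9fc7b2d2\X"),
    748:  (None, r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"),
}

# The three "Suspicious use of WriteProcessMemory" rows, columns run together as in the report.
WPM_ROWS = [
    "PID 116 wrote to memory of 1360 116 b8f7f1c3cb54dd98956cfade0d5b02a6.exe 99",
    "PID 116 wrote to memory of 1360 116 b8f7f1c3cb54dd98956cfade0d5b02a6.exe 99",
    "PID 1360 wrote to memory of 3360 1360 X 57",
]

# PIDs the report flags under "Suspicious use of UnmapMainImage".
UNMAP_MAIN_IMAGE = {3360}

# description, pid, Process, procid_target, in the report's column order
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)$")


def parse_wpm_rows(rows):
    """Parse report rows into (writer_pid, target_pid, writer_image) edges.

    Repeated rows (one per observed write) collapse to one edge; a row that does
    not match the table layout raises instead of being silently skipped.
    """
    edges = []
    for row in rows:
        m = ROW_RE.match(row.strip())
        if not m:
            raise ValueError(f"unparsed WriteProcessMemory row: {row!r}")
        writer, target, pid_col, image, _procid_target = m.groups()
        if writer != pid_col:
            raise ValueError(f"description/pid column mismatch in row: {row!r}")
        edge = (int(writer), int(target), image)
        if edge not in edges:
            edges.append(edge)
    return edges


def is_descendant(processes, pid, ancestor):
    """True if `ancestor` lies on pid's parent chain in the process tree."""
    cur = processes.get(pid, (None, None))[0]
    while cur is not None:
        if cur == ancestor:
            return True
        cur = processes.get(cur, (None, None))[0]
    return False


def classify_writes(processes, edges, unmapped=frozenset()):
    """Label each cross-process write.

    'child'     : target is a descendant of the writer (a parent preparing a process
                  it spawned; common, but also the usual setup for injection)
    'injection' : target is not a descendant of the writer, so the writer reached into
                  a process it does not own (here a dropped binary into Explorer)
    hollowed    : heuristic flag, set when an injection target is also reported
                  unmapping its main image; that combination is triaged first
    """
    result = []
    for writer, target, image in edges:
        kind = "child" if is_descendant(processes, target, writer) else "injection"
        result.append({
            "writer": writer,
            "writer_image": image,
            "target": target,
            "target_image": processes.get(target, (None, "<unknown>"))[1],
            "kind": kind,
            "hollowed": kind == "injection" and target in unmapped,
        })
    return result


def injection_chain(processes, rows, unmapped=frozenset()):
    """One line per distinct write, in report order, suitable for a triage note."""
    lines = []
    for w in classify_writes(processes, parse_wpm_rows(rows), unmapped):
        tag = "HOLLOW?" if w["hollowed"] else w["kind"].upper()
        lines.append(f"[{tag}] {w['writer']} ({w['writer_image']}) -> "
                     f"{w['target']} ({w['target_image']})")
    return lines


if __name__ == "__main__":
    for line in injection_chain(PROCESSES, WPM_ROWS, UNMAP_MAIN_IMAGE):
        print(line)
```

Run stand-alone it prints two lines: the sample's write into its own child X (CHILD) and X's write into Explorer.EXE (HOLLOW?). The second is the one to pull memory for: Explorer is the writer's grandparent, not something it spawned, and it is the only process the report shows unmapping its main image.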
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 41KB
  MD5: 686b479b0ee164cf1744a8be359ebb7d
  SHA1: 8615e8f967276a85110b198d575982a958581a07
  SHA256: fcfbb4c648649f4825b66504b261f912227ba32cbaabcadf4689020a83fb201b
  SHA512: 7ed8022e2b09f232150b77fc3a25269365b624f19f0b50c46a4fdf744eeb23294c09c051452c4c9dbb34a274f1a0bfc54b3ff1987ec16ae2e54848e22a97ed64