Analysis
- max time kernel: 139s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 08/03/2024, 05:57
Behavioral task: behavioral1
- Sample: baaff9ad41f17f00b577a41281fe71e1.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: baaff9ad41f17f00b577a41281fe71e1.exe
- Resource: win10v2004-20240226-en
General
- Target: baaff9ad41f17f00b577a41281fe71e1.exe
- Size: 2.9MB
- MD5: baaff9ad41f17f00b577a41281fe71e1
- SHA1: d32348dd24887bea85ad3c344699740ef685d886
- SHA256: a77f42dfa14c72c7981820ced72aff9d28972e88b3f62dbc2b6e914187ce4a2d
- SHA512: 2a80e00927480e950212d41e4565afaef1366e58f01211750ace88893f55f8796c7e1432e9595879fed58d13debf6e366fe3083389b311ce00de96c141b15a84
- SSDEEP: 49152:1WU/cTgeQtQgUqEHX9wTNXqBUZ9zH0L02AKUXjDb/kqgn8EMOGj:Eqc0eQjUX9q5qGZ9zU4Trz8R8us
Malware Config
Signatures
- Deletes itself (1 IoC)
  pid 3332  Process baaff9ad41f17f00b577a41281fe71e1.exe
- Executes dropped EXE (1 IoC)
  pid 3332  Process baaff9ad41f17f00b577a41281fe71e1.exe
- YARA rule match (yara_rule: upx)
  resource behavioral2/memory/624-0-0x0000000000400000-0x00000000008EF000-memory.dmp  yara_rule upx
  resource behavioral2/files/0x000300000001e9a0-11.dat  yara_rule upx
- Suspicious behavior: RenamesItself (1 IoC)
  pid 624  Process baaff9ad41f17f00b577a41281fe71e1.exe
- Suspicious use of UnmapMainImage (2 IoCs)
  pid 624   Process baaff9ad41f17f00b577a41281fe71e1.exe
  pid 3332  Process baaff9ad41f17f00b577a41281fe71e1.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description: PID 624 wrote to memory of 3332  pid 624  Process baaff9ad41f17f00b577a41281fe71e1.exe  procid_target 89
  description: PID 624 wrote to memory of 3332  pid 624  Process baaff9ad41f17f00b577a41281fe71e1.exe  procid_target 89
  description: PID 624 wrote to memory of 3332  pid 624  Process baaff9ad41f17f00b577a41281fe71e1.exe  procid_target 89
Processes
- C:\Users\Admin\AppData\Local\Temp\baaff9ad41f17f00b577a41281fe71e1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\baaff9ad41f17f00b577a41281fe71e1.exe"
  PID: 624
  - Suspicious behavior: RenamesItself
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\baaff9ad41f17f00b577a41281fe71e1.exe (child of PID 624)
    Command line: C:\Users\Admin\AppData\Local\Temp\baaff9ad41f17f00b577a41281fe71e1.exe
    PID: 3332
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of UnmapMainImage
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 862KB
  MD5: 49961cfa16d7d9218851a0ea9294b294
  SHA1: 7962017809c5decf3ff0109236d970ebb26542db
  SHA256: 801163a907a1e1b8d409cd8e77c9d0fe6ee3c498fb49879408ab99dfc7d1051f
  SHA512: 72fe1bd0fa884ee93adbf11ed2f5bb42c358971da2f6eca6db4b08eb17bad29db67f0695c9dbaaf59acbf965b9a5d8c09020aefe7b6dfbbc07d0d29795b55784