Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10/03/2024, 23:06
Static task: static1
Behavioral task: behavioral1
- Sample: bf321d8245b2f2857d8eb7f377b73121.exe
- Resource: win7-20240215-en
Behavioral task: behavioral2
- Sample: bf321d8245b2f2857d8eb7f377b73121.exe
- Resource: win10v2004-20240226-en
General
- Target: bf321d8245b2f2857d8eb7f377b73121.exe
- Size: 907KB
- MD5: bf321d8245b2f2857d8eb7f377b73121
- SHA1: d86c410f30a97b7c19f9bf24f0d21ae8281d60fb
- SHA256: b5f619e386b234071b573e5d785a7f37bd25c6f8bab21b181909410a4b62ad02
- SHA512: f513028bbf66150d3df372af5c2f1d0b96cf29bb884dc2272d8f1d00a2c2e403f1e7f7ea1a1c9f98a0a48a1c6165db136bc9f0b21a15184f54836833661a8295
- SSDEEP: 24576:CDModKoH4TkE/Lr9uVBBQt58am/i4cba/ZS1:CUZ9GWS9PcbgS
Malware Config
Signatures
- Deletes itself (1 IoC)
  pid 4472, Process bf321d8245b2f2857d8eb7f377b73121.exe
- Executes dropped EXE (1 IoC)
  pid 4472, Process bf321d8245b2f2857d8eb7f377b73121.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
  flow 8, ioc pastebin.com
  flow 10, ioc pastebin.com
- Suspicious behavior: RenamesItself (1 IoC)
  pid 3556, Process bf321d8245b2f2857d8eb7f377b73121.exe
- Suspicious use of UnmapMainImage (2 IoCs)
  pid 3556, Process bf321d8245b2f2857d8eb7f377b73121.exe
  pid 4472, Process bf321d8245b2f2857d8eb7f377b73121.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description: PID 3556 wrote to memory of 4472; pid 3556, Process bf321d8245b2f2857d8eb7f377b73121.exe, procid_target 90
  description: PID 3556 wrote to memory of 4472; pid 3556, Process bf321d8245b2f2857d8eb7f377b73121.exe, procid_target 90
  description: PID 3556 wrote to memory of 4472; pid 3556, Process bf321d8245b2f2857d8eb7f377b73121.exe, procid_target 90
Processes
1. C:\Users\Admin\AppData\Local\Temp\bf321d8245b2f2857d8eb7f377b73121.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\bf321d8245b2f2857d8eb7f377b73121.exe"
   PID: 3556
   - Suspicious behavior: RenamesItself
   - Suspicious use of UnmapMainImage
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\bf321d8245b2f2857d8eb7f377b73121.exe (child of PID 3556)
      Command line: C:\Users\Admin\AppData\Local\Temp\bf321d8245b2f2857d8eb7f377b73121.exe
      PID: 4472
      - Deletes itself
      - Executes dropped EXE
      - Suspicious use of UnmapMainImage
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 907KB
- MD5: b71fa71841db3f153306358a5fcb529c
- SHA1: 632a25bfbe5203595339c9b8b3b5bc3d13867ac6
- SHA256: 22ebb7500e5dc54701ccce1a5f15871934f5789e01c6ce8e337e9db0a736b26b
- SHA512: e14786beb3438cf505a45f1064db564ecf7dc4f8f1dadf8de75989dcf8f8b9ff828555f59fd94f42df29eb0b6cfdb55a73ec88ec8421ad21e5561e994c6b45fd