Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10/03/2024, 23:31
Static task: static1
Behavioral task behavioral1: sample bf3e2b7e1d058aa6de1ed557e292814d.exe, resource win7-20240215-en
Behavioral task behavioral2: sample bf3e2b7e1d058aa6de1ed557e292814d.exe, resource win10v2004-20240226-en
General
Target: bf3e2b7e1d058aa6de1ed557e292814d.exe
Size: 208KB
MD5: bf3e2b7e1d058aa6de1ed557e292814d
SHA1: 4dd55c8113abba9dfdc2374078f9790866ed6b64
SHA256: 1a432f2085120f3804f9bf787187169e53084500636fe1bac92f092e15f66176
SHA512: 1e56084deef7731471705e63a14f2f24d5432a50cd33977ec91c2a7079fcf420d248c2d2f2c2bfb6afb76b3ea4d1a51af319c27415d65a7c701f5f984c9393ae
SSDEEP: 6144:ml0n6augQyP0JEO8q9B0h3X0uNVbXNADFS5uKA/TIB:xn6auC8Jl8qMhnxVb9ADFS5uzTI
Malware Config
Signatures
-
Executes dropped EXE (2 IoCs)
pid   process
4368  u.dll
4904  mpress.exe

Modifies registry class (2 IoCs)
description  ioc                                                                                     process
Key created  \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings    calc.exe
Key created  \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings    calc.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
pid   process
1724  OpenWith.exe
2964  OpenWith.exe

Suspicious use of WriteProcessMemory (15 IoCs; each row is listed three times in the report, shown once here with its count)
description                         pid   process                                procid_target  count
PID 2088 wrote to memory of 2924    2088  bf3e2b7e1d058aa6de1ed557e292814d.exe   90             3
PID 2924 wrote to memory of 4368    2924  cmd.exe                                91             3
PID 4368 wrote to memory of 4904    4368  u.dll                                  93             3
PID 2924 wrote to memory of 8       2924  cmd.exe                                96             3
PID 2924 wrote to memory of 3268    2924  cmd.exe                                99             3
Processes
[1] C:\Users\Admin\AppData\Local\Temp\bf3e2b7e1d058aa6de1ed557e292814d.exe (PID 2088)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\bf3e2b7e1d058aa6de1ed557e292814d.exe"
    signatures: Suspicious use of WriteProcessMemory
    [2] C:\Windows\SysWOW64\cmd.exe (PID 2924)
        cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3A88.tmp\vir.bat""
        signatures: Suspicious use of WriteProcessMemory
        [3] C:\Users\Admin\AppData\Local\Temp\u.dll (PID 4368)
            cmdline: u.dll -bat vir.bat -save bf3e2b7e1d058aa6de1ed557e292814d.exe.com -include s.dll -overwrite -nodelete
            signatures: Executes dropped EXE, Suspicious use of WriteProcessMemory
            [4] C:\Users\Admin\AppData\Local\Temp\3B63.tmp\mpress.exe (PID 4904)
                cmdline: "C:\Users\Admin\AppData\Local\Temp\3B63.tmp\mpress.exe" "C:\Users\Admin\AppData\Local\Temp\exe3B64.tmp"
                signatures: Executes dropped EXE
        [3] C:\Windows\SysWOW64\calc.exe (PID 8)
            cmdline: CALC.EXE
            signatures: Modifies registry class
        [3] C:\Windows\SysWOW64\calc.exe (PID 3268)
            cmdline: CALC.EXE
            signatures: Modifies registry class
[1] C:\Windows\system32\OpenWith.exe (PID 1724)
    cmdline: C:\Windows\system32\OpenWith.exe -Embedding
    signatures: Suspicious use of SetWindowsHookEx
[1] C:\Windows\system32\OpenWith.exe (PID 2964)
    cmdline: C:\Windows\system32\OpenWith.exe -Embedding
    signatures: Suspicious use of SetWindowsHookEx
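Read together, the WriteProcessMemory rows and the process tree describe one chain: the sample runs a vir.bat from a temp directory through cmd.exe, that batch launches u.dll as an executable (note the .dll name on a process, and the -save ...exe.com / -include s.dll / -overwrite arguments), u.dll runs mpress.exe (the name of the MPRESS packer) on a temporary file, and cmd.exe separately starts calc.exe twice. The script below is an added example, not tria.ge's code: it parses the report's own WriteProcessMemory rows (copied verbatim, including the triplication), combines them with the PID-to-image mapping read off the Processes section, rebuilds the tree, and flags any process started by cmd.exe whose image name is not .exe or .com. The flagging heuristic is mine, not a tria.ge signature.

```python
"""Rebuild the process tree from the tria.ge signature rows above and flag the
cmd.exe -> u.dll -> mpress.exe chain. Added example, not tria.ge's code."""
import re
from collections import defaultdict

# Rows copied verbatim from the "Suspicious use of WriteProcessMemory" signature
# (tria.ge lists each write three times; the parser de-duplicates them).
WPM_ROWS = """
PID 2088 wrote to memory of 2924 2088 bf3e2b7e1d058aa6de1ed557e292814d.exe 90
PID 2088 wrote to memory of 2924 2088 bf3e2b7e1d058aa6de1ed557e292814d.exe 90
PID 2088 wrote to memory of 2924 2088 bf3e2b7e1d058aa6de1ed557e292814d.exe 90
PID 2924 wrote to memory of 4368 2924 cmd.exe 91
PID 2924 wrote to memory of 4368 2924 cmd.exe 91
PID 2924 wrote to memory of 4368 2924 cmd.exe 91
PID 4368 wrote to memory of 4904 4368 u.dll 93
PID 4368 wrote to memory of 4904 4368 u.dll 93
PID 4368 wrote to memory of 4904 4368 u.dll 93
PID 2924 wrote to memory of 8 2924 cmd.exe 96
PID 2924 wrote to memory of 8 2924 cmd.exe 96
PID 2924 wrote to memory of 8 2924 cmd.exe 96
PID 2924 wrote to memory of 3268 2924 cmd.exe 99
PID 2924 wrote to memory of 3268 2924 cmd.exe 99
PID 2924 wrote to memory of 3268 2924 cmd.exe 99
"""

# Image name per PID, taken from the Processes section of the report.
IMAGES = {
    2088: "bf3e2b7e1d058aa6de1ed557e292814d.exe",
    2924: "cmd.exe",
    4368: "u.dll",
    4904: "mpress.exe",
    8: "calc.exe",
    3268: "calc.exe",
}

# description, pid, process, procid_target (the trailing number is tria.ge's
# internal process index, not the target's Windows PID)
ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)")


def parse_rows(text):
    """Return unique (writer_pid, target_pid) edges in report order."""
    edges, seen = [], set()
    for line in text.splitlines():
        m = ROW_RE.search(line)
        if not m:
            continue
        edge = (int(m.group(1)), int(m.group(2)))
        if edge not in seen:
            seen.add(edge)
            edges.append(edge)
    return edges


def parent_map(edges):
    """Treat the writer as the parent; in this report the edges coincide
    with the parent/child relationships shown in the Processes section."""
    return {child: parent for parent, child in edges}


def ancestry(pid, edges, images=IMAGES):
    """Image names from the root down to pid."""
    parents = parent_map(edges)
    chain = [pid]
    while chain[-1] in parents:
        chain.append(parents[chain[-1]])
    return [images.get(p, str(p)) for p in reversed(chain)]


def render_tree(edges, images=IMAGES):
    """Indented text tree, one line per process, roots first."""
    children = defaultdict(list)
    for parent, child in edges:
        children[parent].append(child)
    parents = parent_map(edges)
    roots = [p for p, _ in edges if p not in parents]
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{images.get(pid, '?')} (PID {pid})")
        for c in children[pid]:
            walk(c, depth + 1)

    for r in dict.fromkeys(roots):  # de-duplicate while keeping order
        walk(r, 0)
    return "\n".join(lines)


def flag_non_exe_children(edges, images=IMAGES):
    """Heuristic (mine, not a tria.ge signature): a process launched by cmd.exe
    whose image name is not .exe/.com, reported with its full ancestry."""
    findings = []
    for parent, child in edges:
        pimg, cimg = images.get(parent, ""), images.get(child, "")
        if pimg.lower() == "cmd.exe" and not cimg.lower().endswith((".exe", ".com")):
            findings.append((child, " -> ".join(ancestry(child, edges, images))))
    return findings


if __name__ == "__main__":
    edges = parse_rows(WPM_ROWS)
    print(render_tree(edges))
    for pid, chain in flag_non_exe_children(edges):
        print(f"FLAG pid {pid}: {chain}")
```

Run as-is it prints the six-process tree and one finding, PID 4368 with the chain bf3e2b7e1d058aa6de1ed557e292814d.exe -> cmd.exe -> u.dll. The OpenWith.exe processes do not appear because no WriteProcessMemory row names them; they are roots of their own in the Processes section.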
Network
MITRE ATT&CK Matrix
Downloads
- Filesize 1KB
  MD5    c967404114b059eff8c96c064cc4cc97
  SHA1   a193f6b4311ce38ea87f3c3999ff10f11d1e0659
  SHA256 aa583180492d35d6bbfabe582c263a3c682ab628cdddd8861ab765caf190e148
  SHA512 338cdfc682b23bc2ef2e6c3284e183160c2b3aa9ac4d15e8eab67c1c0c1bdfed871905df2161ebd8f7ff06cf4f0a065b76d7defb3239258b1de4a0707a1edaa6
- Filesize 100KB
  MD5    e42b81b9636152c78ba480c1c47d3c7f
  SHA1   66a2fca3925428ee91ad9df5b76b90b34d28e0f8
  SHA256 7c24c72439880e502be51da5d991b9b56a1af242b4eef4737f0f43b4a87546d2
  SHA512 4b2986106325c5c3fe11ab460f646d4740eb85252aa191f2b84e29901fac146d7a82e31c72d39c38a70277f78278621ee506d9da2681f5019cd64c7df85cff6e
- Filesize 41KB
  MD5    71ce3645ecf4a753408f77c5a8bad638
  SHA1   9b8252af055414bb69e5ce0f1826066c27c0d63e
  SHA256 75e8f3a8df737002f0d4be1064a96490ca1c56148ea69781abaaa6299eff9b21
  SHA512 79a8d69275afc627a9102e62f05d3867ef013a11c174dd4981fe31494d3f6e127032fdcc92fae99aaac2a485a6acdf0d7fdf6df120c53a024740ff1786f51c6e
- Filesize 741KB
  MD5    cd0bf0038de3a347240791f669197da5
  SHA1   0f074a6481b0ca7e31c3c3eef5020dfccef5af8d
  SHA256 9a7cb94d3408a4406c4f76f58b5580aa8e916979f5d0a4b5f36d0f02e8119fb4
  SHA512 d10c393a98b3e5139e31132e93b4efbc046c814c1222e8b768004cc7df45f2ec8e9e0417efdd7c216ba5a6946aa3b72af2f13ad75a27f1edf888ef7036921448
- Filesize 207KB
  MD5    6a49480e106e267a9a4697e982b6c245
  SHA1   21aba0ff157fdd0f4ab31ccb9e709a6cbbc13035
  SHA256 da8d430bdc11975821ac3b5c950db54d821fbcc8c5cdb77758dd5e6bbae768b3
  SHA512 a8ee4b2b7b06832ae842faba953919fc6e8dadd9c9a42298ab1aa301b4d8e5e40b9350411cdc3bc861fe6735ce52ce1448a21a0a7b79ac9f31838a8518b94dd9
- Filesize 700KB
  MD5    3c9568b0d86a865f9f73d9c0967cfdad
  SHA1   3270df3e0e600f4df2c3cbc384837693a8a3a83e
  SHA256 c7b97a001b39e17382e929aad924555f3d21886b86aed38cffd660490801d1d6
  SHA512 bd423d1d57823b1bf6db42aeec199aa93178a9317ead85b42b60e091aaf4f73ce721bc07fda4750e112c4dccb9d87e21d5793965da9d6e92b0c5bed92c26876f
- Filesize 1KB
  MD5    585482c70b7868d36ec7e7ef19da8dd3
  SHA1   4939b633661c2c1e003a7afb54adec3e3a616ef6
  SHA256 c6b7c9c3551fc0744f3d4dc439b92a5395bf79858d755e3e4e586a17c6ea8560
  SHA512 8d38a91c821c1103efcf24dd84e5a9bd9ba724b4b7cf4d04efae1fc574cab3f181701b040725e52a6a19dea80aeaf4f3f46ffeeac1a70d0be5a903e041b2169f