Analysis
- max time kernel: 165s
- max time network: 168s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
- submitted: 11/03/2024, 10:33

Static task: static1

Behavioral task: behavioral1
- Sample: c05f92828f414facf0b44887e1eef05d.exe
- Resource: win7-20231129-en

Behavioral task: behavioral2
- Sample: c05f92828f414facf0b44887e1eef05d.exe
- Resource: win10v2004-20240226-en
General
- Target: c05f92828f414facf0b44887e1eef05d.exe
- Size: 771KB
- MD5: c05f92828f414facf0b44887e1eef05d
- SHA1: e1dda6ca6919bf862731146fe74a05abaefb78e9
- SHA256: 02ca4e9be871b6bd21136efc96809374a2dbf7422072d8ec5c477b9cb7c3661a
- SHA512: d346a5afc8dda45a18236f5d8d8fa1fc0673070a9d672cdac142b53c3c70c8c92acfb91c05d819caa0bc06c86b71d0be8ab702d4ce6a6a8012e8e3f88fb084f5
- SSDEEP: 24576:FeBLDQQD2VXSRjUCrsb10hJaothZ2/T6FBBB:y/ICrG/ofT
Malware Config
Signatures
- Deletes itself (1 IoC)
  - PID 2052, process c05f92828f414facf0b44887e1eef05d.exe
- Executes dropped EXE (1 IoC)
  - PID 2052, process c05f92828f414facf0b44887e1eef05d.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
  - flow 41, ioc pastebin.com
  - flow 42, ioc pastebin.com
- Suspicious behavior: RenamesItself (1 IoC)
  - PID 4708, process c05f92828f414facf0b44887e1eef05d.exe
- Suspicious use of UnmapMainImage (2 IoCs)
  - PID 4708, process c05f92828f414facf0b44887e1eef05d.exe
  - PID 2052, process c05f92828f414facf0b44887e1eef05d.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  - PID 4708 wrote to memory of 2052 (process c05f92828f414facf0b44887e1eef05d.exe, procid_target 97)
  - PID 4708 wrote to memory of 2052 (process c05f92828f414facf0b44887e1eef05d.exe, procid_target 97)
  - PID 4708 wrote to memory of 2052 (process c05f92828f414facf0b44887e1eef05d.exe, procid_target 97)
Processes
- C:\Users\Admin\AppData\Local\Temp\c05f92828f414facf0b44887e1eef05d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c05f92828f414facf0b44887e1eef05d.exe"
  PID: 4708
  - Suspicious behavior: RenamesItself
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  - Child: C:\Users\Admin\AppData\Local\Temp\c05f92828f414facf0b44887e1eef05d.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\c05f92828f414facf0b44887e1eef05d.exe
    PID: 2052
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of UnmapMainImage
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4256 --field-trial-handle=2252,i,16022092570067181109,3235558581947505669,262144 --variations-seed-version /prefetch:8
  PID: 2572
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 771KB
- MD5: 0016cfc2977bae7e17d8ee35569349d7
- SHA1: 4574ebc12234d5b983dfb87c709826e7085fa032
- SHA256: 16c62fb5eefb1ae553a69e7f79a37096e2c9dcd2e0434e88c9eee227b56341fb
- SHA512: 0482a64c029d2997973d0d7d55c59bbf3e347f80f2c99316bcf981d672c8378bfdf764781f1090784abe554d7502dc22882091b7cce79530817ac627c7eb97ce