Analysis
max time kernel: 148s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12/03/2024, 07:55
Static task: static1
Behavioral task: behavioral1
  Sample: c2d98bd69ffad7dad19a57f8ae74bfd7.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: c2d98bd69ffad7dad19a57f8ae74bfd7.exe
  Resource: win10v2004-20240226-en
General
Target: c2d98bd69ffad7dad19a57f8ae74bfd7.exe
Size: 907KB
MD5: c2d98bd69ffad7dad19a57f8ae74bfd7
SHA1: 32335c12c61c779f2f10d766c03bf45873983655
SHA256: f61a5d7fda536edd2e42d8b3ce312ae40f7b6601c024734401e857ed7a80bae0
SHA512: e69bca1e5ce95ba63bf3b717effe9f03c0be308a21ac8b850613e151f05cd02620aec861e41a0b8da0f8ca788602f5a74d94d56097397a71b3106a312211ea76
SSDEEP: 12288:pycG0+muTTRWAKtAhmhPQlhgxyUre2E7wV9ZXpsA7bZIdWjVDa/ZS1:p20WfRWGEPQlzUC2E81KA7lIdUa/ZS1
Malware Config
Signatures
Deletes itself (1 IoCs)
  pid   Process
  4444  c2d98bd69ffad7dad19a57f8ae74bfd7.exe
Executes dropped EXE (1 IoCs)
  pid   Process
  4444  c2d98bd69ffad7dad19a57f8ae74bfd7.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)
  flow  ioc
  7     pastebin.com
  8     pastebin.com
Suspicious behavior: RenamesItself (1 IoCs)
  pid   Process
  1608  c2d98bd69ffad7dad19a57f8ae74bfd7.exe
Suspicious use of UnmapMainImage (2 IoCs)
  pid   Process
  1608  c2d98bd69ffad7dad19a57f8ae74bfd7.exe
  4444  c2d98bd69ffad7dad19a57f8ae74bfd7.exe
Suspicious use of WriteProcessMemory (3 IoCs)
  description                       pid   Process                               procid_target
  PID 1608 wrote to memory of 4444  1608  c2d98bd69ffad7dad19a57f8ae74bfd7.exe  91
  PID 1608 wrote to memory of 4444  1608  c2d98bd69ffad7dad19a57f8ae74bfd7.exe  91
  PID 1608 wrote to memory of 4444  1608  c2d98bd69ffad7dad19a57f8ae74bfd7.exe  91
Processes
Depth 1: C:\Users\Admin\AppData\Local\Temp\c2d98bd69ffad7dad19a57f8ae74bfd7.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c2d98bd69ffad7dad19a57f8ae74bfd7.exe"
  PID: 1608
  - Suspicious behavior: RenamesItself
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  Depth 2 (child of PID 1608): C:\Users\Admin\AppData\Local\Temp\c2d98bd69ffad7dad19a57f8ae74bfd7.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\c2d98bd69ffad7dad19a57f8ae74bfd7.exe
    PID: 4444
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of UnmapMainImage
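The signature and process-tree data above describe one parent (PID 1608) spawning a second copy of its own image (PID 4444), writing into that child's memory, with both processes unmapping their main image. The script below is an added example, not part of the tria.ge report, that turns those report rows into a simple self-injection heuristic: it parses the flattened WriteProcessMemory rows, checks that the target is a child the writer itself spawned from the same image, and collects the corroborating signatures. The process list, signature hits and WriteProcessMemory rows are transcribed from this report; the parent-child link for PID 4444 is taken from the tree depth. The label "self-injection" and the evidence scoring are the example's own heuristic, not a technique assigned by the report.

```python
import re
from collections import defaultdict

# Process tree transcribed from the report: (pid, parent pid, image path).
IMAGE = r"C:\Users\Admin\AppData\Local\Temp\c2d98bd69ffad7dad19a57f8ae74bfd7.exe"
PROCESSES = [
    (1608, None, IMAGE),
    (4444, 1608, IMAGE),  # depth-2 entry under PID 1608
]

# Signature hits as (signature, pid), transcribed from the Signatures section.
SIGNATURE_HITS = [
    ("Deletes itself", 4444),
    ("Executes dropped EXE", 4444),
    ("Suspicious behavior: RenamesItself", 1608),
    ("Suspicious use of UnmapMainImage", 1608),
    ("Suspicious use of UnmapMainImage", 4444),
]

# WriteProcessMemory IoC rows in the flattened
# "description pid Process procid_target" form the report uses (three identical rows).
WPM_ROWS = [
    "PID 1608 wrote to memory of 4444 1608 c2d98bd69ffad7dad19a57f8ae74bfd7.exe 91",
] * 3

WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)$")


def parse_wpm(rows):
    """Parse flattened WriteProcessMemory rows into de-duplicated (writer, target) pid pairs."""
    pairs = set()
    for row in rows:
        m = WPM_RE.match(row.strip())
        if not m:
            raise ValueError(f"unrecognised WriteProcessMemory row: {row!r}")
        pairs.add((int(m.group(1)), int(m.group(2))))
    return sorted(pairs)


def find_self_injection(processes, hits, wpm_rows):
    """Flag parent-to-child memory writes where the child runs the parent's own image.

    Heuristic only (this example's assumption, not the report's): a process that
    spawns its own image, writes into it, and unmaps the main image on both sides
    is a pattern analysts commonly associate with process hollowing. Each
    corroborating signature adds one point to the finding's score.
    """
    by_pid = {pid: (ppid, image) for pid, ppid, image in processes}
    sigs = defaultdict(set)
    for name, pid in hits:
        sigs[pid].add(name)

    findings = []
    for writer, target in parse_wpm(wpm_rows):
        if writer == target or writer not in by_pid or target not in by_pid:
            continue
        ppid, target_image = by_pid[target]
        _, writer_image = by_pid[writer]
        if ppid != writer:
            continue  # only writes into a process the writer itself spawned
        evidence = ["parent wrote to child memory"]
        if target_image.lower() == writer_image.lower():
            evidence.append("child spawned from parent's own image")
        if "Suspicious use of UnmapMainImage" in (sigs[writer] & sigs[target]):
            evidence.append("both processes unmapped their main image")
        if "Executes dropped EXE" in sigs[target]:
            evidence.append("child is a dropped executable")
        if "Deletes itself" in sigs[target]:
            evidence.append("child deleted its own file")
        if "Suspicious behavior: RenamesItself" in sigs[writer]:
            evidence.append("parent renamed itself")
        findings.append({"writer": writer, "target": target, "image": target_image,
                         "evidence": evidence, "score": len(evidence)})
    return findings


if __name__ == "__main__":
    for f in find_self_injection(PROCESSES, SIGNATURE_HITS, WPM_ROWS):
        print(f"PID {f['writer']} -> PID {f['target']} ({f['image']}) score={f['score']}")
        for e in f["evidence"]:
            print("  -", e)
```

For this report the heuristic yields a single finding, 1608 -> 4444, with all six evidence points. The de-duplication in parse_wpm matters because tria.ge lists one IoC row per observed write, so the same writer/target pair appears three times here.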
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 907KB
MD5: 61f519970456d3b055bede1969a0b5e4
SHA1: 0b8bfff722d59f8c2e14d5f4f2d7cd39e0ab6a66
SHA256: c898a31be8b40b00928a2f43890605c61149b2c67cc1767315bd494753d181d2
SHA512: 0eb2439c40e45aa983459cb6b5ec8188544cfe1fc3880f94c35fc6ebb93ef4c150302a37ebcee24a9b229db71ab94d16283f8e9e1ec8ce91f8e62661599231ea