Analysis
- max time kernel: 143s
- max time network: 144s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 13/03/2024, 05:09
Static task
- static1

Behavioral task
- behavioral1
  - Sample: c50e61c7d38f4e13613e98b5c0b6b4a2.exe
  - Resource: win7-20240221-en

Behavioral task
- behavioral2
  - Sample: c50e61c7d38f4e13613e98b5c0b6b4a2.exe
  - Resource: win10v2004-20240226-en
General
- Target: c50e61c7d38f4e13613e98b5c0b6b4a2.exe
- Size: 385KB
- MD5: c50e61c7d38f4e13613e98b5c0b6b4a2
- SHA1: 31514a58efebe3bbf604ddf250316f307dd66f57
- SHA256: 3b585d6f3ad93dc9f085ffb91dc4d7ef331d416f4948c5850c4535b7d2144209
- SHA512: 1b6ef62ea0b1cc8e0b8359f6e5e5834c8aff92ba1c34b41d13690c1ca95d37ea7c879754c172740ea6420e8cb4659316890c9a3a6ee74ca2e5761f75ec1cda2a
- SSDEEP: 6144:mp2UNSG9uTvFPqbqnQ2D9/n5HvymxNmPbMn9m10tDP82mPA4J7jBeKYzIEIPvB:mZovFQqnQ2BP5HvyDTC04kwkBe38vB
Malware Config
Signatures
- Deletes itself (1 IoC)
  - pid 3860, Process c50e61c7d38f4e13613e98b5c0b6b4a2.exe
- Executes dropped EXE (1 IoC)
  - pid 3860, Process c50e61c7d38f4e13613e98b5c0b6b4a2.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
  - flow 11, ioc pastebin.com
  - flow 10, ioc pastebin.com
- Suspicious behavior: RenamesItself (1 IoC)
  - pid 2468, Process c50e61c7d38f4e13613e98b5c0b6b4a2.exe
- Suspicious use of UnmapMainImage (2 IoCs)
  - pid 2468, Process c50e61c7d38f4e13613e98b5c0b6b4a2.exe
  - pid 3860, Process c50e61c7d38f4e13613e98b5c0b6b4a2.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  - description: PID 2468 wrote to memory of 3860; pid 2468; Process c50e61c7d38f4e13613e98b5c0b6b4a2.exe; procid_target 94
  - description: PID 2468 wrote to memory of 3860; pid 2468; Process c50e61c7d38f4e13613e98b5c0b6b4a2.exe; procid_target 94
  - description: PID 2468 wrote to memory of 3860; pid 2468; Process c50e61c7d38f4e13613e98b5c0b6b4a2.exe; procid_target 94
Processes
- C:\Users\Admin\AppData\Local\Temp\c50e61c7d38f4e13613e98b5c0b6b4a2.exe
  - Command line: "C:\Users\Admin\AppData\Local\Temp\c50e61c7d38f4e13613e98b5c0b6b4a2.exe"
  - PID: 2468
  - Suspicious behavior: RenamesItself
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Users\Admin\AppData\Local\Temp\c50e61c7d38f4e13613e98b5c0b6b4a2.exe
    - Command line: C:\Users\Admin\AppData\Local\Temp\c50e61c7d38f4e13613e98b5c0b6b4a2.exe
    - PID: 3860
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of UnmapMainImage
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  - Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=744 --field-trial-handle=2256,i,6057863739127169200,6895476048812676039,262144 --variations-seed-version /prefetch:8
  - PID: 3136
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 385KB
- MD5: fc431435a46079f46fc745aca366d5cc
- SHA1: c019986a5ca439c3b1a9754dfd3ca7af6863d782
- SHA256: 78b0c1f0dcea4cd4abd5a1611ced2aaaa05ff6cd2adbbfd06094abbd442b9749
- SHA512: 4787c01f4bb25669dfc4a609ff3c8152e71a18c4a8c6014ff3cc423e5c55741269cae55b3b65dd9440a0f33a59779098ca9241b4dab37c859a1453201d02ef2f