Analysis
- max time kernel: 147s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 14/03/2024, 03:28
Static task: static1
Behavioral task: behavioral1
- Sample: c79292195039202bf56f39b462f5b017.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: c79292195039202bf56f39b462f5b017.exe
- Resource: win10v2004-20240226-en
General
- Target: c79292195039202bf56f39b462f5b017.exe
- Size: 385KB
- MD5: c79292195039202bf56f39b462f5b017
- SHA1: daef4e0a17a7bca2125be42cc7e7b9f403391086
- SHA256: 6c6584bc84e6d9aa95a6caba991ce086e07a35f5c885598d907501f7dee9eb91
- SHA512: 2d62b52e0759af99ef2789020ba908bae97796707c10b37e2c8fdfdf620cd036c96b2a1f01f590fffee3dc71bd34f6201d97ec6259ee322db1f922c150768853
- SSDEEP: 6144:U1OR32NJg3B2w/4+xbeoaMy6KohtoWynJMylGtWcwiCH8CfUajLIEB:U1xNJg3BJ/4odDJboWyJJUelsEB
Malware Config
Signatures
- Deletes itself (1 IoC)
  pid 4888, process c79292195039202bf56f39b462f5b017.exe
- Executes dropped EXE (1 IoC)
  pid 4888, process c79292195039202bf56f39b462f5b017.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
  flow 16: pastebin.com
  flow 17: pastebin.com
- Suspicious behavior: RenamesItself (1 IoC)
  pid 1112, process c79292195039202bf56f39b462f5b017.exe
- Suspicious use of UnmapMainImage (2 IoCs)
  pid 1112, process c79292195039202bf56f39b462f5b017.exe
  pid 4888, process c79292195039202bf56f39b462f5b017.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description: PID 1112 wrote to memory of 4888; pid 1112, process c79292195039202bf56f39b462f5b017.exe, procid_target 91 (3 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\c79292195039202bf56f39b462f5b017.exe (PID 1112)
  command line: "C:\Users\Admin\AppData\Local\Temp\c79292195039202bf56f39b462f5b017.exe"
  - Suspicious behavior: RenamesItself
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  - child: C:\Users\Admin\AppData\Local\Temp\c79292195039202bf56f39b462f5b017.exe (PID 4888)
    command line: C:\Users\Admin\AppData\Local\Temp\c79292195039202bf56f39b462f5b017.exe
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of UnmapMainImage
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 385KB
  MD5: a1b7b4682efc92f813caa2c7bfad4736
  SHA1: b905c8ebd4fa6522cc165328fc721df10ca58a9b
  SHA256: e69b17f4825c9df0af83ffd2228642b36660f5cff8e93a0424ac1825033a6be7
  SHA512: aed84067bbb4e5371166af82ed553fed08a692bed7d10cc0fa645b8819f1ccdb958429b9f1b988dd5f6d1b23b48068ced1aa6a6a3bd1e6471cc83dcfb9d9719a