Analysis
- max time kernel: 154s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 14/03/2024, 11:07
Behavioral tasks
- behavioral1: Sample c878362fcdc7b9ecc1e03207f2d27e71.exe, Resource win7-20240221-en
- behavioral2: Sample c878362fcdc7b9ecc1e03207f2d27e71.exe, Resource win10v2004-20240226-en
General
- Target: c878362fcdc7b9ecc1e03207f2d27e71.exe
- Size: 11KB
- MD5: c878362fcdc7b9ecc1e03207f2d27e71
- SHA1: d0e14be590be6428fbea76144a0201eff7bd2b17
- SHA256: 0e84afcd788a721f9584597013f6e7c634baafa7dc0e37bee766f7f00083d817
- SHA512: b4449d0e5b62fe4ecb02801f74fcf9d14758fb493043a26e03a63726d0c47c19eae3542dcfc9dc8ef04626eb2b0b977d6cc14818b06bb18442480ddf24b494d3
- SSDEEP: 192:GjhkFN9teAqlkuxdchqAr+X71vaAXvZgqXYMn3A7VbrE10cp:whknrHikuQe71vfCqXYMnQ7VbgT
Malware Config
Signatures
- Modifies AppInit DLL entries (2 TTPs)
- Executes dropped EXE (1 IoC)
    pid   Process
    1768  cmonosk.exe
- YARA rule matches
    resource                                                                  yara_rule
    behavioral2/memory/4064-0-0x0000000000400000-0x000000000040F000-memory.dmp  upx
    behavioral2/files/0x0008000000023247-4.dat                                upx
    behavioral2/memory/4064-6-0x0000000000400000-0x000000000040F000-memory.dmp  upx
    behavioral2/memory/1768-7-0x0000000000400000-0x000000000040F000-memory.dmp  upx
- Drops file in System32 directory (3 IoCs)
    description                  ioc                                Process
    File created                 C:\Windows\SysWOW64\cmonos.dll     c878362fcdc7b9ecc1e03207f2d27e71.exe
    File created                 C:\Windows\SysWOW64\cmonosk.exe    c878362fcdc7b9ecc1e03207f2d27e71.exe
    File opened for modification C:\Windows\SysWOW64\cmonosk.exe    c878362fcdc7b9ecc1e03207f2d27e71.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
    description                       pid   Process                               procid_target
    PID 4064 wrote to memory of 1768  4064  c878362fcdc7b9ecc1e03207f2d27e71.exe  97
    PID 4064 wrote to memory of 1768  4064  c878362fcdc7b9ecc1e03207f2d27e71.exe  97
    PID 4064 wrote to memory of 1768  4064  c878362fcdc7b9ecc1e03207f2d27e71.exe  97
    PID 4064 wrote to memory of 556   4064  c878362fcdc7b9ecc1e03207f2d27e71.exe  109
    PID 4064 wrote to memory of 556   4064  c878362fcdc7b9ecc1e03207f2d27e71.exe  109
    PID 4064 wrote to memory of 556   4064  c878362fcdc7b9ecc1e03207f2d27e71.exe  109
Processes
- C:\Users\Admin\AppData\Local\Temp\c878362fcdc7b9ecc1e03207f2d27e71.exe (PID 4064)
  Command line: "C:\Users\Admin\AppData\Local\Temp\c878362fcdc7b9ecc1e03207f2d27e71.exe"
  Signatures: Drops file in System32 directory; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmonosk.exe (PID 1768)
      Command line: C:\Windows\system32\cmonosk.exe ˜‰
      Signatures: Executes dropped EXE
    - C:\Windows\SysWOW64\cmd.exe (PID 556)
      Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\c878362fcdc7b9ecc1e03207f2d27e71.exe.bat
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1800)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4160 --field-trial-handle=2304,i,6987730730348465820,3913273227385401271,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 182B
  MD5: 61beee8b91cd28777d26e04eb2eb7ef7
  SHA1: 0296d00dc451a2eba5c0c1e6257d166791e22ad4
  SHA256: 339c7c5c37a2bdfc1a8e4a054b7b0f65e075fe39233c0dde9df98c8d6a473595
  SHA512: db2b1e0f055711cf30d294b35580aa36b0ca1a0f608e81ab0fd573786c0d69ed049ad7ffe0ce88e66882d9fc6d48c356f87a28e2d1d5146ef6b6e5e028495105
- Filesize: 11KB
  MD5: c878362fcdc7b9ecc1e03207f2d27e71
  SHA1: d0e14be590be6428fbea76144a0201eff7bd2b17
  SHA256: 0e84afcd788a721f9584597013f6e7c634baafa7dc0e37bee766f7f00083d817
  SHA512: b4449d0e5b62fe4ecb02801f74fcf9d14758fb493043a26e03a63726d0c47c19eae3542dcfc9dc8ef04626eb2b0b977d6cc14818b06bb18442480ddf24b494d3