Analysis
max time kernel: 138s
max time network: 167s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14/03/2024, 10:27
Static task: static1
Behavioral task: behavioral1
  Sample: c863e36cb0270c9cec1fea46ae6fe0bc.exe
  Resource: win7-20240215-en
Behavioral task: behavioral2
  Sample: c863e36cb0270c9cec1fea46ae6fe0bc.exe
  Resource: win10v2004-20240226-en
General
Target: c863e36cb0270c9cec1fea46ae6fe0bc.exe
Size: 385KB
MD5: c863e36cb0270c9cec1fea46ae6fe0bc
SHA1: 7f080700719a8bf56b250875c8153fdec9559d70
SHA256: 0efe7336e61c0e3fef4f3ec8987700b87444891809a23d714a7f17bf4496ed3f
SHA512: 20ef6e28519f55112c64457f1d119a3ce0d1e7ad4a72532d30c4625f6ef58f7ade26594e7d71de4d2f7dd2a1211f2a8c747fdf27d674829fa21c30340259a4bd
SSDEEP: 12288:z3eGjWPefe67m2Fx7YtVDUjYml1Kwrc+FHn9rJB:z39Kefe67Fx74wUmltrZ9tB
Malware Config
Signatures
Deletes itself (1 IoC)
  pid 4452  c863e36cb0270c9cec1fea46ae6fe0bc.exe
Executes dropped EXE (1 IoC)
  pid 4452  c863e36cb0270c9cec1fea46ae6fe0bc.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
  flow 22  pastebin.com
  flow 23  pastebin.com
Suspicious behavior: RenamesItself (1 IoC)
  pid 4428  c863e36cb0270c9cec1fea46ae6fe0bc.exe
Suspicious use of UnmapMainImage (2 IoCs)
  pid 4428  c863e36cb0270c9cec1fea46ae6fe0bc.exe
  pid 4452  c863e36cb0270c9cec1fea46ae6fe0bc.exe
Suspicious use of WriteProcessMemory (3 IoCs)
  description                          pid   Process                                procid_target
  PID 4428 wrote to memory of 4452     4428  c863e36cb0270c9cec1fea46ae6fe0bc.exe   91
  PID 4428 wrote to memory of 4452     4428  c863e36cb0270c9cec1fea46ae6fe0bc.exe   91
  PID 4428 wrote to memory of 4452     4428  c863e36cb0270c9cec1fea46ae6fe0bc.exe   91
Processes
1. C:\Users\Admin\AppData\Local\Temp\c863e36cb0270c9cec1fea46ae6fe0bc.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\c863e36cb0270c9cec1fea46ae6fe0bc.exe"
   PID: 4428
   - Suspicious behavior: RenamesItself
   - Suspicious use of UnmapMainImage
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\c863e36cb0270c9cec1fea46ae6fe0bc.exe (child of PID 4428)
      Command line: C:\Users\Admin\AppData\Local\Temp\c863e36cb0270c9cec1fea46ae6fe0bc.exe
      PID: 4452
      - Deletes itself
      - Executes dropped EXE
      - Suspicious use of UnmapMainImage
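Added example (not part of the Triage report or its tooling): a small correlation rule that turns the signatures and process tree above into a detection. It flags a parent that spawns a child from the same image path with a different file hash and writes into that child's memory (the RenamesItself / Executes dropped EXE / WriteProcessMemory chain), then checks whether that chain contacted a hosting service the report's signature covers. The events are constructed from the report's IoC tables; the parent's ppid, the benign control process, the benign flow and the use of the Downloads hash as the child image's hash are assumptions, not facts from the page.

```python
"""Correlate process, memory-write and network events into the two behaviours
the report flags: an executable that re-launches itself from the same path as
a different file (RenamesItself / Executes dropped EXE / WriteProcessMemory)
and contact with a paste site from that process chain."""
from collections import defaultdict

# Constructed events modelled on the report's IoC tables. ASSUMPTIONS: the
# parent's ppid (1234), the benign control process (pid 5000), the benign
# flow and the use of the report's Downloads hash as the child image's hash
# are not stated on the page and are made up for the example.
SAMPLE_PATH = r"C:\Users\Admin\AppData\Local\Temp\c863e36cb0270c9cec1fea46ae6fe0bc.exe"
PROCESS_EVENTS = [
    {"pid": 4428, "ppid": 1234, "image": SAMPLE_PATH, "md5": "c863e36cb0270c9cec1fea46ae6fe0bc"},
    {"pid": 4452, "ppid": 4428, "image": SAMPLE_PATH, "md5": "39b16c0a976c90fd6e1cdad4a9f4d2c8"},
    {"pid": 5000, "ppid": 1234, "image": r"C:\Windows\System32\notepad.exe", "md5": "0" * 32},
]
# The report lists the same WriteProcessMemory row three times; keep that shape.
MEMWRITE_EVENTS = [{"src_pid": 4428, "dst_pid": 4452}] * 3
FLOW_EVENTS = [
    {"flow": 22, "pid": 4452, "host": "pastebin.com"},
    {"flow": 23, "pid": 4452, "host": "pastebin.com"},
    {"flow": 24, "pid": 5000, "host": "www.example.com"},  # constructed benign flow
]
# Hosting services the report's signature covers; only the one it names is listed.
ABUSED_HOSTING = {"pastebin.com"}


def find_self_replacement(processes, memwrites):
    """Return (parent_pid, child_pid) pairs where a parent spawned a child from
    the same image path, the child's hash differs from the parent's, and the
    parent wrote into the child's memory. Any one of these alone is common
    (updaters, crash handlers); the conjunction is the report's pattern."""
    by_pid = {p["pid"]: p for p in processes}
    wrote_to = defaultdict(set)
    for w in memwrites:
        wrote_to[w["src_pid"]].add(w["dst_pid"])
    hits = []
    for child in processes:
        parent = by_pid.get(child["ppid"])
        if parent is None:
            continue
        same_image = parent["image"].lower() == child["image"].lower()
        hash_changed = parent["md5"].lower() != child["md5"].lower()
        if same_image and hash_changed and child["pid"] in wrote_to[parent["pid"]]:
            hits.append((parent["pid"], child["pid"]))
    return hits


def hosting_contacts(flows, pids):
    """Flows from the given pids to hosting services the signature covers,
    deduplicated per (pid, host) so repeated flows count once."""
    return sorted({(f["pid"], f["host"]) for f in flows
                   if f["pid"] in pids and f["host"].lower() in ABUSED_HOSTING})


def assess(processes, memwrites, flows):
    """Combine both detections into a score and a list of findings."""
    chains = find_self_replacement(processes, memwrites)
    involved = {pid for pair in chains for pid in pair}
    contacts = hosting_contacts(flows, involved)
    findings = [f"self-replacement: pid {p} spawned pid {c} from the same path with a "
                f"different hash and wrote to its memory" for p, c in chains]
    findings += [f"hosting-service contact: pid {pid} -> {host}" for pid, host in contacts]
    # Weighting is a demonstration choice, not a Triage score.
    return {"score": 2 * len(chains) + len(contacts), "findings": findings}


if __name__ == "__main__":
    result = assess(PROCESS_EVENTS, MEMWRITE_EVENTS, FLOW_EVENTS)
    print("score:", result["score"])
    for line in result["findings"]:
        print(" -", line)
```

The conjunction matters: same-path relaunches and cross-process memory writes each occur in legitimate software, so the rule only fires when the child's hash differs from the parent's and the parent wrote to it, which is what the report's three signatures describe together. The hosting-service check is scoped to pids in a flagged chain so ordinary browsing to pastebin.com by an unrelated process is not counted.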
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 385KB
MD5: 39b16c0a976c90fd6e1cdad4a9f4d2c8
SHA1: 1436107b66eb8060a784d302613f613f591b2f3a
SHA256: 8fbb0e5fad129fb0efde059a39d0c6ad4d677aa5af47843f4fb6921ebe122a5e
SHA512: a8dc53f621e618393c501e34b2a3f6922c36583e71f4454a04a18a3280af5c268332b18c42578adb2e7c6db3f74003b5a8ed234f9d7e5974e34578b427381735