Analysis
- max time kernel: 148s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 14/03/2024, 21:09
Static task: static1
Behavioral task: behavioral1
- Sample: c9a03a5585c527f53c3896a494da9a7a.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: c9a03a5585c527f53c3896a494da9a7a.exe
- Resource: win10v2004-20240226-en
General
- Target: c9a03a5585c527f53c3896a494da9a7a.exe
- Size: 1000KB
- MD5: c9a03a5585c527f53c3896a494da9a7a
- SHA1: d67b21d86bb1a1a158133fa8b72d5346e59d08fd
- SHA256: 40e1b2179a2a33b3dd81164a3d11d29d3b00f76f060acae151233dfcc45db3d8
- SHA512: 2757abf60dd40623dd252ecc26c9b07412e9c6bcd131db9ef4f6e90c93a8b1f85b44fceb3d89a4ae93d04947d7e8543a107f649cc4d814d0667509eed2d54b16
- SSDEEP: 24576:S9pnisPF1SOnZR8aQ2Y+PGAvFA1B+5vMiqt0gj2ed:UiYn78anFKqOL
Malware Config
Signatures
- Deletes itself (1 IoC)
  pid 220, process c9a03a5585c527f53c3896a494da9a7a.exe
- Executes dropped EXE (1 IoC)
  pid 220, process c9a03a5585c527f53c3896a494da9a7a.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
  flow 14, ioc pastebin.com
  flow 16, ioc pastebin.com
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  pid 220, process c9a03a5585c527f53c3896a494da9a7a.exe
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid 4020, process schtasks.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid 220, process c9a03a5585c527f53c3896a494da9a7a.exe
  pid 220, process c9a03a5585c527f53c3896a494da9a7a.exe
- Suspicious behavior: RenamesItself (1 IoC)
  pid 2560, process c9a03a5585c527f53c3896a494da9a7a.exe
- Suspicious use of UnmapMainImage (2 IoCs)
  pid 2560, process c9a03a5585c527f53c3896a494da9a7a.exe
  pid 220, process c9a03a5585c527f53c3896a494da9a7a.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | process | target pid
  PID 2560 wrote to memory of 220 | 2560 | c9a03a5585c527f53c3896a494da9a7a.exe | 89
  PID 2560 wrote to memory of 220 | 2560 | c9a03a5585c527f53c3896a494da9a7a.exe | 89
  PID 2560 wrote to memory of 220 | 2560 | c9a03a5585c527f53c3896a494da9a7a.exe | 89
  PID 220 wrote to memory of 4020 | 220 | c9a03a5585c527f53c3896a494da9a7a.exe | 93
  PID 220 wrote to memory of 4020 | 220 | c9a03a5585c527f53c3896a494da9a7a.exe | 93
  PID 220 wrote to memory of 4020 | 220 | c9a03a5585c527f53c3896a494da9a7a.exe | 93
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\c9a03a5585c527f53c3896a494da9a7a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c9a03a5585c527f53c3896a494da9a7a.exe"
  PID: 2560
  - Suspicious behavior: RenamesItself
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\c9a03a5585c527f53c3896a494da9a7a.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\c9a03a5585c527f53c3896a494da9a7a.exe
    PID: 220
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\c9a03a5585c527f53c3896a494da9a7a.exe" /TN Google_Trk_Updater /F
      PID: 4020
      - Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1000KB
- MD5: 36f631e232f6a56b3ed30b75661cdbe0
- SHA1: a6a5cb177ccc1c7cc31c273901806d7036e66349
- SHA256: a9c197afafa4899040f6683cca93559d4bcbe44b1f6110d88487db4b0ba8d62f
- SHA512: c5fb0e88f36966436a552e59194ca3b81e0b4eefa3dd3fed28b116f9484fd8a0f6ca2cc9770976892a3b48df82f875b1e50a9f711914cd97dd1dd991cbd4e3a9