Analysis
max time kernel: 148s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18/03/2024, 14:11
Behavioral task: behavioral1
Sample: d3b4fd9d6a4c7d1486613465c4d29d2a.exe
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: d3b4fd9d6a4c7d1486613465c4d29d2a.exe
Resource: win10v2004-20240226-en
General
Target: d3b4fd9d6a4c7d1486613465c4d29d2a.exe
Size: 2.9MB
MD5: d3b4fd9d6a4c7d1486613465c4d29d2a
SHA1: 71c7936be10fb79c4367929755df3081fa738c32
SHA256: 12c6abb41a4d88349c11abc95b1a51081ade7a51f9fdf0ff5ccf5a959537bb62
SHA512: 0fe690a202900b6103681fc9c43497dac455ba7aca51d9c6833e368753f07e678276ae24b06652103e761673a3fa71381ddb211868bbcfa31adf84f0429db42e
SSDEEP: 49152:LP7EHY/0x4MrSguG+EaeUTbk3/prZ/Dnl1+1+MBRpo6oh:77iYsCMr0GCcprZ/+1+M7arh
Malware Config
Signatures
Deletes itself (1 IoC)
pid   Process
112   d3b4fd9d6a4c7d1486613465c4d29d2a.exe

Executes dropped EXE (1 IoC)
pid   Process
112   d3b4fd9d6a4c7d1486613465c4d29d2a.exe

yara_rule matches (3 IoCs)
resource                                                                        yara_rule
behavioral2/memory/2444-0-0x0000000000400000-0x00000000008EF000-memory.dmp      upx
behavioral2/files/0x0007000000023263-11.dat                                     upx
behavioral2/memory/112-12-0x0000000000400000-0x00000000008EF000-memory.dmp      upx

Suspicious behavior: RenamesItself (1 IoC)
pid    Process
2444   d3b4fd9d6a4c7d1486613465c4d29d2a.exe

Suspicious use of UnmapMainImage (2 IoCs)
pid    Process
2444   d3b4fd9d6a4c7d1486613465c4d29d2a.exe
112    d3b4fd9d6a4c7d1486613465c4d29d2a.exe

Suspicious use of WriteProcessMemory (3 IoCs)
description                        pid    Process                                 procid_target
PID 2444 wrote to memory of 112    2444   d3b4fd9d6a4c7d1486613465c4d29d2a.exe    88
PID 2444 wrote to memory of 112    2444   d3b4fd9d6a4c7d1486613465c4d29d2a.exe    88
PID 2444 wrote to memory of 112    2444   d3b4fd9d6a4c7d1486613465c4d29d2a.exe    88
Processes
1. C:\Users\Admin\AppData\Local\Temp\d3b4fd9d6a4c7d1486613465c4d29d2a.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\d3b4fd9d6a4c7d1486613465c4d29d2a.exe"
   PID: 2444
   - Suspicious behavior: RenamesItself
   - Suspicious use of UnmapMainImage
   - Suspicious use of WriteProcessMemory
   2. (child of 1) C:\Users\Admin\AppData\Local\Temp\d3b4fd9d6a4c7d1486613465c4d29d2a.exe
      command line: C:\Users\Admin\AppData\Local\Temp\d3b4fd9d6a4c7d1486613465c4d29d2a.exe
      PID: 112
      - Deletes itself
      - Executes dropped EXE
      - Suspicious use of UnmapMainImage
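The process tree and signatures above describe one chain of behaviour: the sample (PID 2444) spawns a second copy of itself from the same path (PID 112), writes into that child's memory, and the child then deletes a file and runs as a dropped executable. The following is an added example, not part of the tria.ge report, showing how a detection engineer might correlate those three stages over Sysmon-style process events (IDs 1, 10 and 23). The event stream, the parent PID 3000 for explorer.exe, the PROCESS_ALL_ACCESS mask on the access event and the benign cmd.exe chain are all constructed for illustration and are not telemetry from the report.

```python
# Added example (not from the tria.ge report): correlate self-copy spawn,
# cross-process memory write and self-delete into a single finding.
from dataclasses import dataclass
from typing import Optional

# Access rights WriteProcessMemory needs on the target handle.
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
WRITE_MASK = PROCESS_VM_OPERATION | PROCESS_VM_WRITE


@dataclass
class Event:
    """Minimal model of Sysmon event IDs 1 (create), 10 (access), 23 (delete)."""
    kind: str                         # "create" | "access" | "delete"
    pid: int                          # acting process
    image: str                        # acting process image path
    parent_pid: Optional[int] = None  # create: parent PID
    parent_image: Optional[str] = None
    target_pid: Optional[int] = None  # access: process whose handle was opened
    granted_access: int = 0           # access: rights granted on that handle
    path: Optional[str] = None        # delete: file removed


def _same_binary(a: str, b: str) -> bool:
    # Windows paths are case-insensitive.
    return a.lower() == b.lower()


def correlate_self_copy(events: list[Event]) -> list[dict]:
    """Build (parent, child) chains where the child runs from the same path as
    its parent, then record which of the three stages each chain exhibits.
    Chains with only one stage (e.g. cmd.exe launching cmd.exe) are dropped."""
    chains: dict[int, dict] = {}  # child pid -> finding
    for ev in events:
        if ev.kind == "create":
            if ev.parent_image and _same_binary(ev.image, ev.parent_image):
                chains[ev.pid] = {
                    "parent_pid": ev.parent_pid,
                    "child_pid": ev.pid,
                    "image": ev.image,
                    "stages": {"self_copy_spawn"},
                }
        elif ev.kind == "access":
            f = chains.get(ev.target_pid)
            # Parenthesised: '==' binds tighter than '&' in Python.
            if f and f["parent_pid"] == ev.pid and (ev.granted_access & WRITE_MASK) == WRITE_MASK:
                f["stages"].add("memory_write")
        elif ev.kind == "delete":
            for f in chains.values():
                if ev.pid in (f["parent_pid"], f["child_pid"]) and ev.path and _same_binary(ev.path, f["image"]):
                    f["stages"].add("self_delete")
    return [f for f in chains.values() if len(f["stages"]) >= 2]


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\d3b4fd9d6a4c7d1486613465c4d29d2a.exe"
CMD = r"C:\Windows\System32\cmd.exe"

# Constructed event stream approximating the report's process tree (not real telemetry).
EVENTS = [
    Event("create", 2444, SAMPLE, parent_pid=3000, parent_image=r"C:\Windows\explorer.exe"),
    Event("create", 112, SAMPLE, parent_pid=2444, parent_image=SAMPLE),
    Event("access", 2444, SAMPLE, target_pid=112, granted_access=0x1FFFFF),  # PROCESS_ALL_ACCESS
    Event("delete", 112, SAMPLE, path=SAMPLE),
    # Benign noise: a shell spawning a shell, no write access, nothing deleted.
    Event("create", 500, CMD, parent_pid=400, parent_image=CMD),
    Event("access", 400, CMD, target_pid=500, granted_access=0x1000),  # QUERY_LIMITED_INFORMATION
]


def findings() -> list[dict]:
    return correlate_self_copy(EVENTS)


if __name__ == "__main__":
    for f in findings():
        print(f"parent {f['parent_pid']} -> child {f['child_pid']}: {sorted(f['stages'])}")
```

Requiring two of the three stages keeps ordinary self-spawning tools out of the alert while still firing on the full chain the report shows; the write-access check looks only at the bits WriteProcessMemory needs, so a PROCESS_ALL_ACCESS handle matches just as a minimal VM_WRITE|VM_OPERATION one would.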
Network
MITRE ATT&CK Matrix
Downloads
Filesize: 448KB
MD5: d353d61d0a0e988434fbd000982162f3
SHA1: 257863836c11b161eeb4686fd079cc55afcb3b50
SHA256: ab1621f99c379c2846bac29451e494ebe3e27e2d4d0d88e2e051a7c6eb1306de
SHA512: 7c42911f51d83e1e8b31c2b77e8e27209f5aa04ca9662498b6de25fe7017c2020adea5cbc1e64dd9c5c189672a0f06fa7b20005688c21d26f88c223cadfed590