Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19/03/2024, 09:44
Static task
- static1
Behavioral task
- behavioral1
  Sample: d5cdbd89ff6d1620095878aa8f2628ef.exe
  Resource: win7-20240221-en
Behavioral task
- behavioral2
  Sample: d5cdbd89ff6d1620095878aa8f2628ef.exe
  Resource: win10v2004-20240226-en
General
- Target: d5cdbd89ff6d1620095878aa8f2628ef.exe
- Size: 385KB
- MD5: d5cdbd89ff6d1620095878aa8f2628ef
- SHA1: 5872ec422909b9a4f3e9d8ba953e37cf1faf2322
- SHA256: 45001469f7f6ae681eb6627f55f85d8bc61246f8320df8600b884fe2f3e41be6
- SHA512: fa6c5675260b0aab993bbadcba588e6e1fb55734a0ea20ecf429897483a9a985789821060a093eda7cc95c80dc4a77717e0fd396656a02dc727d6ee7cb21d6f4
- SSDEEP: 6144:kuwMBCCOIgY1zlPFEZy9TpAjXNW/ubVGE1Oz7BO8cd3Mi3lPyB:kucYh3EGVAUUVGLz1cd3Mi3oB
Malware Config
Signatures
- Deletes itself (1 IoC)
  pid 1884, process d5cdbd89ff6d1620095878aa8f2628ef.exe
- Executes dropped EXE (1 IoC)
  pid 1884, process d5cdbd89ff6d1620095878aa8f2628ef.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
  flow 10, ioc pastebin.com
  flow 22, ioc pastebin.com
- Suspicious behavior: RenamesItself (1 IoC)
  pid 720, process d5cdbd89ff6d1620095878aa8f2628ef.exe
- Suspicious use of UnmapMainImage (2 IoCs)
  pid 720, process d5cdbd89ff6d1620095878aa8f2628ef.exe
  pid 1884, process d5cdbd89ff6d1620095878aa8f2628ef.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description: PID 720 wrote to memory of 1884; pid 720, process d5cdbd89ff6d1620095878aa8f2628ef.exe, procid_target 88
  description: PID 720 wrote to memory of 1884; pid 720, process d5cdbd89ff6d1620095878aa8f2628ef.exe, procid_target 88
  description: PID 720 wrote to memory of 1884; pid 720, process d5cdbd89ff6d1620095878aa8f2628ef.exe, procid_target 88
Processes
- C:\Users\Admin\AppData\Local\Temp\d5cdbd89ff6d1620095878aa8f2628ef.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\d5cdbd89ff6d1620095878aa8f2628ef.exe"
  - Suspicious behavior: RenamesItself
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID: 720
  - C:\Users\Admin\AppData\Local\Temp\d5cdbd89ff6d1620095878aa8f2628ef.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\d5cdbd89ff6d1620095878aa8f2628ef.exe
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of UnmapMainImage
    PID: 1884
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 385KB
  MD5: 72976f5c8e017cc819f51ca093ee9390
  SHA1: fbf3dd09ff27a2f63e58579ea84d8fa8d73f1c25
  SHA256: 657cc1c3534231e53c245e4b3255f41b8c7cf1201a3bb2085f5322cff82cf387
  SHA512: db127e42646cce474118179a74f08972fce100b775e5eb944cfdc0e551adc430121210e4bf83fddadfb04972ccbe1b3790e8ca83ed2f05bddfb1145285dd205a