Analysis
Max time kernel: 145s
Max time network: 149s
Platform: windows10-2004_x64
Resource: win10v2004-20231215-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 19/03/2024, 10:50
Static task: static1
Behavioral task: behavioral1
  Sample: d5ed4a3a224d5d11c4e76addbe7521b6.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: d5ed4a3a224d5d11c4e76addbe7521b6.exe
  Resource: win10v2004-20231215-en
General
Target: d5ed4a3a224d5d11c4e76addbe7521b6.exe
Size: 506KB
MD5: d5ed4a3a224d5d11c4e76addbe7521b6
SHA1: d80e383b1d3be309747192a78e8fcb40633516de
SHA256: 08618c093dd700ad82e25951f939f20760a3de7538f2c102e71bb33e0038c465
SHA512: 77512ac60bfd0ab0b1c681482b437a48cb5078406fba8f6f4cc8717a95a88738eea0d8571f901d0ed1c126718783a6300f4f5883e458b2ddd6c22c34209627e0
SSDEEP: 6144:/LFumn+U1yFVeBjSU5jpL0C2Y+qOk8rE/8nBr2kYwl5R7rOmzg7xK8dyq7m363tx:Bu2+UhSCL0CL8QUcBqRnpExpyqs5s58W
Malware Config
Signatures
Deletes itself (1 IoC)
  PID 4692  d5ed4a3a224d5d11c4e76addbe7521b6.exe
Executes dropped EXE (1 IoC)
  PID 4692  d5ed4a3a224d5d11c4e76addbe7521b6.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
  Flow 8   pastebin.com
  Flow 14  pastebin.com
Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  PID 4692  d5ed4a3a224d5d11c4e76addbe7521b6.exe
Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID 1616  schtasks.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 4692  d5ed4a3a224d5d11c4e76addbe7521b6.exe (2 events)
Suspicious behavior: RenamesItself (1 IoC)
  PID 4492  d5ed4a3a224d5d11c4e76addbe7521b6.exe
Suspicious use of UnmapMainImage (2 IoCs)
  PID 4492  d5ed4a3a224d5d11c4e76addbe7521b6.exe
  PID 4692  d5ed4a3a224d5d11c4e76addbe7521b6.exe
Suspicious use of WriteProcessMemory (6 IoCs)
  Description                          | Source PID | Source process                          | Target procid
  PID 4492 wrote to memory of 4692 (x3) | 4492       | d5ed4a3a224d5d11c4e76addbe7521b6.exe    | 87
  PID 4692 wrote to memory of 1616 (x3) | 4692       | d5ed4a3a224d5d11c4e76addbe7521b6.exe    | 88
Processes
1. C:\Users\Admin\AppData\Local\Temp\d5ed4a3a224d5d11c4e76addbe7521b6.exe  (PID 4492)
   Command line: "C:\Users\Admin\AppData\Local\Temp\d5ed4a3a224d5d11c4e76addbe7521b6.exe"
   - Suspicious behavior: RenamesItself
   - Suspicious use of UnmapMainImage
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\d5ed4a3a224d5d11c4e76addbe7521b6.exe  (PID 4692, child of 4492)
      Command line: C:\Users\Admin\AppData\Local\Temp\d5ed4a3a224d5d11c4e76addbe7521b6.exe
      - Deletes itself
      - Executes dropped EXE
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of UnmapMainImage
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\schtasks.exe  (PID 1616, child of 4692)
         Command line: schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\d5ed4a3a224d5d11c4e76addbe7521b6.exe" /TN Google_Trk_Updater /F
         - Creates scheduled task(s)
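The schtasks command line in the process tree is the persistence artifact worth hunting for: a task named to look like a vendor updater, triggered at every logon (/SC ONLOGON), requesting the highest run level (/RL HIGHEST), pointing at a payload under the user's AppData\Local\Temp, and created with /F so it silently replaces any task of the same name. The following is an added example and not part of the tria.ge report or its tooling: a small Python rule that parses schtasks command lines from process-creation telemetry and scores them. The event records and the three benign or near-miss command lines are constructed here for the demo; only the first command line is the one the report shows. The rule generalizes beyond this sample by also flagging payloads staged in other user-writable directories and the ONSTART trigger.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed process-creation events (not taken from the report's own logs).
# Event 1 reproduces the command line shown in the report; events 2-4 are
# constructed benign / near-miss cases to exercise the rule.
SAMPLE_EVENTS = [
    {"pid": 1616, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmd": r'schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\d5ed4a3a224d5d11c4e76addbe7521b6.exe" /TN Google_Trk_Updater /F'},
    {"pid": 2201, "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": r'schtasks.exe /CREATE /SC DAILY /TR "C:\Program Files\Vendor\updater.exe" /TN VendorUpdate'},
    {"pid": 2304, "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": r'schtasks.exe /QUERY /TN Google_Trk_Updater'},
    {"pid": 2410, "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": r'schtasks.exe /CREATE /SC ONLOGON /TR "C:\Users\Admin\AppData\Roaming\x\run.exe" /TN Up /F'},
]

# Quoted strings stay together, everything else splits on whitespace.
TOKEN_RE = re.compile(r'"[^"]*"|\S+')

# Directories a standard user can write to. A persistence payload staged here
# rather than under Program Files is the strongest single indicator.
USER_WRITABLE_RE = re.compile(
    r"\\(?:AppData\\(?:Local|Roaming)|Users\\Public|ProgramData|Temp)\\", re.IGNORECASE)


def parse_schtasks(cmd: str) -> dict:
    """Map a schtasks command line to {SWITCH: value or None}; switches upper-cased."""
    tokens = [t.strip('"') for t in TOKEN_RE.findall(cmd)]
    opts = {}
    i = 1  # tokens[0] is the program name
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("/"):
            nxt = tokens[i + 1] if i + 1 < len(tokens) else None
            if nxt is not None and not nxt.startswith("/"):
                opts[tok[1:].upper()] = nxt   # switch with an argument (/TR, /TN, /SC, /RL)
                i += 2
            else:
                opts[tok[1:].upper()] = None  # bare flag (/CREATE, /F)
                i += 1
        else:
            i += 1
    return opts


@dataclass
class Finding:
    pid: int
    task_name: str
    payload: str
    score: int
    reasons: list = field(default_factory=list)


def assess(event: dict, threshold: int = 3) -> Optional[Finding]:
    """Score one schtasks invocation; return a Finding when it reaches the threshold."""
    opts = parse_schtasks(event["cmd"])
    if "CREATE" not in opts and "CHANGE" not in opts:
        return None  # only creating or modifying a task can establish persistence
    payload = opts.get("TR") or ""
    score, reasons = 0, []
    if USER_WRITABLE_RE.search(payload):
        score += 2; reasons.append("payload runs from a user-writable directory")
    if (opts.get("SC") or "").upper() in ("ONLOGON", "ONSTART"):
        score += 1; reasons.append(f"trigger /SC {opts['SC'].upper()}")
    if (opts.get("RL") or "").upper() == "HIGHEST":
        score += 1; reasons.append("/RL HIGHEST requests the highest available run level")
    if "F" in opts:
        score += 1; reasons.append("/F overwrites an existing task of the same name")
    if score < threshold:
        return None
    return Finding(event["pid"], opts.get("TN") or "", payload, score, reasons)


def hunt(events) -> list:
    """Run the rule over a list of process-creation events."""
    return [f for f in (assess(e) for e in events) if f is not None]


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"PID {f.pid} task={f.task_name!r} score={f.score} -> {f.payload}")
        for r in f.reasons:
            print("   -", r)
```

The same checks apply to tasks already registered on a host: enumerate them and inspect each action's executable path and trigger with the rules above, since a logon-triggered task whose action lives under a user profile is rarely legitimate software.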
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 506KB (same size as the submitted sample, but different hashes)
  MD5: 0c9c8da6b1ebaa14608ae2d630801b83
  SHA1: 3397ee96d5551a3d403f2be9c7021d81dd270ca8
  SHA256: 4f0c8e1ff35764abc89ca64d067ed801b6ddf6f69580990d22a0137c08c2423d
  SHA512: f10f77560a0505a88314bb8164548775673269d239bace4dd2d0e3288263f17ef57e887f6e06d0f4394b2cacc6f0a5eaa6072d0b722f781ea374824c24403150