Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
110s -
max time network
152s -
platform
windows11-21h2_x64 -
resource
win11-20240221-en -
resource tags
arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system -
submitted
19/03/2024, 18:51
Behavioral task
behavioral1
Sample
0c3ee3977deb2ab25d67d6b346b7c96497c4ff18b76678ca990b8493f23248a4.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral2
Sample
0c3ee3977deb2ab25d67d6b346b7c96497c4ff18b76678ca990b8493f23248a4.exe
Resource
win11-20240221-en
General
-
Target
0c3ee3977deb2ab25d67d6b346b7c96497c4ff18b76678ca990b8493f23248a4.exe
-
Size
6.8MB
-
MD5
0721b1d0c9c68c18116273f2c293ff21
-
SHA1
dac53205b4ba718542138d90eb56f1641f5807b8
-
SHA256
0c3ee3977deb2ab25d67d6b346b7c96497c4ff18b76678ca990b8493f23248a4
-
SHA512
012ee21fa04e7e361d4565ba81cc8ba256fb48a75cc93c5c6ea1f77f1e69adc3a5c14275dfe358e72b6f41dd67d174c0bbb4ca26d39f9c08168ccbb9d06d3ba9
-
SSDEEP
49152:k92mic7iMnbPvRUAm+ugRkqjR7Q8TOc5KubExvCsNGEgveIXB4IuBNT/IeswF69B:BmP7i+Rf0es5u2BNTAcSE8wIX
Malware Config
Signatures
-
StealthWorker
StealthWorker is golang-based brute force malware.
-
Contacts a large (3570) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchostsw.exe cmd.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchostsw.exe cmd.exe -
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 3288 wrote to memory of 4596 3288 0c3ee3977deb2ab25d67d6b346b7c96497c4ff18b76678ca990b8493f23248a4.exe 79 PID 3288 wrote to memory of 4596 3288 0c3ee3977deb2ab25d67d6b346b7c96497c4ff18b76678ca990b8493f23248a4.exe 79 PID 3288 wrote to memory of 4596 3288 0c3ee3977deb2ab25d67d6b346b7c96497c4ff18b76678ca990b8493f23248a4.exe 79
Processes
-
C:\Users\Admin\AppData\Local\Temp\0c3ee3977deb2ab25d67d6b346b7c96497c4ff18b76678ca990b8493f23248a4.exe"C:\Users\Admin\AppData\Local\Temp\0c3ee3977deb2ab25d67d6b346b7c96497c4ff18b76678ca990b8493f23248a4.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3288 -
C:\Windows\SysWOW64\cmd.execmd /Q /C C:\Users\Admin\AppData\Local\Temp/s.bat2⤵
- Drops startup file
PID:4596
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
323B
MD5e261f419ce27bed18eab2b80657adaba
SHA1ebf5f7ced30ddeabeb5e8f9db7f418101444c7ae
SHA2565333673f7f6f91a2473a4390011f55773173480f49b7f3d2c40c9d58031460aa
SHA51269255304f43c383b3f614f9758c0138fec5d4b5a5cf02258e81f0e1e47b6b97ada77b2d9a409300c2f8ab14c1f1c421a8be55b2d110c55e6452014b486095175