Analysis
max time kernel: 146s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26/03/2024, 15:54
Static task: static1
Behavioral task: behavioral1
  Sample: df8b178699084cd53cec422d5080d46b.exe
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: df8b178699084cd53cec422d5080d46b.exe
  Resource: win10v2004-20240226-en
General
Target: df8b178699084cd53cec422d5080d46b.exe
Size: 385KB
MD5: df8b178699084cd53cec422d5080d46b
SHA1: 26ea033f09583c81b94316da38aec1adef8f9d38
SHA256: 3da2e0cb710d55a0062e25f37e37a4273023374bd6eceb87fee21894d6dcc96e
SHA512: 87c9c7f23622312cee70f92357d8c980521f844c9222fefc2b323189433594f725ea74c1fafbad0f370ae4c2bda4f9020bb1ef138cef80016de4e8ccdec232ab
SSDEEP: 6144:oYtfKTRsMo2S4lwpAViUsDVqtuEoF7bfhl1dj2dWnDDnolnGhNxfLHZfB:mVS4epAVWDkno1z1d6dqninGTxfLFB
Malware Config
Signatures
- Deletes itself (1 IoCs)
  pid 3680, process df8b178699084cd53cec422d5080d46b.exe
- Executes dropped EXE (1 IoCs)
  pid 3680, process df8b178699084cd53cec422d5080d46b.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)
  flow 15, ioc pastebin.com
  flow 31, ioc pastebin.com
- Suspicious behavior: RenamesItself (1 IoCs)
  pid 1492, process df8b178699084cd53cec422d5080d46b.exe
- Suspicious use of UnmapMainImage (2 IoCs)
  pid 1492, process df8b178699084cd53cec422d5080d46b.exe
  pid 3680, process df8b178699084cd53cec422d5080d46b.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  PID 1492 wrote to memory of 3680; pid 1492, process df8b178699084cd53cec422d5080d46b.exe, procid_target 88
  PID 1492 wrote to memory of 3680; pid 1492, process df8b178699084cd53cec422d5080d46b.exe, procid_target 88
  PID 1492 wrote to memory of 3680; pid 1492, process df8b178699084cd53cec422d5080d46b.exe, procid_target 88
Processes
C:\Users\Admin\AppData\Local\Temp\df8b178699084cd53cec422d5080d46b.exe (PID 1492)
  Command line: "C:\Users\Admin\AppData\Local\Temp\df8b178699084cd53cec422d5080d46b.exe"
  - Suspicious behavior: RenamesItself
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  Child process:
  C:\Users\Admin\AppData\Local\Temp\df8b178699084cd53cec422d5080d46b.exe (PID 3680)
    Command line: C:\Users\Admin\AppData\Local\Temp\df8b178699084cd53cec422d5080d46b.exe
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of UnmapMainImage
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 64KB
  MD5: 82f2160fe7aea6f0e259703c8e4c8c0e
  SHA1: 807865c849f511741d74c5ac5cfc6cd9bcaa55cc
  SHA256: 605caa76bf9bc5523e64834d5625f595f475e557335496da1ea3b3d564d46f8e
  SHA512: 4187a4a73d0dc49a7ba61da8af133875da4cb0572d155bcb048b355148c915aed37cd699ef1282e515b111cf76308f4d904740c33d8f10c206059fdb7ce93193