Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 152s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27/03/2024, 08:04
Behavioral task
- behavioral1: Sample e12df8575bb9020132168fff43ef944c.exe, Resource win7-20240221-en

Note that the analysis fields above (platform windows10-2004_x64, resource win10v2004-20240226-en) and every signature and process entry below are tagged behavioral2, i.e. the Windows 10 run. The behavioral1 (Windows 7) task is listed here but none of its own results appear on this page.
General
- Target: e12df8575bb9020132168fff43ef944c.exe
- Size: 784KB
- MD5: e12df8575bb9020132168fff43ef944c
- SHA1: ef45f086c51045ca528e80c0cf6d6be7d4b2d29a
- SHA256: a2635c452d0d76f137a73a174e5fb69563753df09287006116578591824f9c87
- SHA512: e726a3f4a726fd4f92cbf991988e93dad0406f52cf23e50eb1d2e661d74a196f07e347c5145aca451bbcbec8cb574df1c4dd6d7dce35d1fe42b6aea70d81ea9d
- SSDEEP: 12288:n1AloMXbMjso8ur6qIdX6e0l7Em2/yhgks5SmzDQjymHHAiF:nqeMwQqIdX6e0lGv2mz0jymn9F
Malware Config
Signatures
- XMRig Miner payload (6 IoCs)
  resource | yara_rule
  behavioral2/memory/708-2-0x0000000000400000-0x0000000000593000-memory.dmp | xmrig
  behavioral2/memory/708-12-0x0000000000400000-0x0000000000593000-memory.dmp | xmrig
  behavioral2/memory/3580-15-0x0000000000400000-0x0000000000593000-memory.dmp | xmrig
  behavioral2/memory/3580-20-0x0000000005410000-0x00000000055A3000-memory.dmp | xmrig
  behavioral2/memory/3580-21-0x0000000000400000-0x0000000000587000-memory.dmp | xmrig
  behavioral2/memory/3580-30-0x0000000000400000-0x0000000000587000-memory.dmp | xmrig
- Deletes itself (1 IoC)
  pid 3580, process e12df8575bb9020132168fff43ef944c.exe
- Executes dropped EXE (1 IoC)
  pid 3580, process e12df8575bb9020132168fff43ef944c.exe
- yara rule upx (the signature title is missing from the page; 3 IoCs)
  resource | yara_rule
  behavioral2/memory/708-0-0x0000000000400000-0x0000000000712000-memory.dmp | upx
  behavioral2/files/0x0007000000023246-11.dat | upx
  behavioral2/memory/3580-13-0x0000000000400000-0x0000000000712000-memory.dmp | upx
- Suspicious behavior: RenamesItself (1 IoC)
  pid 708, process e12df8575bb9020132168fff43ef944c.exe
- Suspicious use of UnmapMainImage (2 IoCs)
  pid 708, process e12df8575bb9020132168fff43ef944c.exe
  pid 3580, process e12df8575bb9020132168fff43ef944c.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | process | procid_target
  PID 708 wrote to memory of 3580 | 708 | e12df8575bb9020132168fff43ef944c.exe | 99 (this row is logged three times, one per call)

Reading the memory IoCs in dump order: in both PIDs the upx rule fires first (dump 0 for 708, dump 13 for 3580) over the whole image 0x400000-0x712000, and the xmrig rule fires on later dumps (2 and 15) over the smaller sub-range 0x400000-0x593000 inside it, which is what in-memory unpacking of a UPX-packed miner looks like. The 3580-20 region at 0x5410000-0x55A3000 has the same length (0x193000) as that first xmrig range.
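The signature rows above are flattened by the page extraction, so several IoCs run together on one line. The following parser is an added example, not part of the report or of tria.ge: it splits such a line into memory and file IoCs, groups the yara rule hits per PID, and applies the "packer rule fires on an earlier dump than the payload rule, and the payload region lies inside the packer region" check discussed above. The input string is copied from this report's XMRig and UPX rows; the record and function names are my own.

```python
"""Parse Hatching Triage yara-signature IoC rows into structured records.

Added example, not code from the report or from tria.ge. REPORT_ROWS is built
from the XMRig and UPX signature rows of this report, joined the way the page
extraction joined them.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed input: the nine IoC rows of this report on one line.
REPORT_ROWS = (
    "behavioral2/memory/708-2-0x0000000000400000-0x0000000000593000-memory.dmp xmrig "
    "behavioral2/memory/708-12-0x0000000000400000-0x0000000000593000-memory.dmp xmrig "
    "behavioral2/memory/3580-15-0x0000000000400000-0x0000000000593000-memory.dmp xmrig "
    "behavioral2/memory/3580-20-0x0000000005410000-0x00000000055A3000-memory.dmp xmrig "
    "behavioral2/memory/3580-21-0x0000000000400000-0x0000000000587000-memory.dmp xmrig "
    "behavioral2/memory/3580-30-0x0000000000400000-0x0000000000587000-memory.dmp xmrig "
    "behavioral2/memory/708-0-0x0000000000400000-0x0000000000712000-memory.dmp upx "
    "behavioral2/files/0x0007000000023246-11.dat upx "
    "behavioral2/memory/3580-13-0x0000000000400000-0x0000000000712000-memory.dmp upx"
)

# <task>/memory/<pid>-<dump index>-0x<start>-0x<end>-memory.dmp <rule>
MEMORY_RE = re.compile(
    r"(?P<task>behavioral\d+)/memory/(?P<pid>\d+)-(?P<idx>\d+)-"
    r"0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp\s+(?P<rule>\w+)"
)
# <task>/files/<file id>-<index>.dat <rule>
FILE_RE = re.compile(
    r"(?P<task>behavioral\d+)/files/(?P<fid>0x[0-9A-Fa-f]+)-(?P<idx>\d+)\.dat\s+(?P<rule>\w+)"
)


@dataclass(frozen=True)
class Ioc:
    task: str
    rule: str
    index: int             # dump/file sequence number within the run
    pid: Optional[int]     # None for file IoCs
    start: int = 0         # memory IoCs only
    end: int = 0
    file_id: str = ""      # file IoCs only

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_iocs(text: str) -> List[Ioc]:
    """Extract every memory and file IoC from a flattened signature row, in dump order."""
    iocs = [
        Ioc(m["task"], m["rule"], int(m["idx"]), int(m["pid"]),
            int(m["start"], 16), int(m["end"], 16))
        for m in MEMORY_RE.finditer(text)
    ]
    iocs += [
        Ioc(m["task"], m["rule"], int(m["idx"]), None, file_id=m["fid"])
        for m in FILE_RE.finditer(text)
    ]
    return sorted(iocs, key=lambda i: i.index)


def rules_by_pid(iocs: List[Ioc]) -> Dict[int, Set[str]]:
    """Which yara rules matched in the memory of each PID."""
    out: Dict[int, Set[str]] = {}
    for i in iocs:
        if i.pid is not None:
            out.setdefault(i.pid, set()).add(i.rule)
    return out


def unpacked_in(iocs: List[Ioc], packer: str = "upx", payload: str = "xmrig") -> List[int]:
    """PIDs where the packer rule hit an earlier dump than the payload rule and the
    payload region lies inside the packer region, i.e. the payload appeared after
    in-memory unpacking rather than being mapped as a separate module."""
    hits = []
    for pid in sorted(rules_by_pid(iocs)):
        packed = [i for i in iocs if i.pid == pid and i.rule == packer]
        paid = [i for i in iocs if i.pid == pid and i.rule == payload]
        if not packed or not paid:
            continue
        first_pack = min(packed, key=lambda i: i.index)
        first_pay = min(paid, key=lambda i: i.index)
        if (first_pack.index < first_pay.index
                and first_pack.start <= first_pay.start
                and first_pay.end <= first_pack.end):
            hits.append(pid)
    return hits


if __name__ == "__main__":
    parsed = parse_iocs(REPORT_ROWS)
    print(rules_by_pid(parsed))          # {708: {'upx', 'xmrig'}, 3580: {'upx', 'xmrig'}}
    print(unpacked_in(parsed))           # [708, 3580]
```

The regexes anchor on the fixed `memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp` and `files/<id>-<index>.dat` shapes rather than splitting on whitespace, so the flattened line parses the same as the original one-row-per-line table would.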
Processes
- "C:\Users\Admin\AppData\Local\Temp\e12df8575bb9020132168fff43ef944c.exe" (PID 708, depth 1)
  - Suspicious behavior: RenamesItself
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\e12df8575bb9020132168fff43ef944c.exe (PID 3580, depth 2, child of 708)
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of UnmapMainImage
- "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3956 --field-trial-handle=2356,i,13261194862334667799,7441241219475888176,262144 --variations-seed-version /prefetch:8 (PID 3600, depth 1; a background Edge utility process with no signatures and not under the sample in the tree)

The tree plus the signatures give the execution chain: PID 708 renames itself, launches a second copy of the same image (PID 3580, flagged as a dropped EXE), writes into that child's memory three times, and both processes unmap their main image; the child then deletes itself. The report labels these steps only as "Suspicious use"; it does not name the injection technique.
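As an added example (not from the report or from tria.ge), here is the detection logic an analyst could run over a process-event stream to surface the chain above: a process spawning a child with its own image path and then writing into that child's memory, scored higher when the child also unmaps its main image. The event list is constructed to mirror this report's tree (PIDs 708, 3580 and the unrelated 3600); the event type and field names are my own, not Triage's export schema, and treating the combination as high severity is an analyst judgement rather than a claim the report makes.

```python
"""Flag a process that relaunches its own image and writes into the child's memory.

Added example, not code from the report or from tria.ge. EVENTS is constructed
from this report's process tree and signatures; the schema is hypothetical.
"""
from collections import defaultdict
from typing import Dict, List

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\e12df8575bb9020132168fff43ef944c.exe"
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

# Constructed event stream modelled on the report (ppid 0 = parent not in the tree).
EVENTS: List[Dict] = [
    {"type": "process_create", "pid": 708, "ppid": 0, "image": SAMPLE},
    {"type": "rename_self", "pid": 708},
    {"type": "process_create", "pid": 3580, "ppid": 708, "image": SAMPLE},
    {"type": "write_process_memory", "pid": 708, "target": 3580},
    {"type": "write_process_memory", "pid": 708, "target": 3580},
    {"type": "write_process_memory", "pid": 708, "target": 3580},
    {"type": "unmap_main_image", "pid": 708},
    {"type": "unmap_main_image", "pid": 3580},
    {"type": "delete_self", "pid": 3580},
    {"type": "process_create", "pid": 3600, "ppid": 0, "image": EDGE},
]


def find_self_injection(events: List[Dict]) -> List[Dict]:
    """Return one finding per (parent, child) pair where the parent created a child
    from the same image path and then wrote into the child's memory."""
    procs: Dict[int, Dict] = {}                 # pid -> {"ppid", "image"}
    writes: Dict[tuple, int] = defaultdict(int)  # (writer, target) -> call count
    unmapped, deleted = set(), set()

    for e in events:
        t = e["type"]
        if t == "process_create":
            procs[e["pid"]] = {"ppid": e["ppid"], "image": e["image"]}
        elif t == "write_process_memory":
            writes[(e["pid"], e["target"])] += 1
        elif t == "unmap_main_image":
            unmapped.add(e["pid"])
        elif t == "delete_self":
            deleted.add(e["pid"])

    findings = []
    for child, info in procs.items():
        parent = info["ppid"]
        if parent not in procs:
            continue                                  # parent outside the captured tree
        if procs[parent]["image"].lower() != info["image"].lower():
            continue                                  # ordinary child process, not a relaunch
        n = writes.get((parent, child), 0)
        if n == 0:
            continue                                  # relaunch without injection (e.g. updaters)
        findings.append({
            "parent": parent,
            "child": child,
            "image": info["image"],
            "writes": n,
            "child_unmapped_main_image": child in unmapped,
            "child_deleted_self": child in deleted,
            # Same-image relaunch + remote writes + child unmapping its own image
            # is the shape of hollowing-style injection; without the unmap it is
            # still worth a look but less conclusive.
            "severity": "high" if child in unmapped else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in find_self_injection(EVENTS):
        print(f)   # one finding: 708 -> 3580, 3 writes, severity high
```

The same-image check is what separates this from a generic "parent wrote to child" rule: browsers and updaters write into children they spawn all the time, but they rarely relaunch the identical binary and then overwrite it.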
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 784KB
- MD5: c878113e21f46a79b9b79a2897d227b1
- SHA1: 83c3437de885f49b100f935b30c8876bd07f0405
- SHA256: 8f62d20bcb3966a87dab8283f037c4715193feb49a38eb0035364274f63132f3
- SHA512: 446e07fa09aee6cec4f0b16ec78313055cd9cd59078ed30a6999f9b8e946f56694fea75531a209bde866dce8b63954c68d558cce48be58c5277dd7e0b52ea259

This downloadable file has the same reported size as the submitted sample (784KB) but every hash differs, so it is not a byte-identical copy of the submission. The page does not say which on-disk artifact it is.