Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
submitted: 27/03/2024, 08:06
Static task: static1
Behavioral task: behavioral1 (sample e12e8211fd7aa4ec90c04cd049378394.exe, resource win7-20240221-en)
Behavioral task: behavioral2 (sample e12e8211fd7aa4ec90c04cd049378394.exe, resource win10v2004-20240226-en)
General
Target: e12e8211fd7aa4ec90c04cd049378394.exe
Size: 506KB
MD5: e12e8211fd7aa4ec90c04cd049378394
SHA1: 055533f5b931266101bdb537b9d77fba0d970f4f
SHA256: e69cc790154a4fc4f19d19531fce11b976352488d95119e02a6ead2566b2144e
SHA512: 0dd785d082f09e4957a2f39f708d4b927b5b8d48dc4a8c0a78353432c3b824438f1665108bd8d52816db9e9fcd23ffbcf3fe6af25ae1fa2e0a68615065c1428f
SSDEEP: 12288:hCsv136HWZdpfkfdn2mkC7pO+do7/aqptdIJf/kIlR:hCmvdsdps7tHY/D
Malware Config
Signatures

Deletes itself (1 IoC)
pid   Process
2008  e12e8211fd7aa4ec90c04cd049378394.exe

Executes dropped EXE (1 IoC)
pid   Process
2008  e12e8211fd7aa4ec90c04cd049378394.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
flow  ioc
37    pastebin.com
42    pastebin.com

Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
pid   Process
2008  e12e8211fd7aa4ec90c04cd049378394.exe

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution. In this run the task (Google_Trk_Updater) re-launches the sample from the user's Temp directory at every logon with /RL HIGHEST, as shown in the process tree below.
pid   Process
1928  schtasks.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid   Process
2008  e12e8211fd7aa4ec90c04cd049378394.exe
2008  e12e8211fd7aa4ec90c04cd049378394.exe

Suspicious behavior: RenamesItself (1 IoC)
pid   Process
3672  e12e8211fd7aa4ec90c04cd049378394.exe

Suspicious use of UnmapMainImage (2 IoCs)
pid   Process
3672  e12e8211fd7aa4ec90c04cd049378394.exe
2008  e12e8211fd7aa4ec90c04cd049378394.exe

Suspicious use of WriteProcessMemory (6 IoCs)
description                       pid   Process                               procid_target
PID 3672 wrote to memory of 2008  3672  e12e8211fd7aa4ec90c04cd049378394.exe  89
PID 3672 wrote to memory of 2008  3672  e12e8211fd7aa4ec90c04cd049378394.exe  89
PID 3672 wrote to memory of 2008  3672  e12e8211fd7aa4ec90c04cd049378394.exe  89
PID 2008 wrote to memory of 1928  2008  e12e8211fd7aa4ec90c04cd049378394.exe  93
PID 2008 wrote to memory of 1928  2008  e12e8211fd7aa4ec90c04cd049378394.exe  93
PID 2008 wrote to memory of 1928  2008  e12e8211fd7aa4ec90c04cd049378394.exe  93
The first three writes go from the initial instance (3672) into the second instance of the same image (2008); the last three go from 2008 into its schtasks.exe child (1928).
Processes

1. C:\Users\Admin\AppData\Local\Temp\e12e8211fd7aa4ec90c04cd049378394.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\e12e8211fd7aa4ec90c04cd049378394.exe"
   PID: 3672
   - Suspicious behavior: RenamesItself
   - Suspicious use of UnmapMainImage
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\e12e8211fd7aa4ec90c04cd049378394.exe (child of 3672)
      Command line: C:\Users\Admin\AppData\Local\Temp\e12e8211fd7aa4ec90c04cd049378394.exe
      PID: 2008
      - Deletes itself
      - Executes dropped EXE
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of UnmapMainImage
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\schtasks.exe (child of 2008)
         Command line: schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\e12e8211fd7aa4ec90c04cd049378394.exe" /TN Google_Trk_Updater /F
         PID: 1928
         - Creates scheduled task(s)
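As an added example that is not part of the Triage report: a small Python triage check that parses schtasks.exe command lines from constructed process-creation records and flags the combination seen in this process tree (a /CREATE with a logon trigger, /RL HIGHEST, /F, and an action that lives in a user-writable directory). The first record reproduces the command line of PID 1928 above; the other two are made-up benign controls. The record shape, the directory list in `_USER_WRITABLE`, and the scoring threshold are this example's own assumptions, not Triage's detection logic.

```python
"""Triage check for schtasks.exe persistence of the kind shown in this report.

Added example, not part of the Triage report. Records, directory list and
scoring threshold are assumptions made for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed process-creation records (pid, parent pid, image, command line).
SAMPLE_EVENTS = [
    {   # constructed: mirrors PID 1928 in the process tree above
        "pid": 1928, "ppid": 2008,
        "image": r"C:\Windows\SysWOW64\schtasks.exe",
        "cmdline": r'schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\e12e8211fd7aa4ec90c04cd049378394.exe" /TN Google_Trk_Updater /F',
    },
    {   # constructed benign control: daily task from Program Files, no elevated run level
        "pid": 4412, "ppid": 1200,
        "image": r"C:\Windows\System32\schtasks.exe",
        "cmdline": r'schtasks.exe /CREATE /SC DAILY /ST 03:00 /TR "C:\Program Files\Vendor\updater.exe" /TN VendorUpdate',
    },
    {   # constructed benign control: a logon trigger alone is common for legitimate tray apps
        "pid": 5120, "ppid": 1200,
        "image": r"C:\Windows\System32\schtasks.exe",
        "cmdline": r'schtasks.exe /CREATE /SC ONLOGON /TR "C:\Program Files\Vendor\tray.exe" /TN VendorTray',
    },
]

# Either a double-quoted run (group 1) or a bare whitespace-free token (group 2).
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')

# Directories a standard user can write to (assumed list); an action here is the strong signal.
_USER_WRITABLE = re.compile(
    r"\\(Users\\[^\\]+\\AppData|Users\\Public|ProgramData|Windows\\Temp)\\", re.IGNORECASE
)


def tokenize(cmdline: str) -> list[str]:
    """Split a Windows command line on whitespace, keeping double-quoted paths whole."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(cmdline)]


def parse_switches(cmdline: str) -> dict[str, str]:
    """Map each /SWITCH (upper-cased) to its value; bare flags such as /F map to ''."""
    tokens = tokenize(cmdline)
    switches: dict[str, str] = {}
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("/"):
            value = ""
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
                value = tokens[i + 1]
                i += 1
            switches[tok[1:].upper()] = value
        i += 1
    return switches


@dataclass
class Verdict:
    suspicious: bool
    task_name: str = ""
    action: str = ""
    reasons: list[str] = field(default_factory=list)


def assess(event: dict) -> Verdict:
    """Score one record; only schtasks.exe /CREATE invocations are considered."""
    if not event["image"].lower().endswith("\\schtasks.exe"):
        return Verdict(False)
    sw = parse_switches(event["cmdline"])
    if "CREATE" not in sw:
        return Verdict(False)
    action, reasons = sw.get("TR", ""), []
    path_hit = bool(_USER_WRITABLE.search(action))
    if path_hit:
        reasons.append("action runs from a user-writable directory")
    if sw.get("RL", "").upper() == "HIGHEST":
        reasons.append("/RL HIGHEST requests the highest available run level")
    if sw.get("SC", "").upper() in {"ONLOGON", "ONSTART"}:
        reasons.append(f"/SC {sw['SC']} re-runs the action at every logon/boot")
    if "F" in sw:
        reasons.append("/F silently replaces an existing task of the same name")
    # Threshold (assumed): a user-writable action plus any supporting indicator,
    # or three indicators on their own.
    suspicious = (path_hit and len(reasons) >= 2) or len(reasons) >= 3
    return Verdict(suspicious, sw.get("TN", ""), action, reasons)


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        v = assess(ev)
        label = "SUSPICIOUS" if v.suspicious else "ok"
        print(f"pid {ev['pid']} (parent {ev['ppid']}): {label} task={v.task_name!r}")
        for r in v.reasons:
            print("   -", r)
```

The tokenizer deliberately avoids shlex, whose POSIX mode treats backslashes in unquoted Windows paths as escapes; the hand-rolled regex keeps a quoted /TR path intact so the directory check sees the real location. The logon-only control shows why a single indicator should not fire on its own: legitimate software schedules ONLOGON tasks routinely, but rarely from %TEMP% with the highest run level.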
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 506KB
MD5: 7266537fa6da161cd52258170b0180ec
SHA1: 98ac25f2feda40938d674e2cd30f3c364fc82cd2
SHA256: 3f08da52204efc4850d9a20756f6862fc17d1aa4fc84140442f60b8d0fd08254
SHA512: 9dfe4ba0f3fbe309c8075f91fdb1cb08740d4f39573db89a121c9c1984ef9bce93ace31be475a14b9f17d4941a4cc4c8691dd3d243ca1bf16ec2ee690c6fb09b
This dropped file has the same reported size as the submitted sample but different hashes, so it is not a byte-identical copy of the original.