Analysis
max time kernel: 150s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20240319-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240319-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27/03/2024, 12:14
Behavioral task behavioral1: sample e1a4267c475a0a9a2c92e312246e93d1.exe, resource win7-20240319-en
Behavioral task behavioral2: sample e1a4267c475a0a9a2c92e312246e93d1.exe, resource win10v2004-20240319-en
General
Target: e1a4267c475a0a9a2c92e312246e93d1.exe
Size: 1.3MB
MD5: e1a4267c475a0a9a2c92e312246e93d1
SHA1: bb09a7693bc71f759a96659653e1db802e0699a7
SHA256: b78d97bb58e7aa39565ebee84b814808482b97dc21926420d09c6ed2a2530303
SHA512: 3b7b9ebaa0659c6d8b1dacac2732673ce5acc9d0b4f5c03ef2f52b00faacc301455f21a36a0de873aaaa3f096bcbd3670b83be9037afe11e6ee623790a682d32
SSDEEP: 24576:tLpRbBEIZSWon/RxCroPZe0RcnRdbMfrnRmtmS0HxvG:rRbBEI2n5gAY0RcnbwfrRmy
Malware Config
Signatures
Deletes itself (1 IoCs)
  pid 5020, process e1a4267c475a0a9a2c92e312246e93d1.exe
Executes dropped EXE (1 IoCs)
  pid 5020, process e1a4267c475a0a9a2c92e312246e93d1.exe
yara_rule matches (resource, yara_rule)
  behavioral2/memory/4008-0-0x0000000000400000-0x000000000086A000-memory.dmp, upx
  behavioral2/files/0x0009000000023306-13.dat, upx
  behavioral2/memory/5020-15-0x0000000000400000-0x000000000086A000-memory.dmp, upx
Suspicious behavior: RenamesItself (1 IoCs)
  pid 4008, process e1a4267c475a0a9a2c92e312246e93d1.exe
Suspicious use of UnmapMainImage (2 IoCs)
  pid 4008, process e1a4267c475a0a9a2c92e312246e93d1.exe
  pid 5020, process e1a4267c475a0a9a2c92e312246e93d1.exe
Suspicious use of WriteProcessMemory (3 IoCs)
  description: PID 4008 wrote to memory of 5020; pid 4008, process e1a4267c475a0a9a2c92e312246e93d1.exe, procid_target 94
  description: PID 4008 wrote to memory of 5020; pid 4008, process e1a4267c475a0a9a2c92e312246e93d1.exe, procid_target 94
  description: PID 4008 wrote to memory of 5020; pid 4008, process e1a4267c475a0a9a2c92e312246e93d1.exe, procid_target 94
Processes
C:\Users\Admin\AppData\Local\Temp\e1a4267c475a0a9a2c92e312246e93d1.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\e1a4267c475a0a9a2c92e312246e93d1.exe"
  PID: 4008
  - Suspicious behavior: RenamesItself
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\e1a4267c475a0a9a2c92e312246e93d1.exe
      command line: C:\Users\Admin\AppData\Local\Temp\e1a4267c475a0a9a2c92e312246e93d1.exe
      PID: 5020
      - Deletes itself
      - Executes dropped EXE
      - Suspicious use of UnmapMainImage
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=736 --field-trial-handle=2228,i,17475224967547320003,13667387715861799238,262144 --variations-seed-version /prefetch:8
  PID: 1368
Network
MITRE ATT&CK Matrix
Downloads
Filesize: 1.3MB
MD5: f532419a2fe6db897bcaa61b5bc2bb8a
SHA1: 60db7bfc5bfde34c53b7a8cda437112ae10878ff
SHA256: 2277746601434484a1ef5ed97e6488464d5cd1e6d1e3e2c30d787260287475dc
SHA512: 335eb0bd5024ae9fc5b99549ffd11afb78713772ca8aa3cf4119f8fb4e2646fe32236f12953640568d93cf0830ed6f407c4e92a54d2f67480070ec2e5799c5eb