Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
145s -
max time network
49s -
platform
windows10-2004_x64 -
resource
win10v2004-20240419-en -
resource tags
arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system -
submitted
01/05/2024, 03:57
Static task
static1
Behavioral task
behavioral1
Sample
d9ea075afe92c246a49e86b9b763d8e859c6d611275a628d982398b62bf1d6ea.exe
Resource
win7-20240419-en
Behavioral task
behavioral2
Sample
d9ea075afe92c246a49e86b9b763d8e859c6d611275a628d982398b62bf1d6ea.exe
Resource
win10v2004-20240419-en
General
-
Target
d9ea075afe92c246a49e86b9b763d8e859c6d611275a628d982398b62bf1d6ea.exe
-
Size
94KB
-
MD5
51c2e02f5852ddf202ddd3bfc3f80cb4
-
SHA1
0832b2959d15068bc87ae7f36b1098e244b73851
-
SHA256
d9ea075afe92c246a49e86b9b763d8e859c6d611275a628d982398b62bf1d6ea
-
SHA512
bc38921bae56393ded4aafca4e276c5ff9082d7255236cbbf8eb2377a3557b4da1c653fa7a9023754991fab423852f6ac67c0ce355c6b4539bfbdbe7785e84e9
-
SSDEEP
1536:tF0AJELoJHG9qa+oa33KJJzAKWYr0v7iJSzIRXKTzRZICrWaGZh7kr:tiAyLN9qa+oEGrWViJSzIR6JJrWNZqr
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 3672 WwanSvc.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Window Update = "\"C:\\ProgramData\\Update\\WwanSvc.exe\" /run" d9ea075afe92c246a49e86b9b763d8e859c6d611275a628d982398b62bf1d6ea.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 3264 wrote to memory of 3672 3264 d9ea075afe92c246a49e86b9b763d8e859c6d611275a628d982398b62bf1d6ea.exe 83 PID 3264 wrote to memory of 3672 3264 d9ea075afe92c246a49e86b9b763d8e859c6d611275a628d982398b62bf1d6ea.exe 83 PID 3264 wrote to memory of 3672 3264 d9ea075afe92c246a49e86b9b763d8e859c6d611275a628d982398b62bf1d6ea.exe 83
Processes
-
C:\Users\Admin\AppData\Local\Temp\d9ea075afe92c246a49e86b9b763d8e859c6d611275a628d982398b62bf1d6ea.exe"C:\Users\Admin\AppData\Local\Temp\d9ea075afe92c246a49e86b9b763d8e859c6d611275a628d982398b62bf1d6ea.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3264 -
C:\ProgramData\Update\WwanSvc.exe"C:\ProgramData\Update\WwanSvc.exe" /run2⤵
- Executes dropped EXE
PID:3672
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
94KB
MD5318cf2d9790ca04579f73ad1729229c5
SHA1489b6746444c7269e65d9ffeafe054b56062ce5e
SHA256e734dc2321970a60ac14b053e46760bc740080964d560265857ca11032740229
SHA512d21320120cbc479a4d043f15307ef7a29d20407a4a10bf49b3994476eb8a8440aa3e97634bdb40275b244b497eba3f66e62b200d53d19153b7f1feee49a072a5