Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
133s -
max time network
164s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
08/05/2024, 22:00 UTC
Behavioral task
behavioral1
Sample
4677a35d7f9992e22cfbc49699808de902ac391da4c05e9068df674169a2fea2.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
4677a35d7f9992e22cfbc49699808de902ac391da4c05e9068df674169a2fea2.exe
Resource
win10v2004-20240226-en
General
-
Target
4677a35d7f9992e22cfbc49699808de902ac391da4c05e9068df674169a2fea2.exe
-
Size
134KB
-
MD5
003aa94b5d59d463ad71112c54a8d06c
-
SHA1
03cbd26d4465c120ffb882947524aa49f5898dbb
-
SHA256
4677a35d7f9992e22cfbc49699808de902ac391da4c05e9068df674169a2fea2
-
SHA512
30ae8f06f9f177b789b9db75c3469927daafe17c3c75974f24e4faaf1bbbf60c3b9257bd08e99720bd106143d7fb40dadcc6bd377a9ff041d4db583aeb45048d
-
SSDEEP
1536:rF0AJELopHG9aa+9qX3apJzAKWYr0v7ioy6paK2AZqMIK7aGZh38Qa:riAyLN9aa+9U2rW1ip6pr2At7NZuQa
Malware Config
Signatures
-
UPX dump on OEP (original entry point) 5 IoCs
resource yara_rule behavioral2/memory/5112-0-0x0000000000200000-0x0000000000228000-memory.dmp UPX behavioral2/files/0x0008000000023263-3.dat UPX behavioral2/memory/1996-4-0x0000000000200000-0x0000000000228000-memory.dmp UPX behavioral2/memory/5112-6-0x0000000000200000-0x0000000000228000-memory.dmp UPX behavioral2/memory/1996-7-0x0000000000200000-0x0000000000228000-memory.dmp UPX -
Executes dropped EXE 1 IoCs
pid Process 1996 WwanSvc.exe -
resource yara_rule behavioral2/memory/5112-0-0x0000000000200000-0x0000000000228000-memory.dmp upx behavioral2/files/0x0008000000023263-3.dat upx behavioral2/memory/1996-4-0x0000000000200000-0x0000000000228000-memory.dmp upx behavioral2/memory/5112-6-0x0000000000200000-0x0000000000228000-memory.dmp upx behavioral2/memory/1996-7-0x0000000000200000-0x0000000000228000-memory.dmp upx -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Window Update = "\"C:\\ProgramData\\Update\\WwanSvc.exe\" /run" 4677a35d7f9992e22cfbc49699808de902ac391da4c05e9068df674169a2fea2.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 5112 wrote to memory of 1996 5112 4677a35d7f9992e22cfbc49699808de902ac391da4c05e9068df674169a2fea2.exe 91 PID 5112 wrote to memory of 1996 5112 4677a35d7f9992e22cfbc49699808de902ac391da4c05e9068df674169a2fea2.exe 91 PID 5112 wrote to memory of 1996 5112 4677a35d7f9992e22cfbc49699808de902ac391da4c05e9068df674169a2fea2.exe 91
Processes
-
C:\Users\Admin\AppData\Local\Temp\4677a35d7f9992e22cfbc49699808de902ac391da4c05e9068df674169a2fea2.exe"C:\Users\Admin\AppData\Local\Temp\4677a35d7f9992e22cfbc49699808de902ac391da4c05e9068df674169a2fea2.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5112 -
C:\ProgramData\Update\WwanSvc.exe"C:\ProgramData\Update\WwanSvc.exe" /run2⤵
- Executes dropped EXE
PID:1996
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=2996 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:81⤵PID:1976
Network
-
Remote address:8.8.8.8:53Request209.205.72.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request101.58.20.217.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request95.221.229.192.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request75.159.190.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request183.59.114.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request56.126.166.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request25.14.97.104.in-addr.arpaIN PTRResponse25.14.97.104.in-addr.arpaIN PTRa104-97-14-25deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request133.211.185.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request241.150.49.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request13.227.111.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request172.210.232.199.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request159.113.53.23.in-addr.arpaIN PTRResponse159.113.53.23.in-addr.arpaIN PTRa23-53-113-159deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request41.173.79.40.in-addr.arpaIN PTRResponse
-
72 B 158 B 1 1
DNS Request
209.205.72.20.in-addr.arpa
-
72 B 132 B 1 1
DNS Request
101.58.20.217.in-addr.arpa
-
73 B 144 B 1 1
DNS Request
95.221.229.192.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
75.159.190.20.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
183.59.114.20.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
56.126.166.20.in-addr.arpa
-
71 B 135 B 1 1
DNS Request
25.14.97.104.in-addr.arpa
-
73 B 147 B 1 1
DNS Request
133.211.185.52.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
241.150.49.20.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
13.227.111.52.in-addr.arpa
-
74 B 128 B 1 1
DNS Request
172.210.232.199.in-addr.arpa
-
72 B 137 B 1 1
DNS Request
159.113.53.23.in-addr.arpa
-
71 B 145 B 1 1
DNS Request
41.173.79.40.in-addr.arpa
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
134KB
MD52193a335abe96f7afbcea2c6d47f31da
SHA1b944886f095f6c4c1bca8e559221742789321081
SHA256f20c0382d5dc8dcf13a20cc0d28b9e757c59085f401d961bafecd7e2af00dda7
SHA512a65e5a00b033a786915e65903b5587dd0c482e83b1989d3edc7ba6bf73678b37ddf085bbd9fbd2cd57d5bdec81ab1c43c8dc9d7c71594a5a3037e0e62319ddce