Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
100s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
13/05/2024, 09:34
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
loader.exe
Resource
win7-20231129-en
1 signatures
150 seconds
Behavioral task
behavioral2
Sample
loader.exe
Resource
win10v2004-20240508-en
1 signatures
150 seconds
General
-
Target
loader.exe
-
Size
1.6MB
-
MD5
9c3be7203ba00ad3a4aa5c060d92e032
-
SHA1
73889da9d3516234b199902efdc996e830d7ed12
-
SHA256
70092856c9eeb38f6d7c031f0300630ec27d3fbd9f751ab0d1246e35f86aba80
-
SHA512
edb44fd610fddfd469242bf43c0c79997aac07ed1bf7d7263fd0ba49d923bde7b36254e89cd98039df8a9d6ad9914599eaaed22e4f29a8939638a58c5ff140ad
-
SSDEEP
49152:x2+bFGaqjaqjyX3KLsRnkFyd+PfvSTgr8z:jk1yX3VRE
Score
1/10
Malware Config
Signatures
-
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 2484 wrote to memory of 1504 2484 loader.exe 83 PID 2484 wrote to memory of 1504 2484 loader.exe 83 PID 1504 wrote to memory of 1900 1504 cmd.exe 84 PID 1504 wrote to memory of 1900 1504 cmd.exe 84 PID 1504 wrote to memory of 2080 1504 cmd.exe 85 PID 1504 wrote to memory of 2080 1504 cmd.exe 85 PID 1504 wrote to memory of 868 1504 cmd.exe 86 PID 1504 wrote to memory of 868 1504 cmd.exe 86
Processes
-
C:\Users\Admin\AppData\Local\Temp\loader.exe"C:\Users\Admin\AppData\Local\Temp\loader.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2484 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\loader.exe" MD5 | find /i /v "md5" | find /i /v "certutil"2⤵
- Suspicious use of WriteProcessMemory
PID:1504 -
C:\Windows\system32\certutil.execertutil -hashfile "C:\Users\Admin\AppData\Local\Temp\loader.exe" MD53⤵PID:1900
-
-
C:\Windows\system32\find.exefind /i /v "md5"3⤵PID:2080
-
-
C:\Windows\system32\find.exefind /i /v "certutil"3⤵PID:868
-
-