Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 148s
- max time network: 100s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12/06/2024, 07:27
Behavioral task behavioral1
- Sample: fe8c86095397635bfbc612c50e9d365607c904aef8f94151a59c01ea6f65a552.exe
- Resource: win7-20231129-en
Behavioral task behavioral2
- Sample: fe8c86095397635bfbc612c50e9d365607c904aef8f94151a59c01ea6f65a552.exe
- Resource: win10v2004-20240508-en
General
- Target: fe8c86095397635bfbc612c50e9d365607c904aef8f94151a59c01ea6f65a552.exe
- Size: 134KB
- MD5: 94e7c44026616a36ad658e2d93ec77ee
- SHA1: 71e645d14569d3acf51e64d39eb30cc098c27b58
- SHA256: fe8c86095397635bfbc612c50e9d365607c904aef8f94151a59c01ea6f65a552
- SHA512: c2b3cc328b9d787b0e5a722aec3c3d2ad02b60054dfa55b586bca757aedbfec380097990f4a9fe23799f7ac5b875c567f1465044d2fda93395d5eaca6ab36a22
- SSDEEP: 1536:rF0AJELopHG9aa+9qX3apJzAKWYr0v7ioy6paK2AZqMIK7aGZh38QZ:riAyLN9aa+9U2rW1ip6pr2At7NZuQZ
Malware Config
Signatures
- UPX dump on OEP (original entry point) (5 IoCs)
  resource / yara_rule:
  behavioral2/memory/2120-2-0x0000000000740000-0x0000000000768000-memory.dmp / UPX
  behavioral2/files/0x00090000000233ed-3.dat / UPX
  behavioral2/memory/2120-4-0x0000000000740000-0x0000000000768000-memory.dmp / UPX
  behavioral2/memory/2596-5-0x0000000000AA0000-0x0000000000AC8000-memory.dmp / UPX
  behavioral2/memory/2596-7-0x0000000000AA0000-0x0000000000AC8000-memory.dmp / UPX
- Executes dropped EXE (1 IoC)
  pid / Process: 2596 / WwanSvc.exe
- resource / yara_rule:
  behavioral2/memory/2120-2-0x0000000000740000-0x0000000000768000-memory.dmp / upx
  behavioral2/files/0x00090000000233ed-3.dat / upx
  behavioral2/memory/2120-4-0x0000000000740000-0x0000000000768000-memory.dmp / upx
  behavioral2/memory/2596-5-0x0000000000AA0000-0x0000000000AC8000-memory.dmp / upx
  behavioral2/memory/2596-7-0x0000000000AA0000-0x0000000000AC8000-memory.dmp / upx
- Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Window Update = "\"C:\\ProgramData\\Update\\WwanSvc.exe\" /run"
  Process: fe8c86095397635bfbc612c50e9d365607c904aef8f94151a59c01ea6f65a552.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description / pid / Process / procid_target:
  PID 2120 wrote to memory of 2596 / 2120 / fe8c86095397635bfbc612c50e9d365607c904aef8f94151a59c01ea6f65a552.exe / 81
  PID 2120 wrote to memory of 2596 / 2120 / fe8c86095397635bfbc612c50e9d365607c904aef8f94151a59c01ea6f65a552.exe / 81
  PID 2120 wrote to memory of 2596 / 2120 / fe8c86095397635bfbc612c50e9d365607c904aef8f94151a59c01ea6f65a552.exe / 81
Processes
- C:\Users\Admin\AppData\Local\Temp\fe8c86095397635bfbc612c50e9d365607c904aef8f94151a59c01ea6f65a552.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\fe8c86095397635bfbc612c50e9d365607c904aef8f94151a59c01ea6f65a552.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID: 2120
  - C:\ProgramData\Update\WwanSvc.exe
    Command line: "C:\ProgramData\Update\WwanSvc.exe" /run
    - Executes dropped EXE
    PID: 2596
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 134KB
  MD5: 0fbe9e7b9a51724a94050fae22595213
  SHA1: 76bb458593166baf6f0d1b41f75eba82cc2843d9
  SHA256: db82fd1f6da1c38d86921a2bfb976c0bbd04f1be9e474f5f849268ab77538039
  SHA512: ae3ac3900bf83ecbb2fefe9c1bbba5e41bb89e2ccf8263ead73f28daac43c1710afe068adf19447f5e6b0fe59508c7acb53956915dd3de2b2c692dd0b3745b40