Analysis
max time kernel: 141s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/06/2024, 15:57
Static task: static1
Behavioral task: behavioral1
  Sample: 5957d45f995e0f9378a685ec85be9afabfb8a624a323629f16d34b0197b9cef2.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 5957d45f995e0f9378a685ec85be9afabfb8a624a323629f16d34b0197b9cef2.exe
  Resource: win10v2004-20240611-en
General
Target: 5957d45f995e0f9378a685ec85be9afabfb8a624a323629f16d34b0197b9cef2.exe
Size: 11.5MB
MD5: 7a5e0b31ca3759ec4964da0baa7a5579
SHA1: 706a124458622ff1a47b9878cb08f2ada2ee5442
SHA256: 5957d45f995e0f9378a685ec85be9afabfb8a624a323629f16d34b0197b9cef2
SHA512: bd2dac6eafaa62f251a6efdc6e28d41385ac344c446d2b511948a9c84fe53866f4408de173bff0ba6877135ab86f8a8d70aa3181d81a8e270f1966d7fadb06d3
SSDEEP: 196608:n2Gtl6DPRKTkNg8h8V2KQqGfyxXIicOExzUx8Bssun3f6B2+FDnVAA/uaeol:2GtA7RKQNg8h8V2KQH6uBsc9cA/xey
Malware Config
Signatures

Executes dropped EXE (1 IoC)
  pid   Process
  4708  5957d45f995e0f9378a685ec85be9afabfb8a624a323629f16d34b0197b9cef2.exe

Enumerates connected drives (3 TTPs, 4 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  description              ioc     Process
  File opened (read-only)  \??\F:  5957d45f995e0f9378a685ec85be9afabfb8a624a323629f16d34b0197b9cef2.exe
  File opened (read-only)  \??\F:  5957d45f995e0f9378a685ec85be9afabfb8a624a323629f16d34b0197b9cef2.exe
  File opened (read-only)  \??\D:  5957d45f995e0f9378a685ec85be9afabfb8a624a323629f16d34b0197b9cef2.exe
  File opened (read-only)  \??\E:  5957d45f995e0f9378a685ec85be9afabfb8a624a323629f16d34b0197b9cef2.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of SetWindowsHookEx (4 IoCs)
  pid   Process
  4296  5957d45f995e0f9378a685ec85be9afabfb8a624a323629f16d34b0197b9cef2.exe
  4296  5957d45f995e0f9378a685ec85be9afabfb8a624a323629f16d34b0197b9cef2.exe
  4708  5957d45f995e0f9378a685ec85be9afabfb8a624a323629f16d34b0197b9cef2.exe
  4708  5957d45f995e0f9378a685ec85be9afabfb8a624a323629f16d34b0197b9cef2.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  description                       pid   Process                                                                 procid_target
  PID 4296 wrote to memory of 3596  4296  5957d45f995e0f9378a685ec85be9afabfb8a624a323629f16d34b0197b9cef2.exe  83
  PID 4296 wrote to memory of 3596  4296  5957d45f995e0f9378a685ec85be9afabfb8a624a323629f16d34b0197b9cef2.exe  83
  PID 4296 wrote to memory of 3596  4296  5957d45f995e0f9378a685ec85be9afabfb8a624a323629f16d34b0197b9cef2.exe  83
  PID 3596 wrote to memory of 4708  3596  cmd.exe                                                                 85
  PID 3596 wrote to memory of 4708  3596  cmd.exe                                                                 85
  PID 3596 wrote to memory of 4708  3596  cmd.exe                                                                 85
Processes

1. C:\Users\Admin\AppData\Local\Temp\5957d45f995e0f9378a685ec85be9afabfb8a624a323629f16d34b0197b9cef2.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\5957d45f995e0f9378a685ec85be9afabfb8a624a323629f16d34b0197b9cef2.exe"
   PID: 4296
   - Enumerates connected drives
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\90284475AC984E97BD0B173A09AE7D5C.bat
      PID: 3596
      - Suspicious use of WriteProcessMemory

      3. F:\996m2\5957d45f995e0f9378a685ec85be9afabfb8a624a323629f16d34b0197b9cef2.exe
         Command line: "F:/996m2/5957d45f995e0f9378a685ec85be9afabfb8a624a323629f16d34b0197b9cef2.exe"
         PID: 4708
         - Executes dropped EXE
         - Enumerates connected drives
         - Suspicious use of SetWindowsHookEx