Analysis
- max time kernel: 150s
- max time network: 48s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04/07/2024, 01:33
Behavioral task behavioral1
- Sample: 1d8b5274e26329f1b5dffbecf3b8b3f4.exe
- Resource: win7-20240611-en
Behavioral task behavioral2
- Sample: 1d8b5274e26329f1b5dffbecf3b8b3f4.exe
- Resource: win10v2004-20240508-en
General
- Target: 1d8b5274e26329f1b5dffbecf3b8b3f4.exe
- Size: 898KB
- MD5: 1d8b5274e26329f1b5dffbecf3b8b3f4
- SHA1: a6d0a24bd77e98c589efd158831ff05b5864c786
- SHA256: 6eede7c8af05dd28fe62bec856d7e7a276078e51da48539e083088dfee647d68
- SHA512: 242f76b538385c435a4ecd8361f11038ebfc9c47da0d55b148bdcc4a42c8f054b15ce1e07151e408cbf817a8abc381dfe6094c00378f538f40f1c2a54bfcb7b8
- SSDEEP: 12288:rbpHYUKy5U1bo9t8DMRSW9vbciUiLuAvOxMt11i27QitjUN:r5sJo6YrFUiyAak11LtjUN
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid | Process
  2320 | svchest425075242507520.exe
- UPX yara rule matches (6 IoCs)
  resource | yara_rule
  behavioral2/memory/1440-0-0x0000000000400000-0x0000000000597000-memory.dmp | upx
  behavioral2/memory/1440-1-0x0000000000400000-0x0000000000597000-memory.dmp | upx
  behavioral2/files/0x00080000000233d3-7.dat | upx
  behavioral2/memory/2320-10-0x0000000000400000-0x0000000000597000-memory.dmp | upx
  behavioral2/memory/2320-12-0x0000000000400000-0x0000000000597000-memory.dmp | upx
  behavioral2/memory/1440-13-0x0000000000400000-0x0000000000597000-memory.dmp | upx
- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Kris = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1d8b5274e26329f1b5dffbecf3b8b3f4.exe" | 1d8b5274e26329f1b5dffbecf3b8b3f4.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  pid | Process
  1440 | 1d8b5274e26329f1b5dffbecf3b8b3f4.exe
  2320 | svchest425075242507520.exe
- Drops file in Windows directory (4 IoCs)
  description | ioc | Process
  File opened for modification | \??\c:\Windows\BJ.exe | 1d8b5274e26329f1b5dffbecf3b8b3f4.exe
  File created | \??\c:\Windows\BJ.exe | 1d8b5274e26329f1b5dffbecf3b8b3f4.exe
  File created | \??\c:\Windows\svchest425075242507520.exe | 1d8b5274e26329f1b5dffbecf3b8b3f4.exe
  File opened for modification | \??\c:\Windows\svchest425075242507520.exe | 1d8b5274e26329f1b5dffbecf3b8b3f4.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | Process | procid_target
  PID 1440 wrote to memory of 2320 | 1440 | 1d8b5274e26329f1b5dffbecf3b8b3f4.exe | 80
  PID 1440 wrote to memory of 2320 | 1440 | 1d8b5274e26329f1b5dffbecf3b8b3f4.exe | 80
  PID 1440 wrote to memory of 2320 | 1440 | 1d8b5274e26329f1b5dffbecf3b8b3f4.exe | 80
Processes
- Depth 1: C:\Users\Admin\AppData\Local\Temp\1d8b5274e26329f1b5dffbecf3b8b3f4.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1d8b5274e26329f1b5dffbecf3b8b3f4.exe"
  PID: 1440
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - Depth 2 (child of PID 1440): \??\c:\Windows\svchest425075242507520.exe
    Command line: c:\Windows\svchest425075242507520.exe
    PID: 2320
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 898KB
- MD5: 1d8b5274e26329f1b5dffbecf3b8b3f4
- SHA1: a6d0a24bd77e98c589efd158831ff05b5864c786
- SHA256: 6eede7c8af05dd28fe62bec856d7e7a276078e51da48539e083088dfee647d68
- SHA512: 242f76b538385c435a4ecd8361f11038ebfc9c47da0d55b148bdcc4a42c8f054b15ce1e07151e408cbf817a8abc381dfe6094c00378f538f40f1c2a54bfcb7b8