Analysis
max time kernel: 93s
max time network: 94s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15/07/2024, 01:32
Behavioral task: behavioral1
Sample: 593cef5a4ba0c0716370666779a24f50N.exe
Resource: win7-20240705-en

Behavioral task: behavioral2
Sample: 593cef5a4ba0c0716370666779a24f50N.exe
Resource: win10v2004-20240709-en
General
Target: 593cef5a4ba0c0716370666779a24f50N.exe
Size: 134KB
MD5: 593cef5a4ba0c0716370666779a24f50
SHA1: 13acf94e369f23ee09d4bea580ab1af7b7ecd506
SHA256: d5417884e04b9658ee24e380cbf1a9dda61d591ad79f7a8c3593dd26e4e0f504
SHA512: 41272faf1ea8e984adaf2f8f23504a6a9bf9e18f27dbc3a22b260a0b6af93b92031273c0210bcf3f3d278a840e45cd743d3141660b8f319bebb7355fcb8e6eb4
SSDEEP: 1536:rF0AJELopHG9aa+9qX3apJzAKWYr0v7ioy6paK2AZqMIK7aGZh38Qh:riAyLN9aa+9U2rW1ip6pr2At7NZuQh
Malware Config
Signatures
Executes dropped EXE (1 IoC)
pid | Process
2648 | WwanSvc.exe

YARA rule matches (5 resources)
resource | yara_rule
behavioral2/memory/4164-0-0x00000000001D0000-0x00000000001F8000-memory.dmp | upx
behavioral2/files/0x0008000000023425-3.dat | upx
behavioral2/memory/4164-4-0x00000000001D0000-0x00000000001F8000-memory.dmp | upx
behavioral2/memory/2648-6-0x0000000000910000-0x0000000000938000-memory.dmp | upx
behavioral2/memory/2648-7-0x0000000000910000-0x0000000000938000-memory.dmp | upx

Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Window Update = "\"C:\\ProgramData\\Update\\WwanSvc.exe\" /run" | 593cef5a4ba0c0716370666779a24f50N.exe

Suspicious use of WriteProcessMemory (3 IoCs)
description | pid | Process | procid_target
PID 4164 wrote to memory of 2648 | 4164 | 593cef5a4ba0c0716370666779a24f50N.exe | 83
PID 4164 wrote to memory of 2648 | 4164 | 593cef5a4ba0c0716370666779a24f50N.exe | 83
PID 4164 wrote to memory of 2648 | 4164 | 593cef5a4ba0c0716370666779a24f50N.exe | 83
Processes
1. C:\Users\Admin\AppData\Local\Temp\593cef5a4ba0c0716370666779a24f50N.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\593cef5a4ba0c0716370666779a24f50N.exe"
   PID: 4164
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory
   2. C:\ProgramData\Update\WwanSvc.exe
      command line: "C:\ProgramData\Update\WwanSvc.exe" /run
      PID: 2648
      - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 134KB
MD5: db737a356ddac10aec03b6eed9392331
SHA1: 31f2f9cd4ee8eb8006ba0923af12d79025f7e8e1
SHA256: fc56f82c2a780f7539ab9c94c7fa864e29c248471926fddac94313b45261dd4e
SHA512: e757cf1093cb89aa8d7de8722f8a170feba4c159d7d365f4dbfa092baad6ea8c260e8ae534920b23825c8eae70f56e2b3977eebf3dc6dd17857c511b585d6a20