Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
126s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
07/11/2022, 09:33 UTC
Static task
static1
Behavioral task
behavioral1
Sample
f0797cd6a2f9e7f66e3de7331a4178ffc742ba6b238c3209073eb662df279de0.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
f0797cd6a2f9e7f66e3de7331a4178ffc742ba6b238c3209073eb662df279de0.exe
Resource
win10v2004-20220812-en
General
-
Target
f0797cd6a2f9e7f66e3de7331a4178ffc742ba6b238c3209073eb662df279de0.exe
-
Size
75KB
-
MD5
0c40e64defccbaa85c6f487cbf94fad5
-
SHA1
97ece915241e9eeee28f310df90ab173a88771b3
-
SHA256
f0797cd6a2f9e7f66e3de7331a4178ffc742ba6b238c3209073eb662df279de0
-
SHA512
bd2a4c60b353b7ae316cfad7e976227c8a24c0934055bd1d063ff93a8eedd92a9c6fa6bfd93ef85db5b2169be41ba92846700547605af2a4d1e7b820d1b73691
-
SSDEEP
1536:DIOrr6TCYyS+HxyDeWE1eW1Q+V9Uc1rre7vXsvGiNQp1K3:8UrlzS+RyDejnW+V9UirMKap43
Malware Config
Signatures
-
Suspicious use of UnmapMainImage 1 IoCs
pid Process 1964 f0797cd6a2f9e7f66e3de7331a4178ffc742ba6b238c3209073eb662df279de0.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 1964 wrote to memory of 896 1964 f0797cd6a2f9e7f66e3de7331a4178ffc742ba6b238c3209073eb662df279de0.exe 28 PID 1964 wrote to memory of 896 1964 f0797cd6a2f9e7f66e3de7331a4178ffc742ba6b238c3209073eb662df279de0.exe 28 PID 1964 wrote to memory of 896 1964 f0797cd6a2f9e7f66e3de7331a4178ffc742ba6b238c3209073eb662df279de0.exe 28 PID 1964 wrote to memory of 896 1964 f0797cd6a2f9e7f66e3de7331a4178ffc742ba6b238c3209073eb662df279de0.exe 28 PID 1964 wrote to memory of 896 1964 f0797cd6a2f9e7f66e3de7331a4178ffc742ba6b238c3209073eb662df279de0.exe 28 PID 1964 wrote to memory of 896 1964 f0797cd6a2f9e7f66e3de7331a4178ffc742ba6b238c3209073eb662df279de0.exe 28 PID 1964 wrote to memory of 896 1964 f0797cd6a2f9e7f66e3de7331a4178ffc742ba6b238c3209073eb662df279de0.exe 28
Processes
-
C:\Users\Admin\AppData\Local\Temp\f0797cd6a2f9e7f66e3de7331a4178ffc742ba6b238c3209073eb662df279de0.exe"C:\Users\Admin\AppData\Local\Temp\f0797cd6a2f9e7f66e3de7331a4178ffc742ba6b238c3209073eb662df279de0.exe"1⤵
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1964 -
C:\Windows\SysWOW64\svchost.exesvchost.exe2⤵PID:896
-
Network
-
Remote address:8.8.8.8:53Requestloca.betrule.comIN AResponseloca.betrule.comIN CNAME365yz.365-yz.com365yz.365-yz.comIN A185.216.251.30
-
Remote address:8.8.8.8:53Requestmutta.agesask.netIN A
-
Remote address:8.8.8.8:53Requestmutta.agesask.netIN A
-
Remote address:8.8.8.8:53Requestmutta.agesask.netIN A
-
Remote address:8.8.8.8:53Requestmutta.agesask.netIN A
-
Remote address:8.8.8.8:53Requestmutta.agesask.netIN A
-
Remote address:8.8.8.8:53Requestuokwa.agesonest.comIN AResponseuokwa.agesonest.comIN A35.205.61.67
-
Remote address:8.8.8.8:53Requestfitt.prince.kzIN AResponse
-
Remote address:8.8.8.8:53Requesteit.folks.suIN AResponseeit.folks.suIN A194.67.71.73
-
62 B 105 B 1 1
DNS Request
loca.betrule.com
DNS Response
185.216.251.30
-
49 B 1
-
315 B 5
DNS Request
mutta.agesask.net
DNS Request
mutta.agesask.net
DNS Request
mutta.agesask.net
DNS Request
mutta.agesask.net
DNS Request
mutta.agesask.net
-
65 B 81 B 1 1
DNS Request
uokwa.agesonest.com
DNS Response
35.205.61.67
-
49 B 1
-
60 B 132 B 1 1
DNS Request
fitt.prince.kz
-
58 B 74 B 1 1
DNS Request
eit.folks.su
DNS Response
194.67.71.73
-
49 B 1