Analysis
- max time kernel: 19s
- max time network: 34s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 23/11/2022, 20:33
Behavioral task: behavioral1
- Sample: 735f49a9a64a7728c12403d5189e815c0a492def9f9cc70d9749a39cda7c9b4c.exe
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: 735f49a9a64a7728c12403d5189e815c0a492def9f9cc70d9749a39cda7c9b4c.exe
- Resource: win10v2004-20221111-en
General
- Target: 735f49a9a64a7728c12403d5189e815c0a492def9f9cc70d9749a39cda7c9b4c.exe
- Size: 572KB
- MD5: 0d50f046e6eb7e921272b20d62e1003a
- SHA1: 9dda4c398008827fadc3775026e81d922eab8dfe
- SHA256: 735f49a9a64a7728c12403d5189e815c0a492def9f9cc70d9749a39cda7c9b4c
- SHA512: 6954266c06fcb7d20ba47624aa796cfd40ddad9d4e4c566dd8402b71cca2e5fd5f099f09be23dbcbab4bf563eae35b3e64a2411b7253379cf319c0b036fd3d00
- SSDEEP: 12288:R8qUSvdP3zOstTokAQn2+ay8Hprl90ENhT713v/A7U97w:RwSvV3rAQnWLlXRvI7M7w
Malware Config
Signatures
- ACProtect 1.3x - 1.4x DLL software (2 IoCs)
  Detects file using ACProtect software.
  resource / yara_rule:
  - behavioral1/files/0x000b0000000122f6-56.dat / acprotect
  - behavioral1/files/0x000b0000000122f6-58.dat / acprotect
- Signature name missing from extraction; rule matches listed below (5 IoCs)
  resource / yara_rule:
  - behavioral1/memory/1372-54-0x0000000000400000-0x0000000000530000-memory.dmp / upx
  - behavioral1/files/0x000b0000000122f6-56.dat / upx
  - behavioral1/files/0x000b0000000122f6-58.dat / upx
  - behavioral1/memory/1372-59-0x0000000010000000-0x000000001003E000-memory.dmp / upx
  - behavioral1/memory/1372-60-0x0000000000400000-0x0000000000530000-memory.dmp / upx
- Loads dropped DLL (1 IoCs)
  pid / Process:
  - 1372 / 735f49a9a64a7728c12403d5189e815c0a492def9f9cc70d9749a39cda7c9b4c.exe
- Suspicious use of SetWindowsHookEx (3 IoCs)
  pid / Process:
  - 1372 / 735f49a9a64a7728c12403d5189e815c0a492def9f9cc70d9749a39cda7c9b4c.exe
  - 1372 / 735f49a9a64a7728c12403d5189e815c0a492def9f9cc70d9749a39cda7c9b4c.exe
  - 1372 / 735f49a9a64a7728c12403d5189e815c0a492def9f9cc70d9749a39cda7c9b4c.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description / pid / Process / procid_target:
  - PID 1372 wrote to memory of 1800 / 1372 / 735f49a9a64a7728c12403d5189e815c0a492def9f9cc70d9749a39cda7c9b4c.exe / 28
  - PID 1372 wrote to memory of 1800 / 1372 / 735f49a9a64a7728c12403d5189e815c0a492def9f9cc70d9749a39cda7c9b4c.exe / 28
  - PID 1372 wrote to memory of 1800 / 1372 / 735f49a9a64a7728c12403d5189e815c0a492def9f9cc70d9749a39cda7c9b4c.exe / 28
  - PID 1372 wrote to memory of 1800 / 1372 / 735f49a9a64a7728c12403d5189e815c0a492def9f9cc70d9749a39cda7c9b4c.exe / 28
Processes
- C:\Users\Admin\AppData\Local\Temp\735f49a9a64a7728c12403d5189e815c0a492def9f9cc70d9749a39cda7c9b4c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\735f49a9a64a7728c12403d5189e815c0a492def9f9cc70d9749a39cda7c9b4c.exe"
  PID: 1372
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (child of PID 1372)
    Command line: cmd /c del /f /a C:\Users\Admin\AppData\Local\Temp\jedata.dll
    PID: 1800
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 86KB
  MD5: 114054313070472cd1a6d7d28f7c5002
  SHA1: 9a044986e6101df1a126035da7326a50c3fe9a23
  SHA256: e15d9e1b772fed3db19e67b8d54533d1a2d46a37f8b12702a5892c6b886e9db1
  SHA512: a2ff8481e89698dae4a1c83404105093472e384d7a3debbd7014e010543e08efc8ebb3f67c8a4ce09029e6b2a8fb7779bb402aae7c9987e61389cd8a72c73522
- Filesize: 86KB
  MD5: 114054313070472cd1a6d7d28f7c5002
  SHA1: 9a044986e6101df1a126035da7326a50c3fe9a23
  SHA256: e15d9e1b772fed3db19e67b8d54533d1a2d46a37f8b12702a5892c6b886e9db1
  SHA512: a2ff8481e89698dae4a1c83404105093472e384d7a3debbd7014e010543e08efc8ebb3f67c8a4ce09029e6b2a8fb7779bb402aae7c9987e61389cd8a72c73522