Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
147s -
max time network
115s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
-
submitted
27/11/2022, 19:01
General
-
Target
500716a46d057b920870230dcb2361dccf489a2b8fd7938fc6f8269f7eea8781.exe
-
Size
243KB
-
MD5
c2db310b19a07816183638816938eb5d
-
SHA1
ea5d7cfd5d278f019a77b99cfac9a8e0709d591e
-
SHA256
500716a46d057b920870230dcb2361dccf489a2b8fd7938fc6f8269f7eea8781
-
SHA512
54cd7c8c5b100e222dd53f338f6f4b8d2fb1fc55db36e848288881b1b5e4ad8200b0cc45d2d36f54bff9faff55e4d49a54a17b866687d2905789a20375eaf772
-
SSDEEP
6144:x4y6j8ncpnrKlEtSfTKfRn/kXfMbpuUW:uVAcpnulEEfWfR/YMbp
Malware Config
Extracted
gozi
Extracted
gozi
1000
goliathuz.com
musicvideoporntip3s.ru
-
exe_type
worker
Signatures
-
Gozi
Gozi is a well-known and widely distributed banking trojan.
-
Modifies Installed Components in the registry 2 TTPs 1 IoCs
-
Deletes itself 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Drops file in System32 directory 2 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 5 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 16 IoCs
-
Suspicious use of FindShellTrayWindow 26 IoCs
-
Suspicious use of SendNotifyMessage 16 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 26 IoCs
-
Views/modifies file attributes 1 TTPs 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\500716a46d057b920870230dcb2361dccf489a2b8fd7938fc6f8269f7eea8781.exe"C:\Users\Admin\AppData\Local\Temp\500716a46d057b920870230dcb2361dccf489a2b8fd7938fc6f8269f7eea8781.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\500716a46d057b920870230dcb2361dccf489a2b8fd7938fc6f8269f7eea8781.exe"C:\Users\Admin\AppData\Local\Temp\500716a46d057b920870230dcb2361dccf489a2b8fd7938fc6f8269f7eea8781.exe"2⤵
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"3⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\7078326.bat" "C:\Users\Admin\AppData\Local\Temp\500716a46d057b920870230dcb2361dccf489a2b8fd7938fc6f8269f7eea8781.exe""3⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\500716a46d057b920870230dcb2361dccf489a2b8fd7938fc6f8269f7eea8781.exe"4⤵
- Views/modifies file attributes
-
-
-
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x58c1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
72B
MD5937e8ff52dcfbb5962ff34719fd9cf4c
SHA1f3d936b994f86f50c761694a1186f06271cd24c8
SHA256d237205ff1bf403ab6fc820f4d633734256e823fa676fba684f5e357ce52e675
SHA512361b4d21ae96422f9d054d468e4057e245791fe174926f4d3547692748156d298bebbf32140a68742a359fb6ee62eb6ad0e3170a16c87308f34deb1d50491348
-
Filesize
64KB
-
Filesize
456KB
-
Filesize
8KB
-
Filesize
456KB
-
Filesize
8KB
-
Filesize
5.7MB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB