Analysis
- max time kernel: 28s
- max time network: 32s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 13/06/2023, 19:59
Static task
- static1
Behavioral task
- behavioral1: sample python-3.8.6-amd64.exe, resource win7-20230220-en
Behavioral task
- behavioral2: sample python-3.8.6-amd64.exe, resource win10v2004-20230220-en
General
- Target: python-3.8.6-amd64.exe
- Size: 26.8MB
- MD5: 2acba3117582c5177cdd28b91bbe9ac9
- SHA1: ef21b38eb1d3aa1d9e2a7b75d18109cfa8d41038
- SHA256: 328a257f189cb500606bb26ab0fbdd298ed0e05d8c36540a322a1744f489a0a0
- SHA512: f5a0726fb9fb02755f02f13f83617d200d8fdc9a00e431e3a6a2e27388faa94b83a8713eba59ddda8bbc217b346dc557a1a7f88307bcf444bbd1dea01021b9ea
- SSDEEP: 393216:fx1WmX4/PvCjYdQdoqQkENQJPS6OYb0H5y3TE3j/AWfGPgcelBsyjyMcKk3Xmhrf:fHlkyYdOohXF6xbmyDEz/bGcjyPmhOfa
Malware Config
Signatures
-
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Executes dropped EXE (1 IoC)
  pid   Process
  1488  python-3.8.6-amd64.exe
-
Loads dropped DLL (2 IoCs)
  pid   Process
  1316  python-3.8.6-amd64.exe
  1488  python-3.8.6-amd64.exe
-
Suspicious use of WriteProcessMemory (7 IoCs)
  description                         pid   Process                 procid_target
  PID 1316 wrote to memory of 1488    1316  python-3.8.6-amd64.exe  28
  (the same entry is recorded seven times)
All seven writes are the original process (1316) writing into the child it has just spawned (1488), a copy of itself under C:\Windows\Temp, before that child runs; the child's command line in the process tree below carries the WiX Burn clean-room switches, which is the documented relaunch behaviour of a Burn bootstrapper rather than injection into a foreign process. Confirm this by checking the sample's hashes above against the vendor's published release and its Authenticode signature rather than by the behavioural signatures alone.
Processes
- C:\Users\Admin\AppData\Local\Temp\python-3.8.6-amd64.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\python-3.8.6-amd64.exe"
  PID: 1316
  signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
  - C:\Windows\Temp\{05A258B6-546A-440B-805D-211B591BC3E1}\.cr\python-3.8.6-amd64.exe
    command line: "C:\Windows\Temp\{05A258B6-546A-440B-805D-211B591BC3E1}\.cr\python-3.8.6-amd64.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\python-3.8.6-amd64.exe" -burn.filehandle.attached=180 -burn.filehandle.self=188
    PID: 1488 (child of 1316)
    signatures: Executes dropped EXE; Loads dropped DLL
-
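The following is an added triage example, not code from tria.ge or from the Python project. It encodes the two process records above as constructed data and checks whether the parent/child pair matches WiX Burn's clean-room relaunch (the bootstrapper copies itself to Windows\Temp\{GUID}\.cr\ and starts the copy with -burn.clean.room pointing back at the original plus two inherited file handles), so that the "Executes dropped EXE", "Loads dropped DLL" and "Suspicious use of WriteProcessMemory" signatures can be separated from ones that still need a look, such as the Uninstall-key enumeration. It also includes a Windows-only helper that reads the same Uninstall keys the "Checks installed software" signature refers to. The switch semantics follow the public WiX Burn behaviour; the .cr directory pattern is taken from the path in this report; the set of signatures treated as explained, the verdict strings and the registry roots walked are this example's own choices.

```python
"""Triage helpers for the tria.ge signatures on a WiX Burn bootstrapper.
Added example; process records are constructed from the report above."""
import ntpath
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Proc:
    pid: int
    image: str            # full path of the running executable
    cmdline: str
    ppid: Optional[int] = None


# Constructed from the report: 1316 is the file the user ran, 1488 is the copy
# it dropped under Windows\Temp\{GUID}\.cr\ and relaunched.
REPORT_PARENT = Proc(
    pid=1316,
    image=r"C:\Users\Admin\AppData\Local\Temp\python-3.8.6-amd64.exe",
    cmdline=r'"C:\Users\Admin\AppData\Local\Temp\python-3.8.6-amd64.exe"',
)
REPORT_CHILD = Proc(
    pid=1488,
    image=r"C:\Windows\Temp\{05A258B6-546A-440B-805D-211B591BC3E1}\.cr\python-3.8.6-amd64.exe",
    cmdline=(
        r'"C:\Windows\Temp\{05A258B6-546A-440B-805D-211B591BC3E1}\.cr\python-3.8.6-amd64.exe" '
        r'-burn.clean.room="C:\Users\Admin\AppData\Local\Temp\python-3.8.6-amd64.exe" '
        r'-burn.filehandle.attached=180 -burn.filehandle.self=188'
    ),
    ppid=1316,
)

# Burn switches: where the original lives, and the two inherited handles.
_CLEAN_ROOM = re.compile(r'-burn\.clean\.room=(?:"([^"]*)"|(\S+))', re.I)
_HANDLE = re.compile(r'-burn\.filehandle\.(attached|self)=(\d+)', re.I)
# <drive>:\Windows\Temp\{GUID}\.cr\ as seen in the report's child path.
_CLEAN_ROOM_DIR = re.compile(r'^[a-z]:\\windows\\temp\\\{[0-9a-f-]{36}\}\\\.cr\\', re.I)

# Example's own choice: signatures the relaunch alone accounts for.
EXPLAINED_BY_RELAUNCH = {"Executes dropped EXE", "Loads dropped DLL",
                         "Suspicious use of WriteProcessMemory"}


def parse_burn_args(cmdline: str) -> dict:
    """Pull the Burn-specific switches out of a command line."""
    out = {}
    m = _CLEAN_ROOM.search(cmdline)
    if m:
        out["clean_room"] = m.group(1) if m.group(1) is not None else m.group(2)
    for kind, val in _HANDLE.findall(cmdline):
        out[f"filehandle_{kind.lower()}"] = int(val)
    return out


def is_burn_clean_room_relaunch(parent: Proc, child: Proc) -> bool:
    """True only when the whole pattern is present: our child, in a .cr
    directory, same file name, -burn.clean.room pointing back at the parent,
    both handles passed. A dropped EXE under Windows\\Temp alone fails."""
    args = parse_burn_args(child.cmdline)
    return (
        child.ppid == parent.pid
        and _CLEAN_ROOM_DIR.match(child.image) is not None
        and ntpath.basename(child.image).lower() == ntpath.basename(parent.image).lower()
        and args.get("clean_room", "").lower() == parent.image.lower()
        and "filehandle_attached" in args and "filehandle_self" in args
    )


def triage(parent: Proc, child: Proc, signatures) -> dict:
    """Verdict per signature. This prioritises review; it does not replace
    checking the sample's hash and Authenticode signature against the vendor."""
    relaunch = is_burn_clean_room_relaunch(parent, child)
    return {sig: ("explained by Burn clean-room relaunch"
                  if relaunch and sig in EXPLAINED_BY_RELAUNCH else "review")
            for sig in signatures}


def enumerate_uninstall_entries():
    """What 'Checks installed software' refers to: walk the Uninstall keys.
    Windows only; winreg is imported lazily so the module loads elsewhere."""
    import winreg
    roots = (
        (winreg.HKEY_LOCAL_MACHINE, r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"),
        (winreg.HKEY_LOCAL_MACHINE, r"SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall"),
        (winreg.HKEY_CURRENT_USER, r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"),
    )
    entries = []
    for hive, path in roots:
        try:
            key = winreg.OpenKey(hive, path)
        except OSError:
            continue
        with key:
            for i in range(winreg.QueryInfoKey(key)[0]):
                sub = winreg.EnumKey(key, i)
                try:
                    with winreg.OpenKey(key, sub) as k:
                        name, _ = winreg.QueryValueEx(k, "DisplayName")
                except OSError:
                    continue      # many subkeys carry no DisplayName
                entries.append((path + "\\" + sub, name))
    return entries


if __name__ == "__main__":
    sigs = ["Checks installed software on the system", "Executes dropped EXE",
            "Loads dropped DLL", "Suspicious use of WriteProcessMemory"]
    for sig, verdict in triage(REPORT_PARENT, REPORT_CHILD, sigs).items():
        print(f"{sig:42s} {verdict}")
```

Run it as a script to see the per-signature verdicts for this report; on a Windows host, enumerate_uninstall_entries() returns (key path, DisplayName) pairs so the analyst can see exactly what the installer was able to learn from that lookup. The match is deliberately strict: every element of the Burn pattern must be present, because a dropped copy under Windows\Temp that is merely started by its parent is exactly what a loader would also do.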
Network
MITRE ATT&CK Enterprise v6
Downloads
- 841KB (listed three times with identical hashes)
  MD5: a1a8f622d1aa8873d290f7cc77667ae9
  SHA1: a15f822d2040dc136d8012792981c2631ac5a73a
  SHA256: b28ddf5c646babbd2da14a9a930d6115ccbaa4b9c948342b1821468e2b53fc79
  SHA512: e244937a3c81d2b6332fbd669120b6b1af318b5b52e2a0a4fad64bb6b4c8c23431d2705c1c359d9fe0903e63af225d17eb04a4dba72cfca7d6bd32ddc1a4adff
- 56KB
  MD5: ca62a92ad5b307faeac640cd5eb460ed
  SHA1: 5edf8b5fc931648f77a2a131e4c733f1d31b548e
  SHA256: f3109977125d4a3a3ffa17462cfc31799589f466a51d226d1d1f87df2f267627
  SHA512: f7b3001a957f393298b0ff2aa08b400f8639f2f0487a34ac2a0e8d9519765ac92249185ebe45f907bc9d2f8556fdd39095c52f890330a35edf71ae49df32e27a
- 601KB
  MD5: c877db675510da9101f183318877b1df
  SHA1: aade2b7fb2b35f84e9964b90c66c4c7baf543ea2
  SHA256: 74de5491b4c112010a677efa53b0ce05cc7587dad9dbebe1c27c29a0269ca9d3
  SHA512: c69be9c1cc90494fc9c06a0bdeaea502136cd9420fbce61581dd92adb94b895b6353a3e1b3481c55a76a91b20dac553a5a68dc9decb93af92f320c10c0b6bd2d