Analysis
max time kernel: 150s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20230915-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13/10/2023, 03:00
Static task: static1
Behavioral task: behavioral1
Sample: 7441fe25afda1adfd618fb3d603f0fdbbab3ec4ab47a51252dc2030cebf52e3f.exe
Resource: win7-20230831-en
Behavioral task: behavioral2
Sample: 7441fe25afda1adfd618fb3d603f0fdbbab3ec4ab47a51252dc2030cebf52e3f.exe
Resource: win10v2004-20230915-en
General
Target: 7441fe25afda1adfd618fb3d603f0fdbbab3ec4ab47a51252dc2030cebf52e3f.exe
Size: 925KB
MD5: 666f6d4e736ddfed99c93ef08ec2f313
SHA1: e3d120cc7e4557afce230c9cd56a13a43baf2bf9
SHA256: 7441fe25afda1adfd618fb3d603f0fdbbab3ec4ab47a51252dc2030cebf52e3f
SHA512: 7db2ba9690be13a09f45e12fba27f8589b2fcc39c0b8abf3cc6ae83d6af21d6b5bdcffef63eb37bc2c1626fcf682481d67aaec2e08eebf439b8ea480b6d7e788
SSDEEP: 24576:hPpeZJniROWKdTysB//EXK2ufvNTSLsDW4z:tMZJDdT/BXEXK2ufvNTSLsy4
Malware Config
Signatures
Downloads MZ/PE file
Deletes itself (1 IoC)
  pid 1376  2023-10-16-1608.exe
Executes dropped EXE (1 IoC)
  pid 1376  2023-10-16-1608.exe
Drops file in System32 directory (1 IoC)
  File created: C:\Windows\system32\CitiesBase.dll  by 2023-10-16-1608.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 4136  7441fe25afda1adfd618fb3d603f0fdbbab3ec4ab47a51252dc2030cebf52e3f.exe  (6 entries)
  pid 1376  2023-10-16-1608.exe  (58 entries)
Suspicious use of WriteProcessMemory (2 IoCs)
  PID 4136 (7441fe25afda1adfd618fb3d603f0fdbbab3ec4ab47a51252dc2030cebf52e3f.exe) wrote to memory of 1376, target procid 83  (2 identical entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\7441fe25afda1adfd618fb3d603f0fdbbab3ec4ab47a51252dc2030cebf52e3f.exe  (PID 4136)
   command line: "C:\Users\Admin\AppData\Local\Temp\7441fe25afda1adfd618fb3d603f0fdbbab3ec4ab47a51252dc2030cebf52e3f.exe"
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\2023-10-16-1608.exe  (PID 1376, child of 4136)
      command line: "C:\Users\Admin\AppData\Local\Temp\2023-10-16-1608.exe"
      - Deletes itself
      - Executes dropped EXE
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
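The process tree above is the whole story of this sample: a Temp-resident parent spawns a second Temp-resident executable, writes into its memory, and the child plants a DLL in System32 and then removes its own image. The following is an added example, not part of the tria.ge report, showing that chain as detection logic over Sysmon-style events. Field names follow Sysmon (EventID 1 ProcessCreate, 10 ProcessAccess, 11 FileCreate, 23 FileDelete); the event rows are constructed to mirror this report's process tree, and the GrantedAccess value, the explorer/svchost noise rows, the rule names and the parent PID of 4136 are assumptions, not captured data.

```python
"""Behaviour-chain detection over constructed Sysmon-style events.
Added example; not code from tria.ge. PIDs 4136/1376 and the paths mirror the
report above, everything else in EVENTS is assumed for illustration."""
import re
from collections import defaultdict

TEMP_RE = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.I)
SYSTEM32_RE = re.compile(r"^[A-Z]:\\Windows\\System32\\", re.I)
PROCESS_VM_WRITE = 0x0020  # access bit a caller needs before WriteProcessMemory can succeed

PARENT = r"C:\Users\Admin\AppData\Local\Temp\7441fe25afda1adfd618fb3d603f0fdbbab3ec4ab47a51252dc2030cebf52e3f.exe"
CHILD = r"C:\Users\Admin\AppData\Local\Temp\2023-10-16-1608.exe"

# Constructed events (assumed values: parent PID 3412, GrantedAccess mask, noise rows).
EVENTS = [
    {"EventID": 1, "ProcessId": 4136, "Image": PARENT,
     "ParentProcessId": 3412, "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "ProcessId": 1376, "Image": CHILD,
     "ParentProcessId": 4136, "ParentImage": PARENT},
    {"EventID": 10, "SourceProcessId": 4136, "SourceImage": PARENT,
     "TargetProcessId": 1376, "TargetImage": CHILD, "GrantedAccess": 0x1FFFFF},
    {"EventID": 11, "ProcessId": 1376, "Image": CHILD,
     "TargetFilename": r"C:\Windows\system32\CitiesBase.dll"},
    {"EventID": 23, "ProcessId": 1376, "Image": CHILD, "TargetFilename": CHILD},
    # benign noise that must not fire: a system binary writing under System32,
    # and explorer deleting a Temp file that is not its own image
    {"EventID": 11, "ProcessId": 912, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\Windows\System32\config\systemprofile\x.tmp"},
    {"EventID": 23, "ProcessId": 3412, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\Admin\AppData\Local\Temp\tmp1.txt"},
]


def in_temp(path):
    return bool(TEMP_RE.match(path or ""))


def in_system32(path):
    return bool(SYSTEM32_RE.match(path or ""))


def evaluate(events):
    """Return {pid: set(rule_names)} for every PID that matched at least one rule."""
    hits = defaultdict(set)
    for e in events:
        eid = e["EventID"]
        if eid == 1 and in_temp(e["Image"]) and in_temp(e.get("ParentImage")):
            hits[e["ProcessId"]].add("temp_parent_spawns_temp_child")
        elif (eid == 10 and in_temp(e["SourceImage"]) and in_temp(e["TargetImage"])
              and e["GrantedAccess"] & PROCESS_VM_WRITE):
            hits[e["SourceProcessId"]].add("temp_process_writes_child_memory")
        elif eid == 11 and in_temp(e["Image"]) and in_system32(e["TargetFilename"]):
            hits[e["ProcessId"]].add("temp_process_drops_into_system32")
        elif eid == 23 and e["TargetFilename"].lower() == e["Image"].lower():
            hits[e["ProcessId"]].add("process_deletes_own_image")
    return dict(hits)


def chained(hits, min_rules=2):
    """PIDs showing at least min_rules distinct behaviours; one rule alone is weak signal."""
    return sorted(pid for pid, rules in hits.items() if len(rules) >= min_rules)


if __name__ == "__main__":
    found = evaluate(EVENTS)
    for pid in sorted(found):
        print(pid, sorted(found[pid]))
    print("chained:", chained(found))
```

Each rule on its own is noisy (installers drop into System32, updaters delete themselves), which is why `chained` only reports a PID once several distinct behaviours land on it; here that is 1376, while 4136 is left with the single process-access hit and the noise rows produce nothing.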
Network
MITRE ATT&CK Matrix
Downloads
Filesize: 985KB
MD5: 498f0ae33234a1f22f4ec60719ed1aa6
SHA1: 28f904fd80673ccb175b493fba3c71eb9a8d9c6a
SHA256: 0a001f7d59b2122db8b58edb821159cae09d18a9a0370aeb1c12858284337c6e
SHA512: d82d011b16e02c85300118ec8ea52326e848e759b1e17cb918e0caab7cf4adf11def350fa3a882f5c43e08e0d1172dc021cc722f8a94600f0996aad3c54b6398