Analysis
max time kernel: 118s
max time network: 122s
platform: windows7_x64
resource: win7-20231023-en
resource tags: arch:x64, arch:x86, image:win7-20231023-en, locale:en-us, os:windows7-x64, system
submitted: 03/12/2023, 01:45
Behavioral task: behavioral1
Sample: 49147ecaa6fb80734284257327e1f47f18914d5db04487f7c83490872a8e34e3.exe
Resource: win7-20231023-en

Behavioral task: behavioral2
Sample: 49147ecaa6fb80734284257327e1f47f18914d5db04487f7c83490872a8e34e3.exe
Resource: win10v2004-20231201-en
General
Target: 49147ecaa6fb80734284257327e1f47f18914d5db04487f7c83490872a8e34e3.exe
Size: 901KB
MD5: 5d8924fefdc3af4f7877292e1ec73488
SHA1: 74b10ac14262bd753c144d8c1a5f6858f536eb08
SHA256: 49147ecaa6fb80734284257327e1f47f18914d5db04487f7c83490872a8e34e3
SHA512: bf48e13e1581030eaf7126c2227c095c85e9019baee03bcce92e208aa5b5722ae45a1096ce27226320192d48f8a77e101a4f49e31da3ccf8b410360dfd7b6394
SSDEEP: 12288:28shHAVBuQBBed37dG1lFlWcYT70pxnnaaoawMRVcTqSA+9rZNrI0AilFEvxHvBc:v3s4MROxnF9LqrZlI0AilFEvxHioy
Malware Config
Signatures
Suspicious use of WriteProcessMemory (6 IoCs)

description                        pid   Process                                                                  procid_target
PID 1648 wrote to memory of 2412   1648  49147ecaa6fb80734284257327e1f47f18914d5db04487f7c83490872a8e34e3.exe   28
PID 1648 wrote to memory of 2412   1648  49147ecaa6fb80734284257327e1f47f18914d5db04487f7c83490872a8e34e3.exe   28
PID 1648 wrote to memory of 2412   1648  49147ecaa6fb80734284257327e1f47f18914d5db04487f7c83490872a8e34e3.exe   28
PID 2412 wrote to memory of 1620   2412  csc.exe                                                                  30
PID 2412 wrote to memory of 1620   2412  csc.exe                                                                  30
PID 2412 wrote to memory of 1620   2412  csc.exe                                                                  30
Processes
1. C:\Users\Admin\AppData\Local\Temp\49147ecaa6fb80734284257327e1f47f18914d5db04487f7c83490872a8e34e3.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\49147ecaa6fb80734284257327e1f47f18914d5db04487f7c83490872a8e34e3.exe"
   PID: 1648
   Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rh6zujh1.cmdline"
      PID: 2412
      Suspicious use of WriteProcessMemory
      3. C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
         Command line: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5265.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC5264.tmp"
         PID: 1620
Network
MITRE ATT&CK Matrix
Downloads
Filesize: 1KB
MD5: 08ee454471ea721c84ed2cbbfcbbb71e
SHA1: 5ba28794d9e667f85f89a2580a4c0332b205a3eb
SHA256: 6d11d70a9749385a198ca0a4c3abc11a61417e36fb0af06dbae4ed7a75a0048d
SHA512: 0c43658342db738c91ac0db9dfe59b3931fa7f128e4858ddfd158fb4325ed878ebcab4f0e3399bd08166a03359a0e571c15f436880b4c6e4d6d6a12f15ff9f93

Filesize: 76KB
MD5: a5808a09865866df5c1d17b096514a53
SHA1: fcae5b835b0214a9e4c7de55482d67c5e6df4a3f
SHA256: 76dace6745b37da8195b027512addde6edf37485fdb26e20c3b769df0f34a56f
SHA512: c2c3ea7a53c4e352a9b304423adf4aaed49e4aa031983c91655c6f9d571f19c53efe395f7d87e9602374f20817fbfd24c4a384c2fb681cdf21587fa8d8bc5dac

Filesize: 676B
MD5: 16f4ae6d954c5be38e45ec8da15eff7f
SHA1: 1cf345c11711463211e80f981230541310011dcd
SHA256: 64aff604d9ac9de61f90feec7199ba6db38faea0df4cf15ef34860da7e7f95c9
SHA512: 8ace4c51c439e339ff35a0f9d7d52fdb465ab7bf7e29659f61cd89a4155950e4dc363a3b252290bc47f1c57a77061645bafce21f43c17d325f893ef8958420a6

Filesize: 208KB
MD5: 2b14ae8b54d216abf4d228493ceca44a
SHA1: d134351498e4273e9d6391153e35416bc743adef
SHA256: 4e1cc3da1f7bf92773aae6cffa6d61bfc3e25aead3ad947f6215f93a053f346c
SHA512: 5761b605add10ae3ef80f3b8706c8241b4e8abe4ac3ce36b7be8a97d08b08da5a72fedd5e976b3c9e1c463613a943ebb5d323e6a075ef6c7c3b1abdc0d53ac05

Filesize: 349B
MD5: 30cdd85f8b74109a85c335d4c8aa1c26
SHA1: 93f8e6d41bb98bbb123dfbe8d9e0a1cb3d39958e
SHA256: 5591d04f129be9e9d6147c6a2c4eb303e2afdc329bebc2b7a87ae492be042537
SHA512: fc560218f644ada2ccd3719160ae6219a6cbf578efa57f6aeb4739096b0c9a6ace2a65965d6166c111081b1b18f2df1e5be7d817aadd6d962b89a11bc880f1d8