Analysis
  max time kernel:   131s
  max time network:  141s
  platform:          windows7_x64
  resource:          win7-20231215-en
  resource tags:     arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  submitted:         19/12/2023, 15:52
Static task
  static1

Behavioral task
  behavioral1
    Sample:   54e80ee4581f8e2dc067ba5c2828ea65.exe
    Resource: win7-20231215-en

Behavioral task
  behavioral2
    Sample:   54e80ee4581f8e2dc067ba5c2828ea65.exe
    Resource: win10v2004-20231201-en
General
  Target: 54e80ee4581f8e2dc067ba5c2828ea65.exe
  Size:   15KB
  MD5:    54e80ee4581f8e2dc067ba5c2828ea65
  SHA1:   5a894e53fe197e45cea591d2fea63c432aa138e3
  SHA256: d8830a71c09f8d1260a448dd41fc58a8454ada25d359eb97da4e28cffa6b3f29
  SHA512: 5eca1e6ad53006755605a2f39ef3a43062b659f2cbdc063602708ab94977cb7eebc46b6016d809648d683275bfc6e7c4c5b6f6142eb844ef5285c59f52d9281b
  SSDEEP: 384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhRd:hDXWipuE+K3/SSHgxh
Malware Config
Signatures

Executes dropped EXE  (6 IoCs)
  pid   Process
  2816  DEM741.exe
  2616  DEM5D0E.exe
  2932  DEMB26E.exe
  320   DEM770.exe
  1440  DEM5CDF.exe
  2544  DEMB1F1.exe

Loads dropped DLL  (6 IoCs)
  pid   Process
  2140  54e80ee4581f8e2dc067ba5c2828ea65.exe
  2816  DEM741.exe
  2616  DEM5D0E.exe
  2932  DEMB26E.exe
  320   DEM770.exe
  1440  DEM5CDF.exe

Enumerates physical storage devices  (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory  (24 IoCs)
  description                       pid   Process                               procid_target
  PID 2140 wrote to memory of 2816  2140  54e80ee4581f8e2dc067ba5c2828ea65.exe  29
  PID 2140 wrote to memory of 2816  2140  54e80ee4581f8e2dc067ba5c2828ea65.exe  29
  PID 2140 wrote to memory of 2816  2140  54e80ee4581f8e2dc067ba5c2828ea65.exe  29
  PID 2140 wrote to memory of 2816  2140  54e80ee4581f8e2dc067ba5c2828ea65.exe  29
  PID 2816 wrote to memory of 2616  2816  DEM741.exe                            32
  PID 2816 wrote to memory of 2616  2816  DEM741.exe                            32
  PID 2816 wrote to memory of 2616  2816  DEM741.exe                            32
  PID 2816 wrote to memory of 2616  2816  DEM741.exe                            32
  PID 2616 wrote to memory of 2932  2616  DEM5D0E.exe                           36
  PID 2616 wrote to memory of 2932  2616  DEM5D0E.exe                           36
  PID 2616 wrote to memory of 2932  2616  DEM5D0E.exe                           36
  PID 2616 wrote to memory of 2932  2616  DEM5D0E.exe                           36
  PID 2932 wrote to memory of 320   2932  DEMB26E.exe                           37
  PID 2932 wrote to memory of 320   2932  DEMB26E.exe                           37
  PID 2932 wrote to memory of 320   2932  DEMB26E.exe                           37
  PID 2932 wrote to memory of 320   2932  DEMB26E.exe                           37
  PID 320 wrote to memory of 1440   320   DEM770.exe                            40
  PID 320 wrote to memory of 1440   320   DEM770.exe                            40
  PID 320 wrote to memory of 1440   320   DEM770.exe                            40
  PID 320 wrote to memory of 1440   320   DEM770.exe                            40
  PID 1440 wrote to memory of 2544  1440  DEM5CDF.exe                           41
  PID 1440 wrote to memory of 2544  1440  DEM5CDF.exe                           41
  PID 1440 wrote to memory of 2544  1440  DEM5CDF.exe                           41
  PID 1440 wrote to memory of 2544  1440  DEM5CDF.exe                           41
Processes

1. C:\Users\Admin\AppData\Local\Temp\54e80ee4581f8e2dc067ba5c2828ea65.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\54e80ee4581f8e2dc067ba5c2828ea65.exe"
   PID: 2140
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\DEM741.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\DEM741.exe"
      PID: 2816
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\DEM5D0E.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\DEM5D0E.exe"
         PID: 2616
         - Executes dropped EXE
         - Loads dropped DLL
         - Suspicious use of WriteProcessMemory

         4. C:\Users\Admin\AppData\Local\Temp\DEMB26E.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\DEMB26E.exe"
            PID: 2932
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of WriteProcessMemory

            5. C:\Users\Admin\AppData\Local\Temp\DEM770.exe
               Command line: "C:\Users\Admin\AppData\Local\Temp\DEM770.exe"
               PID: 320
               - Executes dropped EXE
               - Loads dropped DLL
               - Suspicious use of WriteProcessMemory

               6. C:\Users\Admin\AppData\Local\Temp\DEM5CDF.exe
                  Command line: "C:\Users\Admin\AppData\Local\Temp\DEM5CDF.exe"
                  PID: 1440
                  - Executes dropped EXE
                  - Loads dropped DLL
                  - Suspicious use of WriteProcessMemory

                  7. C:\Users\Admin\AppData\Local\Temp\DEMB1F1.exe
                     Command line: "C:\Users\Admin\AppData\Local\Temp\DEMB1F1.exe"
                     PID: 2544
                     - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads