Analysis
- max time kernel: 11s
- max time network: 140s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 22/12/2023, 05:48
Behavioral task: behavioral1
- Sample: 72de7a1e06392946dbda10750c60318b.exe
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: 72de7a1e06392946dbda10750c60318b.exe
- Resource: win10v2004-20231215-en
General
- Target: 72de7a1e06392946dbda10750c60318b.exe
- Size: 2.6MB
- MD5: 72de7a1e06392946dbda10750c60318b
- SHA1: b4fb0788605a63bb9d32d67f69d845fca7b9741b
- SHA256: 9d12a2495919f42e952ebe1cd38785c912a639e92ead179081891027d1b87863
- SHA512: 456cc5cf2bfd10998c312b4573c11b336b4b749aaeaad1de62ed040de2ed474785507cae7fbb731b6bee752afc09ce520e34c6f6036f4e1394f5918de2af7544
- SSDEEP: 49152:NKydJAg5zPvhSPKuqk1vyXJ6ytJHOday3:nHuK5JSd3
Malware Config
Signatures
- Deletes itself (1 IoC)
  pid 2284 | Process 72de7a1e06392946dbda10750c60318b.exe
- Executes dropped EXE (1 IoC)
  pid 2284 | Process 72de7a1e06392946dbda10750c60318b.exe
- Loads dropped DLL (1 IoC)
  pid 1680 | Process 72de7a1e06392946dbda10750c60318b.exe
- yara_rule matches (resource | yara_rule)
  behavioral1/memory/1680-1-0x0000000000400000-0x0000000000D9E000-memory.dmp | upx
  behavioral1/files/0x000900000001447e-14.dat | upx
  behavioral1/files/0x000900000001447e-13.dat | upx
  behavioral1/files/0x000900000001447e-11.dat | upx
- Modifies system certificate store (description | ioc | Process)
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = [hex-encoded DER certificate blob omitted; the certificate's subject decodes to "ISRG Root X1", "Internet Security Research Group"] | 72de7a1e06392946dbda10750c60318b.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | 72de7a1e06392946dbda10750c60318b.exe
- Suspicious behavior: RenamesItself (1 IoC)
  pid 1680 | Process 72de7a1e06392946dbda10750c60318b.exe
- Suspicious use of UnmapMainImage (2 IoCs)
  pid 1680 | Process 72de7a1e06392946dbda10750c60318b.exe
  pid 2284 | Process 72de7a1e06392946dbda10750c60318b.exe
- Suspicious use of WriteProcessMemory (4 IoCs, all four entries identical)
  description | pid | Process | procid_target
  PID 1680 wrote to memory of 2284 | 1680 | 72de7a1e06392946dbda10750c60318b.exe | 17
Processes
- C:\Users\Admin\AppData\Local\Temp\72de7a1e06392946dbda10750c60318b.exe (PID 1680)
  Command line: "C:\Users\Admin\AppData\Local\Temp\72de7a1e06392946dbda10750c60318b.exe"
  - Loads dropped DLL
  - Suspicious behavior: RenamesItself
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Users\Admin\AppData\Local\Temp\72de7a1e06392946dbda10750c60318b.exe (PID 2284)
    Command line: C:\Users\Admin\AppData\Local\Temp\72de7a1e06392946dbda10750c60318b.exe
    - Deletes itself
    - Executes dropped EXE
    - Modifies system certificate store
    - Suspicious use of UnmapMainImage
Network
MITRE ATT&CK Enterprise v15
Downloads
- Download 1
  Filesize: 62KB
  MD5: 25bf98c1c4a9ad121e15f63b592dc0f4
  SHA1: 2ba83b06924f85d14d19aa14e768a1bb87286a27
  SHA256: 25d053f543f06e8a6789d4dfdf7c13ebccfaa26ce3264a9c649489bccbcf9166
  SHA512: 1b4bd4944a42fbfab2aa46586516ef05999ac3b569ed3e016f67d14416e3989366f7382cb17cc6ce5bc890361b2cb60dcf0638fe5bb7ea1b5daf0e28b23f4719
- Download 2
  Filesize: 39KB
  MD5: 222069e73b50baa310f80ab694de3de2
  SHA1: e25eec91fed06edc698a2be9334208df6ba88901
  SHA256: 405112162b0d2bf1e37d70fe501569492e7ba816d3b9fd8472f1c0d0238595a6
  SHA512: 4c3c11558323f426eb2936b5a96a2cbbfcd2ec1a7362fd0d9a457bc51ce09f82a0fc8089971be5b3a91084289f2af52de9f92a0be136541223c260f1712f7383
- Download 3
  Filesize: 92KB
  MD5: 068295a2345159cdfcb47ba5d91b4863
  SHA1: 5a4e9ec262fc05ce6c19deba829c8ec67cc7688f
  SHA256: 389aede65429df24c4ca1d970db355c75d9316526cf82a7cad59b2c478b28a48
  SHA512: 4759d467171642b731ef2643b3b9e74e9e791e176c43eac3c63ec78806dc9507b693eaf48beaa7fafe925b922825eec135cc2f01e9118d63ee72df51ec5f274c