Analysis
- max time kernel: 122s
- max time network: 128s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64 arch:x86 image:win7-20231215-en locale:en-us os:windows7-x64 system
- submitted: 22/12/2023, 13:19
Behavioral task: behavioral1
- Sample: 9ee4059d1c9ae9597e4623aa54eac9af.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 9ee4059d1c9ae9597e4623aa54eac9af.exe
- Resource: win10v2004-20231215-en
General
- Target: 9ee4059d1c9ae9597e4623aa54eac9af.exe
- Size: 1.3MB
- MD5: 9ee4059d1c9ae9597e4623aa54eac9af
- SHA1: a6a8f547cfb9c2eaa21651cd90ec17b7b6065c80
- SHA256: c6eaebad13292d911cf4aa9b576d4f6d56ee7132ff1d425eae109de557f9152f
- SHA512: 71ece6adf20fdb553981a0b5880f3abcfdf8c6a94049eec800a215e543834a95d31082e3dc8f93cc1f387298a02282c7c83f04ce356bf55b63dafc2830179033
- SSDEEP: 24576:gQOJ5rL4avAzWXNVCQG4QWaTli9cNSFlIjpjpKj1RjVb2bUj8Kr0vG:2dLR3VFmJidFlQNKBLAo8K
Malware Config
Signatures
- Deletes itself (1 IoCs)
  pid | Process
  2680 | 9ee4059d1c9ae9597e4623aa54eac9af.exe
- Executes dropped EXE (1 IoCs)
  pid | Process
  2680 | 9ee4059d1c9ae9597e4623aa54eac9af.exe
- Loads dropped DLL (1 IoCs)
  pid | Process
  3048 | 9ee4059d1c9ae9597e4623aa54eac9af.exe
- yara_rule matches
  resource | yara_rule
  behavioral1/memory/3048-0-0x0000000000400000-0x000000000086A000-memory.dmp | upx
  behavioral1/files/0x00090000000120e1-11.dat | upx
  behavioral1/files/0x00090000000120e1-14.dat | upx
  behavioral1/memory/3048-15-0x00000000033F0000-0x000000000385A000-memory.dmp | upx
  behavioral1/memory/2680-17-0x0000000000400000-0x000000000086A000-memory.dmp | upx
- Suspicious behavior: RenamesItself (1 IoCs)
  pid | Process
  3048 | 9ee4059d1c9ae9597e4623aa54eac9af.exe
- Suspicious use of UnmapMainImage (2 IoCs)
  pid | Process
  3048 | 9ee4059d1c9ae9597e4623aa54eac9af.exe
  2680 | 9ee4059d1c9ae9597e4623aa54eac9af.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target
  PID 3048 wrote to memory of 2680 | 3048 | 9ee4059d1c9ae9597e4623aa54eac9af.exe | 28
  PID 3048 wrote to memory of 2680 | 3048 | 9ee4059d1c9ae9597e4623aa54eac9af.exe | 28
  PID 3048 wrote to memory of 2680 | 3048 | 9ee4059d1c9ae9597e4623aa54eac9af.exe | 28
  PID 3048 wrote to memory of 2680 | 3048 | 9ee4059d1c9ae9597e4623aa54eac9af.exe | 28
Processes
1. C:\Users\Admin\AppData\Local\Temp\9ee4059d1c9ae9597e4623aa54eac9af.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\9ee4059d1c9ae9597e4623aa54eac9af.exe"
   - Loads dropped DLL
   - Suspicious behavior: RenamesItself
   - Suspicious use of UnmapMainImage
   - Suspicious use of WriteProcessMemory
   PID: 3048
   2. C:\Users\Admin\AppData\Local\Temp\9ee4059d1c9ae9597e4623aa54eac9af.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\9ee4059d1c9ae9597e4623aa54eac9af.exe
      - Deletes itself
      - Executes dropped EXE
      - Suspicious use of UnmapMainImage
      PID: 2680
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 21KB
  MD5: befdce6cf9e13be0788797a53e30b3fb
  SHA1: e70cc94289ae2d76b848e0bd6b0183246b00a2db
  SHA256: 768a3ef1cfb944fd0d8cfff1b0f495df69d9c46ae5d4f595cabe73c012371d37
  SHA512: e5f9c6575232319b9530296f89e9b70bf22fe6361950480ac3ca54f3955cbbeab3c8a41750fbb89e9da9edfc969665a01937017daa3b860e6755389577c27962
- Filesize: 832KB
  MD5: a3c8b19bdcd2e20921c8aef7157ec42c
  SHA1: 61c5ea24b469d6b83dc47ff3043a798e7d237285
  SHA256: 3d7c449539a55d1133ec01cfc11abddb12fac3f91e0f4c576d44403812623ff4
  SHA512: 35f2806f9e4ecbc8bccd39817b273b3d78b0cc386b9b9ee98ec84ce08b1ec709180cc41a0e6078ffcdbc85f82d0541c87f30fee4de3b9295ea96286edae0bc94