Analysis
max time kernel: 122s
max time network: 123s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 22/12/2023, 14:16
Behavioral task: behavioral1
Sample: bd1c36706cfc47d8240c8e7a257c166a.exe
Resource: win7-20231215-en
General
Target: bd1c36706cfc47d8240c8e7a257c166a.exe
Size: 784KB
MD5: bd1c36706cfc47d8240c8e7a257c166a
SHA1: aea961de8f20b475de061b081458b839d635af1a
SHA256: 9e5f091aa8f2b09aa78741f007f895adc2d99a83a29a64cba4479a289cbde447
SHA512: 3c2ffb43f37bad2225c0460771854437e5721abfb557b62dbaec3c18ef280b92457044ea08d439c565d64b06346272d632de1ac42ebc389a84517c6da87e6554
SSDEEP: 12288:BhBtgPOIBMOTF2Af2VNY0ZWLQmF0pynUQifM70UNTsei1yrjGwX3c5OG5a:PQFDjau0GEpZ2VNIwPG15OG
Malware Config
Signatures

XMRig Miner payload (9 IoCs)
resource  yara_rule
behavioral1/memory/1668-1-0x0000000000400000-0x0000000000593000-memory.dmp  xmrig
behavioral1/memory/1668-16-0x00000000030F0000-0x0000000003402000-memory.dmp  xmrig
behavioral1/memory/2656-17-0x0000000000400000-0x0000000000593000-memory.dmp  xmrig
behavioral1/memory/2656-18-0x0000000000400000-0x0000000000712000-memory.dmp  xmrig
behavioral1/memory/1668-15-0x0000000000400000-0x0000000000593000-memory.dmp  xmrig
behavioral1/memory/2656-26-0x0000000002FD0000-0x0000000003163000-memory.dmp  xmrig
behavioral1/memory/2656-24-0x0000000000400000-0x0000000000587000-memory.dmp  xmrig
behavioral1/memory/2656-35-0x0000000000400000-0x0000000000587000-memory.dmp  xmrig
behavioral1/memory/2656-34-0x00000000005A0000-0x000000000071F000-memory.dmp  xmrig

Deletes itself (1 IoC)
pid  Process
2656  bd1c36706cfc47d8240c8e7a257c166a.exe

Executes dropped EXE (1 IoC)
pid  Process
2656  bd1c36706cfc47d8240c8e7a257c166a.exe

Loads dropped DLL (1 IoC)
pid  Process
1668  bd1c36706cfc47d8240c8e7a257c166a.exe

resource  yara_rule
behavioral1/memory/1668-0-0x0000000000400000-0x0000000000712000-memory.dmp  upx
behavioral1/files/0x00070000000122c9-10.dat  upx
behavioral1/files/0x00070000000122c9-14.dat  upx

Suspicious behavior: RenamesItself (1 IoC)
pid  Process
1668  bd1c36706cfc47d8240c8e7a257c166a.exe

Suspicious use of UnmapMainImage (2 IoCs)
pid  Process
1668  bd1c36706cfc47d8240c8e7a257c166a.exe
2656  bd1c36706cfc47d8240c8e7a257c166a.exe

Suspicious use of WriteProcessMemory (4 IoCs)
description  pid  Process  procid_target
PID 1668 wrote to memory of 2656  1668  bd1c36706cfc47d8240c8e7a257c166a.exe  29
PID 1668 wrote to memory of 2656  1668  bd1c36706cfc47d8240c8e7a257c166a.exe  29
PID 1668 wrote to memory of 2656  1668  bd1c36706cfc47d8240c8e7a257c166a.exe  29
PID 1668 wrote to memory of 2656  1668  bd1c36706cfc47d8240c8e7a257c166a.exe  29
Processes

C:\Users\Admin\AppData\Local\Temp\bd1c36706cfc47d8240c8e7a257c166a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\bd1c36706cfc47d8240c8e7a257c166a.exe"
  PID: 1668
  - Loads dropped DLL
  - Suspicious behavior: RenamesItself
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\bd1c36706cfc47d8240c8e7a257c166a.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\bd1c36706cfc47d8240c8e7a257c166a.exe
    PID: 2656
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of UnmapMainImage
Network
MITRE ATT&CK Matrix
Downloads

Filesize: 784KB
MD5: 514dca436a6b2b51c424d1f94b0ead3f
SHA1: 619ab43e6f9bc67461efc61fa191a921bd8da98e
SHA256: a5d46551658371f6f76717cd3ca8f832aa9d5846fd36a0b58b26da8cb58aba0b
SHA512: 3d9d716be15dd20297e6f666f716a2d902d4094b17ddcf45aa9afdbaf29369a5e89312d2c7a0527a32b275b2cbf721882c0d983d11c5bf4272a4f884d20eaea6

Filesize: 64KB
MD5: ec01f79eab506c22aa3237dcb7bbab22
SHA1: b1b9754b9b69e2fbdd8fb0053381e2313ca11fbb
SHA256: ea2923cdeea7690f16640728e8e75cddfa964dd14f9e4db44117037f18707861
SHA512: e428b4377435d494b6f0cceff84590a6b4dd8179ef062283d04c912d2e23b021b63868106f9d3231cbc596b15d0592e566edf7797ca5060a1834011960d56fd7