Analysis
max time kernel: 119s
max time network: 120s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 22/12/2023, 14:34
Behavioral task
behavioral1
Sample
c6a9a50cd834e9c44aee30cafaabbdc8.exe
Resource
win7-20231129-en
General
Target: c6a9a50cd834e9c44aee30cafaabbdc8.exe
Size: 784KB
MD5: c6a9a50cd834e9c44aee30cafaabbdc8
SHA1: 3fe490e6aa55e65d4ad79b50a1df740fd2bf1e26
SHA256: 9cb86dc9d1e9b019372c24a5584e0beae34a0eada2391c2a14b2d7f4bc3d378b
SHA512: c39a653aa6c87c1904facca5be04db9097dda0b34bc6a76f8c5a2def7b1893cd8053a802d77a63438d7eed5e2e8ec542019d652fe872bb5a8af3b6f96896fdd8
SSDEEP: 24576:pe+8J7mq/IH2FtJKCIqAwbf5UdbdpnHx4M:pcAH2FqHw75unHm
Malware Config
Signatures

XMRig Miner payload (8 IoCs)
resource / yara_rule:
behavioral1/memory/2040-1-0x0000000000400000-0x0000000000593000-memory.dmp  xmrig
behavioral1/memory/1988-27-0x00000000030A0000-0x0000000003233000-memory.dmp  xmrig
behavioral1/memory/1988-35-0x0000000000400000-0x0000000000587000-memory.dmp  xmrig
behavioral1/memory/1988-34-0x00000000005A0000-0x000000000071F000-memory.dmp  xmrig
behavioral1/memory/1988-24-0x0000000000400000-0x0000000000587000-memory.dmp  xmrig
behavioral1/memory/1988-18-0x0000000000400000-0x0000000000593000-memory.dmp  xmrig
behavioral1/memory/2040-15-0x0000000003250000-0x0000000003562000-memory.dmp  xmrig
behavioral1/memory/2040-14-0x0000000000400000-0x0000000000593000-memory.dmp  xmrig

Deletes itself (1 IoC)
pid / Process: 1988 c6a9a50cd834e9c44aee30cafaabbdc8.exe

Executes dropped EXE (1 IoC)
pid / Process: 1988 c6a9a50cd834e9c44aee30cafaabbdc8.exe

Loads dropped DLL (1 IoC)
pid / Process: 2040 c6a9a50cd834e9c44aee30cafaabbdc8.exe

yara_rule upx (4 matches)
resource / yara_rule:
behavioral1/memory/2040-0-0x0000000000400000-0x0000000000712000-memory.dmp  upx
behavioral1/files/0x000b0000000139e0-10.dat  upx
behavioral1/memory/1988-17-0x0000000000400000-0x0000000000712000-memory.dmp  upx
behavioral1/files/0x000b0000000139e0-16.dat  upx

Suspicious behavior: RenamesItself (1 IoC)
pid / Process: 2040 c6a9a50cd834e9c44aee30cafaabbdc8.exe

Suspicious use of UnmapMainImage (2 IoCs)
pid / Process: 2040 c6a9a50cd834e9c44aee30cafaabbdc8.exe
pid / Process: 1988 c6a9a50cd834e9c44aee30cafaabbdc8.exe

Suspicious use of WriteProcessMemory (4 IoCs)
description / pid / Process / procid_target:
PID 2040 wrote to memory of 1988  2040 c6a9a50cd834e9c44aee30cafaabbdc8.exe  29
PID 2040 wrote to memory of 1988  2040 c6a9a50cd834e9c44aee30cafaabbdc8.exe  29
PID 2040 wrote to memory of 1988  2040 c6a9a50cd834e9c44aee30cafaabbdc8.exe  29
PID 2040 wrote to memory of 1988  2040 c6a9a50cd834e9c44aee30cafaabbdc8.exe  29
Processes

1. C:\Users\Admin\AppData\Local\Temp\c6a9a50cd834e9c44aee30cafaabbdc8.exe  (PID 2040)
   Command line: "C:\Users\Admin\AppData\Local\Temp\c6a9a50cd834e9c44aee30cafaabbdc8.exe"
   - Loads dropped DLL
   - Suspicious behavior: RenamesItself
   - Suspicious use of UnmapMainImage
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\c6a9a50cd834e9c44aee30cafaabbdc8.exe  (PID 1988, child of PID 2040)
      Command line: C:\Users\Admin\AppData\Local\Temp\c6a9a50cd834e9c44aee30cafaabbdc8.exe
      - Deletes itself
      - Executes dropped EXE
      - Suspicious use of UnmapMainImage
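The signatures above, read together, describe a parent that spawns a second copy of its own image, writes into that child's memory four times while both processes unmap their main image, after which the child deletes the on-disk file and the XMRig rule fires on the child's memory. That is the classic self-hollowing sequence, though the report itself only lists the individual signatures. The script below is an added example, not tria.ge code: it re-types the report's process tree, signature hits and yara dump names as constructed records (the (signature, pid, target pid) tuple layout is an assumption about how the flattened lines map to events), parses the memory dump file names, and correlates them into a hollowing verdict per writer/target pair.

```python
"""Correlate tria.ge-style behavioural IoCs into a self-hollowing verdict.

Added example, not tria.ge code. All records below are constructed from the
report on this page; the (signature, acting pid, target pid) layout is an
assumption about how the flattened signature lines map to events.
"""
import re

# Constructed from the "Processes" section: pid -> (parent pid, image path)
IMAGE = r"C:\Users\Admin\AppData\Local\Temp\c6a9a50cd834e9c44aee30cafaabbdc8.exe"
PROCESSES = {
    2040: (None, IMAGE),
    1988: (2040, IMAGE),
}

# Constructed from the "Signatures" section: (signature, acting pid, target pid or None)
EVENTS = [
    ("Loads dropped DLL", 2040, None),
    ("RenamesItself", 2040, None),
    ("UnmapMainImage", 2040, None),
    ("UnmapMainImage", 1988, None),
    ("WriteProcessMemory", 2040, 1988),
    ("WriteProcessMemory", 2040, 1988),
    ("WriteProcessMemory", 2040, 1988),
    ("WriteProcessMemory", 2040, 1988),
    ("Executes dropped EXE", 1988, None),
    ("Deletes itself", 1988, None),
]

# Constructed from the yara hits: dump file name and matching rule
YARA_HITS = [
    ("behavioral1/memory/2040-1-0x0000000000400000-0x0000000000593000-memory.dmp", "xmrig"),
    ("behavioral1/memory/1988-27-0x00000000030A0000-0x0000000003233000-memory.dmp", "xmrig"),
    ("behavioral1/memory/1988-35-0x0000000000400000-0x0000000000587000-memory.dmp", "xmrig"),
    ("behavioral1/memory/2040-0-0x0000000000400000-0x0000000000712000-memory.dmp", "upx"),
    ("behavioral1/memory/1988-17-0x0000000000400000-0x0000000000712000-memory.dmp", "upx"),
]

# Dump names follow <pid>-<seq>-0x<start>-0x<end>-memory.dmp in the report
DUMP_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


def parse_dump_name(name):
    """Split a memory dump name into (pid, seq, start, end, size_bytes)."""
    m = DUMP_RE.search(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    return int(m["pid"]), int(m["seq"]), start, end, end - start


def yara_hits_by_pid(hits=YARA_HITS):
    """Map pid -> set of yara rule names that matched in that process's memory."""
    out = {}
    for name, rule in hits:
        pid = parse_dump_name(name)[0]
        out.setdefault(pid, set()).add(rule)
    return out


def hollowing_candidates(processes=PROCESSES, events=EVENTS):
    """Return (writer, target) pairs where the writer spawned the target from its
    own image, wrote into the target's memory, and the target unmapped its main
    image. This is an analyst's reading of the signatures, not a tria.ge verdict."""
    unmapped = {pid for sig, pid, _ in events if sig == "UnmapMainImage"}
    writes = {(pid, tgt) for sig, pid, tgt in events if sig == "WriteProcessMemory" and tgt}
    found = []
    for writer, target in sorted(writes):
        parent, target_image = processes.get(target, (None, None))
        writer_image = processes.get(writer, (None, None))[1]
        if parent == writer and target_image == writer_image and target in unmapped:
            found.append((writer, target))
    return found


def verdict(processes=PROCESSES, events=EVENTS, hits=YARA_HITS):
    """Combine the hollowing pairs with payload rules and self-deletion of the target."""
    pairs = hollowing_candidates(processes, events)
    rules = yara_hits_by_pid(hits)
    self_delete = {pid for sig, pid, _ in events if sig == "Deletes itself"}
    return {
        "hollowing_pairs": pairs,
        "payload_rules": {pid: sorted(r) for pid, r in rules.items()},
        "target_self_deletes": any(t in self_delete for _, t in pairs),
    }


if __name__ == "__main__":
    print(verdict())
```

The same-image check matters: a parent writing into an unrelated child (an installer patching a helper, for instance) would not satisfy it, while a copy of itself that then unmaps its own image and is the one carrying the xmrig match is exactly the shape seen here.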
Network
MITRE ATT&CK Matrix
Downloads

Filesize: 96KB
MD5: 56dbfb791ab0cb4576520a46dfd72eaf
SHA1: c8069aaf75df11050fe0a2b93f9e4d606a4eabcd
SHA256: 0fc8f63c304c2eeb09122402cb95e032a6ae2a8e64e35caa79af1d49a1371c0c
SHA512: 411e2282ad2509df9da27030dca3b0eb593e8acf62ff268b93dc2e0a065fb90854a1205057363d757ce0ce4fd1f036f44d5103f6928f1c9d2346085d828bac1f

Filesize: 784KB
MD5: dbdabe165fae9315c65badd1e159e78a
SHA1: 3a5d5633331159e062a2d1c3afb38ee29fee2eda
SHA256: a8899bccade8614742d868dbc6f9d5f3191a4f1c2f13f8b9272ecbbaeab641e8
SHA512: 20d434abe9091dc9fe733379b70fc15563f4148974fa4e5809f7fefc3ea4bc8a179403d0f0826cc279839b3254e69d333cb851dd615e93138e0844aa24546683