Analysis
- max time kernel: 121s
- max time network: 125s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 22/12/2023, 15:53
Behavioral task behavioral1
- Sample: e303d62bb2216397fb1374bcdf6225cf.exe
- Resource: win7-20231215-en
Behavioral task behavioral2
- Sample: e303d62bb2216397fb1374bcdf6225cf.exe
- Resource: win10v2004-20231215-en
General
- Target: e303d62bb2216397fb1374bcdf6225cf.exe
- Size: 1.5MB
- MD5: e303d62bb2216397fb1374bcdf6225cf
- SHA1: 711a9d500518047d13d3856d00ec1550b6284463
- SHA256: 7a6c79bb8ad2a4988074a3617aac723db1684ad3161c80551cfc0b943cbf25ae
- SHA512: 1d5c4350ed1b4ca52c09286f0f6fcfd187a33dadba3353d85da09ab681116c11a3164a0d32d93cc3c376104f09cb7640858a171a957460218431942accce33be
- SSDEEP: 24576:ukiqO/G0KD/cDxBncaz0OTFvq5jGqMPDH/uV2Q8s3iOsO6AX4rzsW:ukivNKD/YxBnPxvPr/uks3i3O6AWs
Malware Config
Signatures
- Deletes itself (1 IoC)
  pid 2608, process e303d62bb2216397fb1374bcdf6225cf.exe
- Executes dropped EXE (1 IoC)
  pid 2608, process e303d62bb2216397fb1374bcdf6225cf.exe
- Loads dropped DLL (1 IoC)
  pid 1044, process e303d62bb2216397fb1374bcdf6225cf.exe
- yara_rule upx matched on the following resources:
  behavioral1/memory/1044-0-0x0000000000400000-0x00000000008EF000-memory.dmp
  behavioral1/files/0x000a000000012243-10.dat
  behavioral1/files/0x000a000000012243-12.dat
  behavioral1/memory/2608-16-0x0000000000400000-0x00000000008EF000-memory.dmp
  behavioral1/files/0x000a000000012243-13.dat
- Suspicious behavior: RenamesItself (1 IoC)
  pid 1044, process e303d62bb2216397fb1374bcdf6225cf.exe
- Suspicious use of UnmapMainImage (2 IoCs)
  pid 1044, process e303d62bb2216397fb1374bcdf6225cf.exe
  pid 2608, process e303d62bb2216397fb1374bcdf6225cf.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target
  PID 1044 wrote to memory of 2608 | 1044 | e303d62bb2216397fb1374bcdf6225cf.exe | 28
  PID 1044 wrote to memory of 2608 | 1044 | e303d62bb2216397fb1374bcdf6225cf.exe | 28
  PID 1044 wrote to memory of 2608 | 1044 | e303d62bb2216397fb1374bcdf6225cf.exe | 28
  PID 1044 wrote to memory of 2608 | 1044 | e303d62bb2216397fb1374bcdf6225cf.exe | 28
Processes
- C:\Users\Admin\AppData\Local\Temp\e303d62bb2216397fb1374bcdf6225cf.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\e303d62bb2216397fb1374bcdf6225cf.exe"
  PID: 1044
  - Loads dropped DLL
  - Suspicious behavior: RenamesItself
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  - child process: C:\Users\Admin\AppData\Local\Temp\e303d62bb2216397fb1374bcdf6225cf.exe
    command line: C:\Users\Admin\AppData\Local\Temp\e303d62bb2216397fb1374bcdf6225cf.exe
    PID: 2608
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of UnmapMainImage
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 137KB
  MD5: 38bb594aba2635f21b7621ebfff33b26
  SHA1: 9675a7903587afea50e034e2cb001414b4bd44df
  SHA256: 0e88784d3cd083c747377fe358c025fb71cee95f2d0e5181bf228fb970de528b
  SHA512: a38355fa0e3a1ff91a3a04bcc6482b4ca7bf0f45f39a3e9c3d6446d4cad9c0c4a516bb7425beb36542e2cf10910a6c8267b1e864a7882c0d78470daf7c0e3420
- Filesize: 93KB
  MD5: 2388e61a13006636d13ee064724e30f8
  SHA1: 87a2ba116af447dab17eff06969a4b6289a12c55
  SHA256: f1bfe1d74d30e9f097f037a5b124cbff03ab21f00a2b5f1a00e13cd3e69fd5f0
  SHA512: ff812e29377c03f3e002c9e1b047fc182f6b15f9d74c31d32bd576b513efdf15d9368c7884949db113ffbc4d00099164e7820ca9845e1caa7f7f5a2b75a1a91d
- Filesize: 126KB
  MD5: 702e14980d20bc87d2bc89ec953c0a8e
  SHA1: 08422f264abbafe2989a181485f8816514b5f8ad
  SHA256: 4b66793176d5e199620e8e9d6ea7b3fc17abca9f306f7e563cc39ecf4ec16785
  SHA512: 647eca294e4e7dc91bafec12717042784f039a8a6817032accccca10d83679530565ab697e8593a04aeb2382f78a2630ec3db0586d889773303a3d35c418cdfa