Analysis
max time kernel: 118s
max time network: 123s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 22/12/2023, 17:07
Behavioral task: behavioral1
Sample: fb74545217334bfa2f3cb43fc264e268.exe
Resource: win7-20231215-en
Behavioral task: behavioral2
Sample: fb74545217334bfa2f3cb43fc264e268.exe
Resource: win10v2004-20231215-en
General
Target: fb74545217334bfa2f3cb43fc264e268.exe
Size: 2.9MB
MD5: fb74545217334bfa2f3cb43fc264e268
SHA1: 54ec90eeb75c7ea3f1650c07cc0a861526867476
SHA256: 248d1f2e4137c8397f44d7aeb3e46b194675304e421e12522c8c7afbba026935
SHA512: 4fd15017101eb7b22fba3486ca3e3cfe0295743ae9d009558f4ac6b769ef9aaf49b6cb04a5a4007e853a04afcd0c803f3c7b0bd828ce6a4d1a374299bfdcd83e
SSDEEP: 49152:7wVHSYKHqDDM9H+BhbndPpDVj9rFh6a7m2Ya2xn+95xy+xrKrdHWqPLD3g:7ay5qU9yf/BFh6iRYzxn+cErKrd2+g
Malware Config
Signatures
Deletes itself (1 IoCs)
pid 2672, process fb74545217334bfa2f3cb43fc264e268.exe
Executes dropped EXE (1 IoCs)
pid 2672, process fb74545217334bfa2f3cb43fc264e268.exe
Loads dropped DLL (1 IoCs)
pid 1448, process fb74545217334bfa2f3cb43fc264e268.exe
yara_rule upx matched resources:
behavioral1/memory/1448-0-0x0000000000400000-0x00000000008EF000-memory.dmp
behavioral1/files/0x000c000000012329-13.dat
behavioral1/files/0x000c000000012329-12.dat
behavioral1/files/0x000c000000012329-10.dat
Suspicious behavior: RenamesItself (1 IoCs)
pid 1448, process fb74545217334bfa2f3cb43fc264e268.exe
Suspicious use of UnmapMainImage (2 IoCs)
pid 1448, process fb74545217334bfa2f3cb43fc264e268.exe
pid 2672, process fb74545217334bfa2f3cb43fc264e268.exe
Suspicious use of WriteProcessMemory (4 IoCs)
description: PID 1448 wrote to memory of 2672; pid 1448; process fb74545217334bfa2f3cb43fc264e268.exe; procid_target 28
description: PID 1448 wrote to memory of 2672; pid 1448; process fb74545217334bfa2f3cb43fc264e268.exe; procid_target 28
description: PID 1448 wrote to memory of 2672; pid 1448; process fb74545217334bfa2f3cb43fc264e268.exe; procid_target 28
description: PID 1448 wrote to memory of 2672; pid 1448; process fb74545217334bfa2f3cb43fc264e268.exe; procid_target 28
Processes
1. C:\Users\Admin\AppData\Local\Temp\fb74545217334bfa2f3cb43fc264e268.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\fb74545217334bfa2f3cb43fc264e268.exe"
   PID: 1448
   - Loads dropped DLL
   - Suspicious behavior: RenamesItself
   - Suspicious use of UnmapMainImage
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\fb74545217334bfa2f3cb43fc264e268.exe (child of PID 1448)
      Command line: C:\Users\Admin\AppData\Local\Temp\fb74545217334bfa2f3cb43fc264e268.exe
      PID: 2672
      - Deletes itself
      - Executes dropped EXE
      - Suspicious use of UnmapMainImage
Network
MITRE ATT&CK Matrix
Downloads
Filesize: 388KB
MD5: 8a0564c85b189ee2ff54ab1d101c9e1d
SHA1: 05849ac69c10244b6a7aaa4ab03850d33f6b6ad9
SHA256: 9726153f29debd60534193ed6a7e051e0fb6445a7390b15d0ec2322714822ec9
SHA512: d5bf72cb814d9155a3ae41efa3f9d87529536ffb7576237f921823c9d30b87454b37618275177c75080b929e20340e78e843a0bb5e1d29d55c2fa6f017e073a9

Filesize: 255KB
MD5: 390c5aecdd0601b66565dbf8cff65462
SHA1: 8be8ea464f33bac3741acd6f83671e3bdda228c8
SHA256: 7151513ec987acdeb89fa95c1fa8b7916ac85721c03aca0d4b0bfbf32ff2e247
SHA512: dd474d0689043171d365943df4649847a615bc7f2e2b34afc7500f982f7099f6c41e81a19ee92c3b890797d0e302834cae896a19ed0c9b63d393934ec6f26d25

Filesize: 325KB
MD5: c74c15e41f81c1ee9e8642ad296ae969
SHA1: e86226ce97eee204f7729c25479d7c33fb850501
SHA256: 27002fcb53c9aec26b9279c2a3f60b56c48af01a6858d916f3db7a34ca7542ba
SHA512: f15e43477eded4e3eb102166b1fdd01eac5f74e2598bb0da29e4a333440eed28048dc86eeec626cadc4c81f5f5cf74dd00aded38192b064063ec98bcd816cf29