Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 119s
max time network: 120s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 24/12/2023, 22:48
Static task: static1
Behavioral task: behavioral1
  Sample: 16e8cbef6a9686ef140df6ea72ca7e91.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 16e8cbef6a9686ef140df6ea72ca7e91.exe
  Resource: win10v2004-20231215-en
General
Target: 16e8cbef6a9686ef140df6ea72ca7e91.exe
Size: 878KB
MD5: 16e8cbef6a9686ef140df6ea72ca7e91
SHA1: d8561e4a7be2f96a8390746f30f2c33aa5609b65
SHA256: 239c15afefb695afbdb1a5594b1932d8b7ed6ae52316510f96eaf06d93d7f637
SHA512: b7698b65f6bf954a950a1c890da7e8aa758c5c4f83cd5429c57cf702c22ef9b1ec380f3b7319252330d9eae87ae2bb5c080278b90ac64638257663424a55ad5f
SSDEEP: 24576:Mrb6BeG7lxoGMr8nYWHMLIuSPZArUWX0HAq5nsUHJRROkf:+DGBnlHMLIxZArU0kdBsGJ/P
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid   Process
  3060  b014b9dfac72f558d25c1c44d4bf5652.exe
- Loads dropped DLL (2 IoCs)
  pid   Process
  2040  16e8cbef6a9686ef140df6ea72ca7e91.exe
  2040  16e8cbef6a9686ef140df6ea72ca7e91.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (7 IoCs)
  description                          pid   Process                               procid_target
  PID 2040 wrote to memory of 3060     2040  16e8cbef6a9686ef140df6ea72ca7e91.exe  28
  PID 2040 wrote to memory of 3060     2040  16e8cbef6a9686ef140df6ea72ca7e91.exe  28
  PID 2040 wrote to memory of 3060     2040  16e8cbef6a9686ef140df6ea72ca7e91.exe  28
  PID 2040 wrote to memory of 3060     2040  16e8cbef6a9686ef140df6ea72ca7e91.exe  28
  PID 2040 wrote to memory of 3060     2040  16e8cbef6a9686ef140df6ea72ca7e91.exe  28
  PID 2040 wrote to memory of 3060     2040  16e8cbef6a9686ef140df6ea72ca7e91.exe  28
  PID 2040 wrote to memory of 3060     2040  16e8cbef6a9686ef140df6ea72ca7e91.exe  28
Processes
1. C:\Users\Admin\AppData\Local\Temp\16e8cbef6a9686ef140df6ea72ca7e91.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\16e8cbef6a9686ef140df6ea72ca7e91.exe"
   PID: 2040
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\b014b9dfac72f558d25c1c44d4bf5652.exe (child of PID 2040)
      Command line: C:\Users\Admin\AppData\Local\Temp\b014b9dfac72f558d25c1c44d4bf5652.exe
      PID: 3060
      - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 778KB
MD5: 9b2f7e680d811e22d3d9c25d4b3190ef
SHA1: cade75e9eeebc918167941a5fc06e62b0f1b5d12
SHA256: 247d863a3328ff308da71b6d5dc4b7cdab283c59d3582e398066d6ce1c41279a
SHA512: 87325695b342c4f386877e6633a53356dd8a3101ab5997b71fc12886203b16caa2bd1f659cdb6032a59ec24b8acc63621e9512a0d0d4b846fb38a36e2d6869ea
-
Filesize: 6KB
MD5: 8ca09b6200ffa05b54c6672d855beb4a
SHA1: daa16fe49c8b2250e9d2383b861cda51f876de49
SHA256: 033e93ad470241c92762924ccfceafb849a525e263e5d4a3dbcfc2e07a8803c3
SHA512: 6ab97181ec45430888d8ad3fd411de22423e1c057833e282af085a975198338c95f7ba10b7c69f33298afc88ddd38d01ab010998fd4a8ba8abb8561796bf9f14