Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 150s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64 arch:x86 image:win7-20231215-en locale:en-us os:windows7-x64 system
- submitted: 24/12/2023, 16:32
Behavioral task: behavioral1
- Sample: 05e4debc81b24e42696b6246a0f5ab21.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 05e4debc81b24e42696b6246a0f5ab21.exe
- Resource: win10v2004-20231222-en
General
- Target: 05e4debc81b24e42696b6246a0f5ab21.exe
- Size: 10KB
- MD5: 05e4debc81b24e42696b6246a0f5ab21
- SHA1: 5273ca90291090b1ef20e0b615299427545e076c
- SHA256: c262e243b99902ee2c601d0d623c777c65781e7211a166035bd31d03ba5b7c1a
- SHA512: 20c527cc35d79cb0a25bd80a2ae5344c31b10f2d12754ab7fc3afb06baaaaccb93de564dba4e6b5d80bdb9a14b6e21a767654d0c88281cbbd61908f1bdf4b8ac
- SSDEEP: 192:f1rTjAbiNTYQGrv3g7OGmQp1rbX1VCf31AdLQ:fJ1DGDQ7OGHPnCd
Malware Config
Signatures
- Modifies AppInit DLL entries (2 TTPs)
- Deletes itself (1 IoCs)
  pid: 2788, Process: cmd.exe
- Executes dropped EXE (1 IoCs)
  pid: 1672, Process: jolenmk.exe
- Loads dropped DLL (2 IoCs)
  pid: 1960, Process: 05e4debc81b24e42696b6246a0f5ab21.exe
  pid: 1960, Process: 05e4debc81b24e42696b6246a0f5ab21.exe
- resource / yara_rule
  resource: behavioral1/memory/1960-1-0x0000000000400000-0x000000000040F000-memory.dmp, yara_rule: upx
  resource: behavioral1/files/0x000c000000013a83-3.dat, yara_rule: upx
  resource: behavioral1/memory/1960-4-0x00000000002B0000-0x00000000002BF000-memory.dmp, yara_rule: upx
  resource: behavioral1/memory/1672-11-0x0000000000400000-0x000000000040F000-memory.dmp, yara_rule: upx
  resource: behavioral1/memory/1960-12-0x0000000000400000-0x000000000040F000-memory.dmp, yara_rule: upx
- Drops file in System32 directory (3 IoCs)
  description: File created, ioc: C:\Windows\SysWOW64\jolenm.dll, Process: 05e4debc81b24e42696b6246a0f5ab21.exe
  description: File created, ioc: C:\Windows\SysWOW64\jolenmk.exe, Process: 05e4debc81b24e42696b6246a0f5ab21.exe
  description: File opened for modification, ioc: C:\Windows\SysWOW64\jolenmk.exe, Process: 05e4debc81b24e42696b6246a0f5ab21.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  description: PID 1960 wrote to memory of 1672, pid: 1960, Process: 05e4debc81b24e42696b6246a0f5ab21.exe, procid_target: 28
  description: PID 1960 wrote to memory of 1672, pid: 1960, Process: 05e4debc81b24e42696b6246a0f5ab21.exe, procid_target: 28
  description: PID 1960 wrote to memory of 1672, pid: 1960, Process: 05e4debc81b24e42696b6246a0f5ab21.exe, procid_target: 28
  description: PID 1960 wrote to memory of 1672, pid: 1960, Process: 05e4debc81b24e42696b6246a0f5ab21.exe, procid_target: 28
  description: PID 1960 wrote to memory of 2788, pid: 1960, Process: 05e4debc81b24e42696b6246a0f5ab21.exe, procid_target: 30
  description: PID 1960 wrote to memory of 2788, pid: 1960, Process: 05e4debc81b24e42696b6246a0f5ab21.exe, procid_target: 30
  description: PID 1960 wrote to memory of 2788, pid: 1960, Process: 05e4debc81b24e42696b6246a0f5ab21.exe, procid_target: 30
  description: PID 1960 wrote to memory of 2788, pid: 1960, Process: 05e4debc81b24e42696b6246a0f5ab21.exe, procid_target: 30
Processes
- C:\Users\Admin\AppData\Local\Temp\05e4debc81b24e42696b6246a0f5ab21.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\05e4debc81b24e42696b6246a0f5ab21.exe"
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1960
  - C:\Windows\SysWOW64\jolenmk.exe
    Command line: C:\Windows\system32\jolenmk.exe ˜‰
    - Executes dropped EXE
    PID:1672
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\05e4debc81b24e42696b6246a0f5ab21.exe.bat
    - Deletes itself
    PID:2788
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 182B
  MD5: 3f224fabf8c1f7fe5200cb59317bdfa2
  SHA1: 9b1154c0662f9a9eed3ab68acc8d6d47337fd371
  SHA256: 6b07e1eaebb90aa111fb7987395cad5bcb338828baa1ea09f9eebc1bb23a7de2
  SHA512: 5d1416c63a871f1d640673ea8a4b98993ae818a7f1e613f3723168f5cdb176fbf6923d8da8e5ad43641a3fbab909109f2724813ed46f3a1076656efa370c757c
- Filesize: 10KB
  MD5: 05e4debc81b24e42696b6246a0f5ab21
  SHA1: 5273ca90291090b1ef20e0b615299427545e076c
  SHA256: c262e243b99902ee2c601d0d623c777c65781e7211a166035bd31d03ba5b7c1a
  SHA512: 20c527cc35d79cb0a25bd80a2ae5344c31b10f2d12754ab7fc3afb06baaaaccb93de564dba4e6b5d80bdb9a14b6e21a767654d0c88281cbbd61908f1bdf4b8ac