Analysis
- max time kernel: 2s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 25/12/2023, 00:03
Static task: static1
Behavioral task: behavioral1
- Sample: 1b854ff428d213cf6027aabf80f94008.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 1b854ff428d213cf6027aabf80f94008.exe
- Resource: win10v2004-20231215-en
General
- Target: 1b854ff428d213cf6027aabf80f94008.exe
- Size: 1000KB
- MD5: 1b854ff428d213cf6027aabf80f94008
- SHA1: b3c7eb47bc161d0069c546daa35a46648b70f2cd
- SHA256: aa6a25721fa4a71e939f88c09bde15b1b1d8097a8ff39b11bac0b7edfa4a0d80
- SHA512: a94de60ecc30e9787ef0c1e22016eb9da71579139d2db9c82208fbd068bda7ffe0faccf1859e052852d31a45e82430079c82ebd82235a1a0add784d25e8aed23
- SSDEEP: 24576:aKd2/xq6VecWfa5sHGdqRDoeY7d15ipq1B+5vMiqt0gj2ed:ZY/xq64Vfa5sHGdqRDoeY7dvipgqOL
Malware Config
Signatures
- Deletes itself (1 IoC)
  pid 1724, process 1b854ff428d213cf6027aabf80f94008.exe
- Executes dropped EXE (1 IoC)
  pid 1724, process 1b854ff428d213cf6027aabf80f94008.exe
- Loads dropped DLL (1 IoC)
  pid 1876, process 1b854ff428d213cf6027aabf80f94008.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTP)
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  pid 1724, process 1b854ff428d213cf6027aabf80f94008.exe
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid 2888, process schtasks.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid 1724, process 1b854ff428d213cf6027aabf80f94008.exe
- Suspicious behavior: RenamesItself (1 IoC)
  pid 1876, process 1b854ff428d213cf6027aabf80f94008.exe
- Suspicious use of UnmapMainImage (2 IoCs)
  pid 1876, process 1b854ff428d213cf6027aabf80f94008.exe
  pid 1724, process 1b854ff428d213cf6027aabf80f94008.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  description                        pid   Process                               procid_target
  PID 1876 wrote to memory of 1724   1876  1b854ff428d213cf6027aabf80f94008.exe  16
  PID 1876 wrote to memory of 1724   1876  1b854ff428d213cf6027aabf80f94008.exe  16
  PID 1876 wrote to memory of 1724   1876  1b854ff428d213cf6027aabf80f94008.exe  16
  PID 1876 wrote to memory of 1724   1876  1b854ff428d213cf6027aabf80f94008.exe  16
  PID 1724 wrote to memory of 2888   1724  1b854ff428d213cf6027aabf80f94008.exe  15
  PID 1724 wrote to memory of 2888   1724  1b854ff428d213cf6027aabf80f94008.exe  15
  PID 1724 wrote to memory of 2888   1724  1b854ff428d213cf6027aabf80f94008.exe  15
  PID 1724 wrote to memory of 2888   1724  1b854ff428d213cf6027aabf80f94008.exe  15
Processes
- C:\Windows\SysWOW64\schtasks.exe
  Command line: schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\1b854ff428d213cf6027aabf80f94008.exe" /TN Google_Trk_Updater /F
  PID: 2888
  - Creates scheduled task(s)
- C:\Users\Admin\AppData\Local\Temp\1b854ff428d213cf6027aabf80f94008.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\1b854ff428d213cf6027aabf80f94008.exe
  PID: 1724
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
- C:\Users\Admin\AppData\Local\Temp\1b854ff428d213cf6027aabf80f94008.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1b854ff428d213cf6027aabf80f94008.exe"
  PID: 1876
  - Loads dropped DLL
  - Suspicious behavior: RenamesItself
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 92KB
  MD5: bd4e44f896906fe1a44073d359c7652c
  SHA1: d8bffb5b4fa1d90c69df0bbbc8c1c10c1ca99d64
  SHA256: d52f0964f917d80049e4fe2111b2b8811b074199d355382f1ba83345cb84ebf9
  SHA512: a255c04238d0e5a41bd800e6d86275a8fab83ea63051b09dfb645beb89bfd901e1172f4de2a8f275e83f87c76c52b54a63cd1cfa1a8b1fe52e44e77b1c33bb99
- Filesize: 5KB
  MD5: cda6cd8278faa9dc7d7221c396481e93
  SHA1: 1abe3dc819375dcbcf9e5fa62500b7ebca415293
  SHA256: 38e42d2e7cab60ff793f492ccf40267414dc1ff82202b428884a53be48a583fe
  SHA512: 61ef1e3f08d5a77c50f511a2e0d46a505574c16078d302bd4053c08a370a83eb9d011adba297a603658241106e6c4f1d9db9f8ec55dddcdb43ca77423ab4c119
- Filesize: 92KB
  MD5: 71e4ce8b3a1b89f335a6936bbdafce4c
  SHA1: 6e0d450eb5f316a9924b3e58445b26bfb727001e
  SHA256: a5edfae1527d0c8d9fe5e7a2c5c21b671e61f9981f3bcf9e8cc9f9bb9f3b44c5
  SHA512: b80af88699330e1ff01e409daabdedeef350fe7d192724dfa8622afa71e132076144175f6e097f8136f1bba44c7cb30cfdd0414dbe4e0a4712b3bad7b70aeff7
- Filesize: 70KB
  MD5: 9c394e897335e1b2dbed7e9a05972dc5
  SHA1: 715860e592c70e849806baf9eda210453005aa74
  SHA256: 163c4531b874c7a62c2aa1b4e4d767a77e1c1a64f7f48b241aa00771d7c19531
  SHA512: 1c878c28eee5a36b63f68edd5e52aefcab6ed439256c6e8106647bcde812351e7e2bfd46bd2f00e1ff3e844cebe54537f5260b8b8d9659a27442734643a19dd1