Analysis
max time kernel: 117s
max time network: 121s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 25/12/2023, 03:02
Static task: static1
Behavioral task: behavioral1
  Sample: 01a16e5a927bcfa66d0e014fee748a5c.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 01a16e5a927bcfa66d0e014fee748a5c.exe
  Resource: win10v2004-20231215-en
General
Target: 01a16e5a927bcfa66d0e014fee748a5c.exe
Size: 506KB
MD5: 01a16e5a927bcfa66d0e014fee748a5c
SHA1: 455a8f22f3040757465bb5246ba9253369eeb99e
SHA256: d5121b281c7965d9ba78574cdfda0bd52fb3515220085ebb0deab338e65bf3a3
SHA512: e181f918818de8fc10283575439699ae288ede252fd0544a5fa73b220f95ce32e5088c350ce104bf0e83e1293f25eb20a10e8edebb4f2bd4e49aca1d3754be74
SSDEEP: 12288:ViW/r/oynJzjnt4ssYMtQVzjcHRoBfNEHfAT:VicrQYzt4s+tW3cHRo7EoT
Malware Config
Signatures
Deletes itself (1 IoCs)
  pid 3048  01a16e5a927bcfa66d0e014fee748a5c.exe
Executes dropped EXE (1 IoCs)
  pid 3048  01a16e5a927bcfa66d0e014fee748a5c.exe
Loads dropped DLL (1 IoCs)
  pid 1616  01a16e5a927bcfa66d0e014fee748a5c.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)
  pid 3048  01a16e5a927bcfa66d0e014fee748a5c.exe
Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid 2820  schtasks.exe
Suspicious behavior: EnumeratesProcesses (1 IoCs)
  pid 3048  01a16e5a927bcfa66d0e014fee748a5c.exe
Suspicious behavior: RenamesItself (1 IoCs)
  pid 1616  01a16e5a927bcfa66d0e014fee748a5c.exe
Suspicious use of UnmapMainImage (2 IoCs)
  pid 1616  01a16e5a927bcfa66d0e014fee748a5c.exe
  pid 3048  01a16e5a927bcfa66d0e014fee748a5c.exe
Suspicious use of WriteProcessMemory (8 IoCs)
  description                        pid   Process                               procid_target
  PID 1616 wrote to memory of 3048   1616  01a16e5a927bcfa66d0e014fee748a5c.exe  16
  PID 1616 wrote to memory of 3048   1616  01a16e5a927bcfa66d0e014fee748a5c.exe  16
  PID 1616 wrote to memory of 3048   1616  01a16e5a927bcfa66d0e014fee748a5c.exe  16
  PID 1616 wrote to memory of 3048   1616  01a16e5a927bcfa66d0e014fee748a5c.exe  16
  PID 3048 wrote to memory of 2820   3048  01a16e5a927bcfa66d0e014fee748a5c.exe  15
  PID 3048 wrote to memory of 2820   3048  01a16e5a927bcfa66d0e014fee748a5c.exe  15
  PID 3048 wrote to memory of 2820   3048  01a16e5a927bcfa66d0e014fee748a5c.exe  15
  PID 3048 wrote to memory of 2820   3048  01a16e5a927bcfa66d0e014fee748a5c.exe  15
Processes
C:\Windows\SysWOW64\schtasks.exe
  Command line: schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\01a16e5a927bcfa66d0e014fee748a5c.exe" /TN Google_Trk_Updater /F
  - Creates scheduled task(s)
  PID: 2820
C:\Users\Admin\AppData\Local\Temp\01a16e5a927bcfa66d0e014fee748a5c.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\01a16e5a927bcfa66d0e014fee748a5c.exe
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID: 3048
C:\Users\Admin\AppData\Local\Temp\01a16e5a927bcfa66d0e014fee748a5c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\01a16e5a927bcfa66d0e014fee748a5c.exe"
  - Loads dropped DLL
  - Suspicious behavior: RenamesItself
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID: 1616