Analysis
  max time kernel: 117s
  max time network: 136s
  platform: windows7_x64
  resource: win7-20231129-en
  resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  submitted: 25/12/2023, 06:54
Static task: static1
Behavioral task: behavioral1
  Sample: 0cfc61c1ed000e0120ecfc5fc5e62eea.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 0cfc61c1ed000e0120ecfc5fc5e62eea.exe
  Resource: win10v2004-20231215-en
General
  Target: 0cfc61c1ed000e0120ecfc5fc5e62eea.exe
  Size: 506KB
  MD5: 0cfc61c1ed000e0120ecfc5fc5e62eea
  SHA1: e70e0e8ad71514e0edc2be6e5a28076c9cc5286e
  SHA256: 78e3e353c2bec57df7fcb893e759e853a13bc53190bdc560cbbccb371937aec8
  SHA512: 53613ea1a71ca22fc2f5f4de81b044b29db1c46901fe42f673cf84d10829dc103e451766afdf9942afa96a8f07c86f6a3e2b9ef7e7d02eacbedc25c6865e3446
  SSDEEP: 12288:sPkz9/h1wzcaVVjzR+afAzAyKE8LRR+j+vpoyC:1L1zS5zCcJEcfe4FC
Malware Config
Signatures
  Deletes itself (1 IoC)
    PID 2888  0cfc61c1ed000e0120ecfc5fc5e62eea.exe
  Executes dropped EXE (1 IoC)
    PID 2888  0cfc61c1ed000e0120ecfc5fc5e62eea.exe
  Loads dropped DLL (1 IoC)
    PID 2520  0cfc61c1ed000e0120ecfc5fc5e62eea.exe
  Legitimate hosting services abused for malware hosting/C2 (1 TTP)
  Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
    PID 2888  0cfc61c1ed000e0120ecfc5fc5e62eea.exe
  Creates scheduled task(s) (1 TTP, 1 IoC)
    Schtasks is often used by malware for persistence or to perform post-infection execution.
    PID 3052  schtasks.exe
  Suspicious behavior: EnumeratesProcesses (1 IoC)
    PID 2888  0cfc61c1ed000e0120ecfc5fc5e62eea.exe
  Suspicious behavior: RenamesItself (1 IoC)
    PID 2520  0cfc61c1ed000e0120ecfc5fc5e62eea.exe
  Suspicious use of UnmapMainImage (2 IoCs)
    PID 2520  0cfc61c1ed000e0120ecfc5fc5e62eea.exe
    PID 2888  0cfc61c1ed000e0120ecfc5fc5e62eea.exe
  Suspicious use of WriteProcessMemory (8 IoCs)
    description                       pid   Process                                 procid_target
    PID 2520 wrote to memory of 2888  2520  0cfc61c1ed000e0120ecfc5fc5e62eea.exe   28
    PID 2520 wrote to memory of 2888  2520  0cfc61c1ed000e0120ecfc5fc5e62eea.exe   28
    PID 2520 wrote to memory of 2888  2520  0cfc61c1ed000e0120ecfc5fc5e62eea.exe   28
    PID 2520 wrote to memory of 2888  2520  0cfc61c1ed000e0120ecfc5fc5e62eea.exe   28
    PID 2888 wrote to memory of 3052  2888  0cfc61c1ed000e0120ecfc5fc5e62eea.exe   29
    PID 2888 wrote to memory of 3052  2888  0cfc61c1ed000e0120ecfc5fc5e62eea.exe   29
    PID 2888 wrote to memory of 3052  2888  0cfc61c1ed000e0120ecfc5fc5e62eea.exe   29
    PID 2888 wrote to memory of 3052  2888  0cfc61c1ed000e0120ecfc5fc5e62eea.exe   29
Processes (process tree, depth shown by indentation)
  1. C:\Users\Admin\AppData\Local\Temp\0cfc61c1ed000e0120ecfc5fc5e62eea.exe
     Command line: "C:\Users\Admin\AppData\Local\Temp\0cfc61c1ed000e0120ecfc5fc5e62eea.exe"
     PID: 2520
     - Loads dropped DLL
     - Suspicious behavior: RenamesItself
     - Suspicious use of UnmapMainImage
     - Suspicious use of WriteProcessMemory
     2. C:\Users\Admin\AppData\Local\Temp\0cfc61c1ed000e0120ecfc5fc5e62eea.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\0cfc61c1ed000e0120ecfc5fc5e62eea.exe
        PID: 2888
        - Deletes itself
        - Executes dropped EXE
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of UnmapMainImage
        - Suspicious use of WriteProcessMemory
        3. C:\Windows\SysWOW64\schtasks.exe
           Command line: schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\0cfc61c1ed000e0120ecfc5fc5e62eea.exe" /TN Google_Trk_Updater /F
           PID: 3052
           - Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v15
Downloads