Analysis
- max time kernel: 121s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 26/12/2023, 00:46
Static task
- static1

Behavioral task
- behavioral1
  Sample: 475e179c47be2b99f5a7e648fa93c37f.exe
  Resource: win7-20231215-en

Behavioral task
- behavioral2
  Sample: 475e179c47be2b99f5a7e648fa93c37f.exe
  Resource: win10v2004-20231215-en
General
- Target: 475e179c47be2b99f5a7e648fa93c37f.exe
- Size: 64KB
- MD5: 475e179c47be2b99f5a7e648fa93c37f
- SHA1: b3c174b36797a997fbde7c510aab2e75ba08c180
- SHA256: 70cfd9c937d95a62f8cd555873a02eb4c86005382c05b554b3719c2939bacad5
- SHA512: 89ddb8f6d85118a0c2db7826f59594dd72b4c2ce98290994dd42e73e69accbd7fceb1997a07864e95c11fb3c337edc8edbe2dcaa12de8842c9ed705800e636a0
- SSDEEP: 768:gIsnfK9Oqn5HZJiXyS2+MscZsGCeIwrvtQ1j9l8/nxNY66xnH:MfK/55JvxD6Gen1jYxG66xH
Malware Config
Signatures

- Deletes itself (1 IoC)
  pid 2836  Process cmd.exe

- Executes dropped EXE (1 IoC)
  pid 1748  Process GetTran.exe

- Loads dropped DLL (1 IoC)
  pid 1748  Process GetTran.exe

- YARA rule match
  resource behavioral1/files/0x0007000000014719-12.dat  yara_rule vmprotect

- Drops file in System32 directory (10 IoCs)
  File opened for modification  C:\Windows\SysWOW64\shadowsafe.sys  GetTran.exe
  File opened for modification  C:\Windows\SysWOW64\zydxc2.dat  475e179c47be2b99f5a7e648fa93c37f.exe
  File opened for modification  C:\Windows\SysWOW64\zydxc0209.dll  GetTran.exe
  File created  C:\Windows\SysWOW64\shadowsafe.sys  GetTran.exe
  File opened for modification  C:\Windows\SysWOW64\zydxc.dat  475e179c47be2b99f5a7e648fa93c37f.exe
  File opened for modification  C:\Windows\SysWOW64\zydxc.dat  GetTran.exe
  File created  C:\Windows\SysWOW64\zydxc.dat  GetTran.exe
  File opened for modification  C:\Windows\SysWOW64\zydxc2.dat  GetTran.exe
  File created  C:\Windows\SysWOW64\zydxc2.dat  GetTran.exe
  File created  C:\Windows\SysWOW64\zydxc0209.dll  GetTran.exe

- Drops file in Windows directory (2 IoCs)
  File created  \??\c:\Windows\GetTran.exe  475e179c47be2b99f5a7e648fa93c37f.exe
  File opened for modification  \??\c:\Windows\GetTran.exe  GetTran.exe

- Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid 1748  Process GetTran.exe

- Suspicious behavior: LoadsDriver (2 IoCs)
  pid 1748  Process GetTran.exe
  pid 480   Process not Found

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeLoadDriverPrivilege  pid 1748  Process GetTran.exe
  Token: SeIncBasePriorityPrivilege  pid 1520  Process 475e179c47be2b99f5a7e648fa93c37f.exe

- Suspicious use of SetWindowsHookEx (1 IoC)
  pid 1748  Process GetTran.exe

- Suspicious use of WriteProcessMemory (12 IoCs)
  PID 1520 wrote to memory of 1748  475e179c47be2b99f5a7e648fa93c37f.exe  procid_target 17  (4 entries)
  PID 1748 wrote to memory of 2748  GetTran.exe  procid_target 14  (4 entries)
  PID 1520 wrote to memory of 2836  475e179c47be2b99f5a7e648fa93c37f.exe  procid_target 15  (4 entries)
Processes

- C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del c:\Windows\GetTran.exe
  PID: 2748

- C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\475E17~1.EXE > nul
  PID: 2836
  Signatures: Deletes itself

- \??\c:\Windows\GetTran.exe
  Command line: c:\Windows\GetTran.exe
  PID: 1748
  Signatures: Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: LoadsDriver; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory

- C:\Users\Admin\AppData\Local\Temp\475e179c47be2b99f5a7e648fa93c37f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\475e179c47be2b99f5a7e648fa93c37f.exe"
  PID: 1520
  Signatures: Drops file in System32 directory; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Matrix
Downloads

- Filesize: 44KB
  MD5: 5381167509544853bd2c6302d532b292
  SHA1: 5e4335e60f04f37e0a74bee0447822d95e6bbf57
  SHA256: 06fb19cf6bf528e15f4b59fc9be36215037a12205ce8fa128873d5555f6fb017
  SHA512: 132576e3231e589902736cf31d0699af9b2900031822c649431779e32bb2da78eba508db5936a77439df7216eb4c981d19d8ad327c2105c90283b6550839d4c5

- Filesize: 64KB
  MD5: 08206fad28489399c65aa23e5af5f57b
  SHA1: 6c40a56090700622b71fc6696c093e007aeb581f
  SHA256: 63fe619153f8739fedd240aad11d5612a84164c2b8d589a2b664844a8760cc16
  SHA512: e196e0c0bbf6c02e8d527069efe3eb39b1b2e02c3a9014a760de93d1897fec9f4a590b89f16db791d3e9412e8da0ecf52a3fefa296d0545d45f5afff2a7ce34a