Analysis
- max time kernel: 151s
- max time network: 128s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 26/12/2023, 00:50
Behavioral task: behavioral1
- Sample: 4790440ba0e67149cff353930fb72ac7.exe
- Resource: win7-20231215-en
General
- Target: 4790440ba0e67149cff353930fb72ac7.exe
- Size: 535KB
- MD5: 4790440ba0e67149cff353930fb72ac7
- SHA1: 8124005da70ff24dbc969f0b85b81ee741727676
- SHA256: b7f9d23a79a3584615b96aad5335707ca944ac2306c1c9d5558abd91bcb9d1ec
- SHA512: 1a4672d90139b23328714192e5522fde6d4f5cc89d8671200112f7266889ca625637412de77007d0ba5779f0e08d6a4f2e97e294ef88d9b1b448f164bdfb2af1
- SSDEEP: 12288:q0nPhglq2Uyt4R/b2G/0hznQGoexBU/NP6:q0P/k4lb2wKat6
Malware Config
Extracted: urelas
- 218.54.31.226
- 218.54.31.165
Signatures
- Deletes itself (1 IoC): pid 2728, cmd.exe
- Executes dropped EXE (2 IoCs): pid 2716 uznoe.exe; pid 2244 tohip.exe
- Loads dropped DLL (2 IoCs): pid 2140 4790440ba0e67149cff353930fb72ac7.exe; pid 2716 uznoe.exe
- Enumerates physical storage devices (1 TTP): attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (53 IoCs): pid 2244 tohip.exe (all 53 events)
- Suspicious use of WriteProcessMemory (12 IoCs):
  - PID 2140 (4790440ba0e67149cff353930fb72ac7.exe) wrote to memory of 2716, procid_target 28 (4 events)
  - PID 2140 (4790440ba0e67149cff353930fb72ac7.exe) wrote to memory of 2728, procid_target 29 (4 events)
  - PID 2716 (uznoe.exe) wrote to memory of 2244, procid_target 33 (4 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\4790440ba0e67149cff353930fb72ac7.exe (PID 2140)
  Command line: "C:\Users\Admin\AppData\Local\Temp\4790440ba0e67149cff353930fb72ac7.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\uznoe.exe (PID 2716)
    Command line: "C:\Users\Admin\AppData\Local\Temp\uznoe.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\tohip.exe (PID 2244)
      Command line: "C:\Users\Admin\AppData\Local\Temp\tohip.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
  - C:\Windows\SysWOW64\cmd.exe (PID 2728)
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
    - Deletes itself
Downloads