Analysis
- max time kernel: 122s
- max time network: 144s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 26/12/2023, 02:24
Behavioral task: behavioral1
- Sample: 4c7dc06d56c085a36cf50431de28813a.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 4c7dc06d56c085a36cf50431de28813a.exe
- Resource: win10v2004-20231215-en
General
- Target: 4c7dc06d56c085a36cf50431de28813a.exe
- Size: 68KB
- MD5: 4c7dc06d56c085a36cf50431de28813a
- SHA1: 72f1e251653f43c9e5f6846d4523f6fdbb47e5e1
- SHA256: 3ec1eb05f285a64217bc1f83ecafbdf4d2ef62fe7e37f083f1b192bc440ee098
- SHA512: 31605344e0c783509e4c3f39d9a6a496cf3a6531353965288c1ab82df93b658567442220074d23598c8d906ea49fa5da2eaf6a81e6c0047696c21af8ff5c4554
- SSDEEP: 1536:7TL6MWAfIaSVD4JXQJfXUXQFbKjTTgLvbe2r3ikerxFaiV0CmuJdr:zg+SVfsAFbKjTTgLvbrjpmgyBbdr
Malware Config
Signatures
- Deletes itself (1 IoCs)
  pid | Process
  2276 | 4c7dc06d56c085a36cf50431de28813a.exe
- Executes dropped EXE (1 IoCs)
  pid | Process
  2276 | 4c7dc06d56c085a36cf50431de28813a.exe
- Loads dropped DLL (1 IoCs)
  pid | Process
  2512 | 4c7dc06d56c085a36cf50431de28813a.exe
- Yara rule matches
  resource | yara_rule
  behavioral1/memory/2512-0-0x0000000000400000-0x000000000043A000-memory.dmp | upx
  behavioral1/files/0x0008000000012224-10.dat | upx
  behavioral1/memory/2512-12-0x0000000000170000-0x00000000001AA000-memory.dmp | upx
  behavioral1/memory/2276-17-0x0000000000400000-0x000000000043A000-memory.dmp | upx
- Suspicious behavior: RenamesItself (1 IoCs)
  pid | Process
  2512 | 4c7dc06d56c085a36cf50431de28813a.exe
- Suspicious use of UnmapMainImage (2 IoCs)
  pid | Process
  2512 | 4c7dc06d56c085a36cf50431de28813a.exe
  2276 | 4c7dc06d56c085a36cf50431de28813a.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target
  PID 2512 wrote to memory of 2276 | 2512 | 4c7dc06d56c085a36cf50431de28813a.exe | 29
  PID 2512 wrote to memory of 2276 | 2512 | 4c7dc06d56c085a36cf50431de28813a.exe | 29
  PID 2512 wrote to memory of 2276 | 2512 | 4c7dc06d56c085a36cf50431de28813a.exe | 29
  PID 2512 wrote to memory of 2276 | 2512 | 4c7dc06d56c085a36cf50431de28813a.exe | 29
Processes
- C:\Users\Admin\AppData\Local\Temp\4c7dc06d56c085a36cf50431de28813a.exe (PID: 2512)
  Command line: "C:\Users\Admin\AppData\Local\Temp\4c7dc06d56c085a36cf50431de28813a.exe"
  - Loads dropped DLL
  - Suspicious behavior: RenamesItself
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\4c7dc06d56c085a36cf50431de28813a.exe (PID: 2276)
    Command line: C:\Users\Admin\AppData\Local\Temp\4c7dc06d56c085a36cf50431de28813a.exe
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of UnmapMainImage
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 68KB
  MD5: a196ea6d563857c037f72dd8eab618b7
  SHA1: 6ce6d248a7f1b38a749e20b973931164c3394abb
  SHA256: 75676e001c1bafabaf48c437b50f7f376e1af4c6e9f3ea0918d046e341cc654d
  SHA512: adefd9139472078b36e3f869477ee6be5ac9c789b68a0d1019ae53d2887f291c884e070f2436c217783e24726bbc8ce31f4b61adf7b0f9c55a2c904a33c89b33