Analysis
max time kernel: 118s
max time network: 122s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 26/12/2023, 10:32
Static task: static1
Behavioral task: behavioral1
  Sample: 678923982bc7d83f53fdf068b43b77e4.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 678923982bc7d83f53fdf068b43b77e4.exe
  Resource: win10v2004-20231215-en
General
Target: 678923982bc7d83f53fdf068b43b77e4.exe
Size: 241KB
MD5: 678923982bc7d83f53fdf068b43b77e4
SHA1: ed9e274db40ec0b883e9e81f83c29a51d2efd5bb
SHA256: b0359d70616a189371e54a169398521c0114c73e797ef0ae849becae1014cbb7
SHA512: b0ec90342c3aab0ec1071ad99442c02fc5442ed3a7d2b2637fe8b439a325d18e42d778205f795f1ff926203e333efd1bcb4cabeefe18109fe8e62a5c48980cda
SSDEEP: 6144:tmU5DJi8BnA/dizLz5O7YLm4nrhk9CrwuMXjXYDEU:tm8NV+/gQ+xFk9Cr6TYr
Malware Config
Signatures
Deletes itself (1 IoCs)
  pid 1820  678923982bc7d83f53fdf068b43b77e4.exe
Executes dropped EXE (1 IoCs)
  pid 1820  678923982bc7d83f53fdf068b43b77e4.exe
Loads dropped DLL (1 IoCs)
  pid 3056  678923982bc7d83f53fdf068b43b77e4.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)
  pid 1820  678923982bc7d83f53fdf068b43b77e4.exe
Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid 2696  schtasks.exe
Suspicious behavior: EnumeratesProcesses (1 IoCs)
  pid 1820  678923982bc7d83f53fdf068b43b77e4.exe
Suspicious behavior: RenamesItself (1 IoCs)
  pid 3056  678923982bc7d83f53fdf068b43b77e4.exe
Suspicious use of UnmapMainImage (2 IoCs)
  pid 3056  678923982bc7d83f53fdf068b43b77e4.exe
  pid 1820  678923982bc7d83f53fdf068b43b77e4.exe
Suspicious use of WriteProcessMemory (8 IoCs)
  description                         pid   Process                               procid_target
  PID 3056 wrote to memory of 1820    3056  678923982bc7d83f53fdf068b43b77e4.exe  17
  PID 3056 wrote to memory of 1820    3056  678923982bc7d83f53fdf068b43b77e4.exe  17
  PID 3056 wrote to memory of 1820    3056  678923982bc7d83f53fdf068b43b77e4.exe  17
  PID 3056 wrote to memory of 1820    3056  678923982bc7d83f53fdf068b43b77e4.exe  17
  PID 1820 wrote to memory of 2696    1820  678923982bc7d83f53fdf068b43b77e4.exe  29
  PID 1820 wrote to memory of 2696    1820  678923982bc7d83f53fdf068b43b77e4.exe  29
  PID 1820 wrote to memory of 2696    1820  678923982bc7d83f53fdf068b43b77e4.exe  29
  PID 1820 wrote to memory of 2696    1820  678923982bc7d83f53fdf068b43b77e4.exe  29
Processes
1. C:\Users\Admin\AppData\Local\Temp\678923982bc7d83f53fdf068b43b77e4.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\678923982bc7d83f53fdf068b43b77e4.exe"
   PID: 3056
   - Loads dropped DLL
   - Suspicious behavior: RenamesItself
   - Suspicious use of UnmapMainImage
   - Suspicious use of WriteProcessMemory
  2. C:\Users\Admin\AppData\Local\Temp\678923982bc7d83f53fdf068b43b77e4.exe
     Command line: C:\Users\Admin\AppData\Local\Temp\678923982bc7d83f53fdf068b43b77e4.exe
     PID: 1820
     - Deletes itself
     - Executes dropped EXE
     - Suspicious use of NtSetInformationThreadHideFromDebugger
     - Suspicious behavior: EnumeratesProcesses
     - Suspicious use of UnmapMainImage
     - Suspicious use of WriteProcessMemory
    3. C:\Windows\SysWOW64\schtasks.exe
       Command line: schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\678923982bc7d83f53fdf068b43b77e4.exe" /TN Google_Trk_Updater /F
       PID: 2696
       - Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 50KB
MD5: aea717bf26cb3dc72b24ee1888d81e40
SHA1: 701ab5b13a7547c7871cde4be47beecf2a3a4668
SHA256: e09d38cac9ba051e7b5d1fb47c82b63a57d21396889bbab738c7c9d59daf4459
SHA512: cf33316709cfa21e0a756f3bedd597bd26e8b221f1d4798ab9cfa8fb5d0db97279c92d88e8096378a9a313a5cebd6a8e4077eed6d093a16c1ad0e2fb1c4a9cc2

Filesize: 65KB
MD5: ac05d27423a85adc1622c714f2cb6184
SHA1: b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256: c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512: 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Filesize: 42KB
MD5: 0852e9c7899d4ffcccfec24014eb82ea
SHA1: c0f7c4d0264c71c40cd0202bffc29c71e5ae8088
SHA256: a6a0c5aaf49731342a8fcc643e3d94f5a015753a79de0d8f2a0c467756c8eff1
SHA512: 3f576e2a4a7788b4cacc30ac67148aaf5ad3c82be77083089ce25ae8dbba74b7584f7a3df5cb68c85e3d95f5285223b08c98e661085d347750277062e92c5d95

Filesize: 54KB
MD5: 3614d3269207fef826ca4156ae1b6f30
SHA1: 8a95066f5c179497ea0807e96568a64b12e706bf
SHA256: 1402b9b9d29095775b8ec703323dd160f010d755cc0623c90c162db2286607e2
SHA512: 292e56e82aee4178f1d616c725df8eadc3630c563382b02cd91cda4a96f8650fb79504d6932297b654b3b1377a40231ddc85a587591419e2bf7b53395cdc63c8