Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 119s
max time network: 134s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 26/12/2023, 15:05
Behavioral task: behavioral1
Sample: 77bc02e8c565cee1288a6f918711136c.exe
Resource: win7-20231215-en
Behavioral task: behavioral2
Sample: 77bc02e8c565cee1288a6f918711136c.exe
Resource: win10v2004-20231215-en
General
Target: 77bc02e8c565cee1288a6f918711136c.exe
Size: 28KB
MD5: 77bc02e8c565cee1288a6f918711136c
SHA1: 50283f269435ed351cd9a04e605ed607617dc744
SHA256: cf239f78ac1b7e72e301dd8f0482866e8ff664bc4c9ad7f78648b466dbeef9ff
SHA512: 4b3cb9347d909c2cee960d4726a4800f556f9ae22c610a15fb86febe69281b7c835376e551965fc6d55fbed6a0c9ce0ba5761d62077e4bf78f19106919da344c
SSDEEP: 768:5CUb3foaqTPawJG1VdPdEPcurxbjAmKmrV:QUL9qba+GvdPdEUWxbkmZV
Malware Config
Signatures
Deletes itself (1 IoC)
pid   Process
2764  cmd.exe

resource                                                                      yara_rule
behavioral1/memory/2028-0-0x0000000000400000-0x0000000000415000-memory.dmp    upx
behavioral1/memory/2720-5-0x0000000000400000-0x0000000000415000-memory.dmp    upx
behavioral1/memory/2720-4-0x0000000000400000-0x0000000000415000-memory.dmp    upx
behavioral1/memory/2028-13-0x0000000000400000-0x0000000000415000-memory.dmp   upx
behavioral1/memory/2720-15-0x0000000000400000-0x0000000000415000-memory.dmp   upx
Unexpected DNS network traffic destination (5 IoCs)
Network traffic to servers other than the configured DNS servers was detected on the DNS port.
description     ioc
Destination IP  4.2.2.1
Destination IP  4.2.2.2
Destination IP  193.182.2.101
Destination IP  83.220.128.65
Destination IP  204.97.212.10
Drops file in System32 directory (3 IoCs)
description                   ioc                                       Process
File opened for modification  C:\Windows\SysWOW64\svchost.exe:exe.exe   77bc02e8c565cee1288a6f918711136c.exe
File created                  C:\Windows\SysWOW64\icf.exe               77bc02e8c565cee1288a6f918711136c.exe
File opened for modification  C:\Windows\SysWOW64\icf.exe               77bc02e8c565cee1288a6f918711136c.exe
Suspicious use of SetThreadContext (1 IoC)
description                         pid   Process                               procid_target
PID 2028 set thread context of 2720 2028  77bc02e8c565cee1288a6f918711136c.exe  28
Suspicious use of WriteProcessMemory (9 IoCs)
description                      pid   Process                               procid_target
PID 2028 wrote to memory of 2720 2028  77bc02e8c565cee1288a6f918711136c.exe  28
PID 2028 wrote to memory of 2720 2028  77bc02e8c565cee1288a6f918711136c.exe  28
PID 2028 wrote to memory of 2720 2028  77bc02e8c565cee1288a6f918711136c.exe  28
PID 2028 wrote to memory of 2720 2028  77bc02e8c565cee1288a6f918711136c.exe  28
PID 2028 wrote to memory of 2720 2028  77bc02e8c565cee1288a6f918711136c.exe  28
PID 2028 wrote to memory of 2764 2028  77bc02e8c565cee1288a6f918711136c.exe  29
PID 2028 wrote to memory of 2764 2028  77bc02e8c565cee1288a6f918711136c.exe  29
PID 2028 wrote to memory of 2764 2028  77bc02e8c565cee1288a6f918711136c.exe  29
PID 2028 wrote to memory of 2764 2028  77bc02e8c565cee1288a6f918711136c.exe  29
Processes
C:\Users\Admin\AppData\Local\Temp\77bc02e8c565cee1288a6f918711136c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\77bc02e8c565cee1288a6f918711136c.exe"
  PID: 2028
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\svchost.exe
      Command line: svchost.exe
      PID: 2720
    C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\2228227.bat
      PID: 2764
      - Deletes itself
Network
MITRE ATT&CK Matrix
Downloads
Filesize: 235B
MD5: 6d41571469772284adb1c46c5e71cb80
SHA1: 7d38be1e37df1836abcb4b24df2cc1a40c751959
SHA256: 309161b6b935c6dc5071e3e4ef9ede4a9d09dcf3676ddc83144023fd63e1305b
SHA512: 9c80782655d7066d011c644b46cb99df957c7fcc62b88c08770ab63ab51d38f7eb9690596fb56c38ebdef13e3b663058f36387a52e86959032fc0d4408f4bd70