Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 118s
- max time network: 126s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 28/12/2023, 23:29
Static task
- static1
Behavioral task
- behavioral1
  - Sample: ffecb4999889f9dff3f3ca807aa462ac.exe
  - Resource: win7-20231129-en
Behavioral task
- behavioral2
  - Sample: ffecb4999889f9dff3f3ca807aa462ac.exe
  - Resource: win10v2004-20231215-en
General
- Target: ffecb4999889f9dff3f3ca807aa462ac.exe
- Size: 1000KB
- MD5: ffecb4999889f9dff3f3ca807aa462ac
- SHA1: 1405ccffb6a9cdfab47b9e8ef7cea6025304a058
- SHA256: 3b46860e7ffdcc531af1dd81752cce9ae5f410fa1d9b6d1ac3409801c9d8d9c4
- SHA512: 0c0371aa5be01301f8b7c1a9490813ed5f5e16c6f6e489666dcd8acb98eb64968f1ec018f779a2b85f36ba504f7d79e6cf376e115be59da00dfedcb45bc725eb
- SSDEEP: 24576:sNp5IbLWzXcsQPCtKP/VN1B+5vMiqt0gj2ed:sNYPvlPlPNhqOL
Malware Config
Signatures
- Deletes itself (1 IoCs)
  pid | Process
  2216 | ffecb4999889f9dff3f3ca807aa462ac.exe
- Executes dropped EXE (1 IoCs)
  pid | Process
  2216 | ffecb4999889f9dff3f3ca807aa462ac.exe
- Loads dropped DLL (1 IoCs)
  pid | Process
  2360 | ffecb4999889f9dff3f3ca807aa462ac.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)
  pid | Process
  2216 | ffecb4999889f9dff3f3ca807aa462ac.exe
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  3048 | schtasks.exe
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  pid | Process
  2216 | ffecb4999889f9dff3f3ca807aa462ac.exe
- Suspicious behavior: RenamesItself (1 IoCs)
  pid | Process
  2360 | ffecb4999889f9dff3f3ca807aa462ac.exe
- Suspicious use of UnmapMainImage (2 IoCs)
  pid | Process
  2360 | ffecb4999889f9dff3f3ca807aa462ac.exe
  2216 | ffecb4999889f9dff3f3ca807aa462ac.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  description | pid | Process | procid_target
  PID 2360 wrote to memory of 2216 | 2360 | ffecb4999889f9dff3f3ca807aa462ac.exe | 28
  PID 2360 wrote to memory of 2216 | 2360 | ffecb4999889f9dff3f3ca807aa462ac.exe | 28
  PID 2360 wrote to memory of 2216 | 2360 | ffecb4999889f9dff3f3ca807aa462ac.exe | 28
  PID 2360 wrote to memory of 2216 | 2360 | ffecb4999889f9dff3f3ca807aa462ac.exe | 28
  PID 2216 wrote to memory of 3048 | 2216 | ffecb4999889f9dff3f3ca807aa462ac.exe | 30
  PID 2216 wrote to memory of 3048 | 2216 | ffecb4999889f9dff3f3ca807aa462ac.exe | 30
  PID 2216 wrote to memory of 3048 | 2216 | ffecb4999889f9dff3f3ca807aa462ac.exe | 30
  PID 2216 wrote to memory of 3048 | 2216 | ffecb4999889f9dff3f3ca807aa462ac.exe | 30
Processes
- C:\Users\Admin\AppData\Local\Temp\ffecb4999889f9dff3f3ca807aa462ac.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ffecb4999889f9dff3f3ca807aa462ac.exe"
  Signatures:
  - Loads dropped DLL
  - Suspicious behavior: RenamesItself
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID: 2360
  - C:\Users\Admin\AppData\Local\Temp\ffecb4999889f9dff3f3ca807aa462ac.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\ffecb4999889f9dff3f3ca807aa462ac.exe
    Signatures:
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID: 2216
    - C:\Windows\SysWOW64\schtasks.exe (depth 3)
      Command line: schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\ffecb4999889f9dff3f3ca807aa462ac.exe" /TN Google_Trk_Updater /F
      Signatures:
      - Creates scheduled task(s)
      PID: 3048
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 574KB
  MD5: cc446eaaa95e4457c563e82db62215e1
  SHA1: 0639ff8759e9ca5ccd4326bea8add6a24f1cdc5d
  SHA256: 07390166262357a8ba732e85da813a73376313092c2b46c2b55ffba0a4c53c16
  SHA512: c32cb619c315cba5b09aaea24df2bf3c3e504675cbcaa3f9dc17283987c77e118e346c316dc781ec6210e99fe062ae315c4e15934a00c853c41bbe53419dd405
- Filesize: 1000KB
  MD5: 71415f5cfdf200187635dd9c538191de
  SHA1: ccfdff1b803e5f6976a6d0271ef63833dac707ef
  SHA256: 333f9c8bc10c686baac0f848dc372c42e3089aed0812150547b33c3955a87584
  SHA512: 0e017bb70318fea13120db5ea1f81c4cd3880b076db75b09b13b0c49a625f3938f189d4938f8b2f1e3dda5ef9e01a385868271f48b2d6146984820b09faad646