Analysis
- max time kernel: 121s
- max time network: 126s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 29/12/2023, 21:54
Behavioral tasks
- behavioral1: Sample 04ecfc627270e30979bbda808252cbe6.exe, Resource win7-20231215-en
- behavioral2: Sample 04ecfc627270e30979bbda808252cbe6.exe, Resource win10v2004-20231215-en
General
- Target: 04ecfc627270e30979bbda808252cbe6.exe
- Size: 2.9MB
- MD5: 04ecfc627270e30979bbda808252cbe6
- SHA1: d27fe3576cdb9766773039d5fadb3b8a2e8d402c
- SHA256: 50385d9912fca398c568147f5103b1436f433216f6f896395bbd664e1fc293e6
- SHA512: d64127cffe41c251c8a6c7456d0abd4c4986175566f54f3f3ed9498df69e6f3aa7c6842ea02543305edd96f5281920af83175d26dc602ecdf5318dcbb9facd9b
- SSDEEP: 49152:Ivb3VJZZgvs5dBvs0mgP4M338dB2IBlGuuDVUsdxxjeQZwxPYRKs:Ivb3VJUs5dBTmggg3gnl/IVUs1jePs
Malware Config
Signatures
- Deletes itself (1 IoC)
  pid 2728, Process 04ecfc627270e30979bbda808252cbe6.exe
- Executes dropped EXE (1 IoC)
  pid 2728, Process 04ecfc627270e30979bbda808252cbe6.exe
- Loads dropped DLL (1 IoC)
  pid 1740, Process 04ecfc627270e30979bbda808252cbe6.exe
- YARA rule upx matched the following resources:
  - behavioral1/memory/1740-0-0x0000000000400000-0x00000000008EF000-memory.dmp
  - behavioral1/files/0x000d0000000122d2-14.dat
  - behavioral1/memory/2728-17-0x0000000000400000-0x00000000008EF000-memory.dmp
  - behavioral1/files/0x000d0000000122d2-10.dat
- Suspicious behavior: RenamesItself (1 IoC)
  pid 1740, Process 04ecfc627270e30979bbda808252cbe6.exe
- Suspicious use of UnmapMainImage (2 IoCs)
  pid 1740, Process 04ecfc627270e30979bbda808252cbe6.exe
  pid 2728, Process 04ecfc627270e30979bbda808252cbe6.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description: PID 1740 wrote to memory of 2728; pid 1740; Process 04ecfc627270e30979bbda808252cbe6.exe; procid_target 28 (four identical entries)
Processes
- Process 1 (PID 1740): C:\Users\Admin\AppData\Local\Temp\04ecfc627270e30979bbda808252cbe6.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\04ecfc627270e30979bbda808252cbe6.exe"
  - Loads dropped DLL
  - Suspicious behavior: RenamesItself
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  - Process 2 (PID 2728, child of PID 1740): C:\Users\Admin\AppData\Local\Temp\04ecfc627270e30979bbda808252cbe6.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\04ecfc627270e30979bbda808252cbe6.exe
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of UnmapMainImage
Network
MITRE ATT&CK Matrix
Downloads
- File 1
  - Filesize: 61KB
  - MD5: 05f77d302394b54e3d4bd4dd0c0faefd
  - SHA1: 51632e054173d1b101525e8205b40f5f2921b240
  - SHA256: 5b2b33596a334390af90be6a128efe1d694f5af419a776fbf74f0f512fc2c3b6
  - SHA512: 633575688a4b3080175b9b835c206c17afa165a2126172a95db476a0867fe53f5352ca8a895bf36e36161967ce42ad0f5b32df58e43065d0c2e72fb2d788f54c
- File 2
  - Filesize: 87KB
  - MD5: b3be376c5eca8763ccce9ac02660f3de
  - SHA1: b35573dc3d1d1e46e3cd1a527bd1f5a74f617a6c
  - SHA256: 7ef690e4950808806625275a11065903f76ae8f0a1d8163313fe40d40cf698e2
  - SHA512: 6d1992a557fe8a6199287880d8db74a52a0ec1dd8cb8f72b19bd3a84ce9117a1107ef27e9200a1364c46267425b656a736f8627a9648710aa60db626984dd48c