Analysis
- max time kernel: 0s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 29/12/2023, 20:21
Static task
- static1
Behavioral task
- behavioral1
  Sample: 02ebea33d1795ce5b377efa7ca5b2f9b.exe
  Resource: win7-20231215-en
Behavioral task
- behavioral2
  Sample: 02ebea33d1795ce5b377efa7ca5b2f9b.exe
  Resource: win10v2004-20231215-en
General
- Target: 02ebea33d1795ce5b377efa7ca5b2f9b.exe
- Size: 520KB
- MD5: 02ebea33d1795ce5b377efa7ca5b2f9b
- SHA1: 8d803dc5909ddba9318cca58d7e190aaf5b1cf56
- SHA256: e76ea96b4de05d951714814b1398f2bcea7ce0423fbd6683727bba5177902a9c
- SHA512: 084c6c3c0e7ca79c340ceb7198ae8ae2213db53babee8c77d57b75d0a874e5a24387e2487613e75c48f8788fdaa0d8b52e4625592e3eabb926160314c09ce2ed
- SSDEEP: 12288:jbCrX64ywpfYXatwHdLf2XKEkunFP6g5a:jGj6RFqmH9+XK3uN6g5a
Malware Config
Signatures
- Executes dropped EXE (4 IoCs)
  pid   Process
  1220  Welcome.exe
  1724  7za.exe
  2920  Sd.exe
  2292  GD1.exe
- Loads dropped DLL (13 IoCs)
  pid   Process
  2468  02ebea33d1795ce5b377efa7ca5b2f9b.exe
  2468  02ebea33d1795ce5b377efa7ca5b2f9b.exe
  2468  02ebea33d1795ce5b377efa7ca5b2f9b.exe
  2468  02ebea33d1795ce5b377efa7ca5b2f9b.exe
  2468  02ebea33d1795ce5b377efa7ca5b2f9b.exe
  2468  02ebea33d1795ce5b377efa7ca5b2f9b.exe
  2920  Sd.exe
  2920  Sd.exe
  2920  Sd.exe
  2920  Sd.exe
  2292  GD1.exe
  2292  GD1.exe
  2292  GD1.exe
- YARA rule matches
  resource                                                                      yara_rule
  behavioral1/memory/2920-43-0x0000000000400000-0x0000000000430000-memory.dmp   upx
  behavioral1/memory/2920-31-0x0000000000400000-0x0000000000430000-memory.dmp   upx
- Adds Run key to start application (2 TTPs, 1 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google = "C:\\Users\\Admin\\AppData\\Roaming\\GD1.exe "
  Process: GD1.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid   Process
  2292  GD1.exe
  2292  GD1.exe
- Suspicious use of WriteProcessMemory (22 IoCs)
  description                        pid   Process                               procid_target
  PID 2468 wrote to memory of 1220   2468  02ebea33d1795ce5b377efa7ca5b2f9b.exe  22
  PID 2468 wrote to memory of 1220   2468  02ebea33d1795ce5b377efa7ca5b2f9b.exe  22
  PID 2468 wrote to memory of 1220   2468  02ebea33d1795ce5b377efa7ca5b2f9b.exe  22
  PID 2468 wrote to memory of 1220   2468  02ebea33d1795ce5b377efa7ca5b2f9b.exe  22
  PID 2468 wrote to memory of 1724   2468  02ebea33d1795ce5b377efa7ca5b2f9b.exe  21
  PID 2468 wrote to memory of 1724   2468  02ebea33d1795ce5b377efa7ca5b2f9b.exe  21
  PID 2468 wrote to memory of 1724   2468  02ebea33d1795ce5b377efa7ca5b2f9b.exe  21
  PID 2468 wrote to memory of 1724   2468  02ebea33d1795ce5b377efa7ca5b2f9b.exe  21
  PID 2468 wrote to memory of 2920   2468  02ebea33d1795ce5b377efa7ca5b2f9b.exe  20
  PID 2468 wrote to memory of 2920   2468  02ebea33d1795ce5b377efa7ca5b2f9b.exe  20
  PID 2468 wrote to memory of 2920   2468  02ebea33d1795ce5b377efa7ca5b2f9b.exe  20
  PID 2468 wrote to memory of 2920   2468  02ebea33d1795ce5b377efa7ca5b2f9b.exe  20
  PID 2468 wrote to memory of 2920   2468  02ebea33d1795ce5b377efa7ca5b2f9b.exe  20
  PID 2468 wrote to memory of 2920   2468  02ebea33d1795ce5b377efa7ca5b2f9b.exe  20
  PID 2468 wrote to memory of 2920   2468  02ebea33d1795ce5b377efa7ca5b2f9b.exe  20
  PID 2920 wrote to memory of 2292   2920  Sd.exe                                19
  PID 2920 wrote to memory of 2292   2920  Sd.exe                                19
  PID 2920 wrote to memory of 2292   2920  Sd.exe                                19
  PID 2920 wrote to memory of 2292   2920  Sd.exe                                19
  PID 2920 wrote to memory of 2292   2920  Sd.exe                                19
  PID 2920 wrote to memory of 2292   2920  Sd.exe                                19
  PID 2920 wrote to memory of 2292   2920  Sd.exe                                19
Processes
- C:\Users\Admin\AppData\Local\Temp\02ebea33d1795ce5b377efa7ca5b2f9b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\02ebea33d1795ce5b377efa7ca5b2f9b.exe"
  PID: 2468
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Users\Admin\AppData\Local\Temp\Sd.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Sd.exe"
    PID: 2920
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\7za.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\7za.exe" x "C:\Users\Admin\AppData\Local\Temp\a1.7z" -aoa -oC:\Users\Admin\AppData\Local\Temp -p~@S23js@@vBz99432@t9 "" ""
    PID: 1724
    - Executes dropped EXE
  - C:\Users\Admin\AppData\Roaming\Welcome.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Welcome.exe"
    PID: 1220
    - Executes dropped EXE
- C:\Users\Admin\AppData\Roaming\GD1.exe
  Command line: "C:\Users\Admin\AppData\Roaming\GD1.exe"
  PID: 2292
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetWindowsHookEx