Analysis
- max time kernel: 149s
- max time network: 117s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 30/12/2023, 03:27
Behavioral task behavioral1
- Sample: 0cf3e5e0102b875a03bbc8492defc43c.exe
- Resource: win7-20231215-en
Behavioral task behavioral2
- Sample: 0cf3e5e0102b875a03bbc8492defc43c.exe
- Resource: win10v2004-20231215-en
General
- Target: 0cf3e5e0102b875a03bbc8492defc43c.exe
- Size: 13KB
- MD5: 0cf3e5e0102b875a03bbc8492defc43c
- SHA1: a2de66169a53daed3d27c9bf9303617ea4407d33
- SHA256: 8d5148057cf0c4607b311819dbd0dce1ea8692cb88531ef74c0b40081fdce2c2
- SHA512: 01bd5f0e01646f70788fe5153d6dcf4e677f3e733b04a545ba560e2b0d269fa26ca1973af8a84775d0177ce091bc9b65b2a4022033e5acb744d57b399e0d7b5a
- SSDEEP: 192:smpfxUbuk4oef2fnj8b7zteiXzzWCpDGZ6beZj7KbvKZzfVPDkFYywzSl+E1O2Fc:5pfQu1/f2rUPt9fWr669ubv4zfGGPx
Malware Config
Signatures
- Modifies AppInit DLL entries (2 TTPs)
- Deletes itself (1 IoC)
  pid 2916, process cmd.exe
- Executes dropped EXE (1 IoC)
  pid 2160, process craoek.exe
- Loads dropped DLL (2 IoCs)
  pid 2180, process 0cf3e5e0102b875a03bbc8492defc43c.exe
  pid 2180, process 0cf3e5e0102b875a03bbc8492defc43c.exe
- Matches yara rule upx (UPX-packed) (4 IoCs)
  behavioral1/memory/2180-0-0x0000000000400000-0x0000000000410000-memory.dmp
  behavioral1/files/0x000d00000001231b-3.dat
  behavioral1/memory/2160-11-0x0000000000400000-0x0000000000410000-memory.dmp
  behavioral1/memory/2180-12-0x0000000000400000-0x0000000000410000-memory.dmp
- Drops file in System32 directory (3 IoCs)
  File created: C:\Windows\SysWOW64\craoe.dll, by 0cf3e5e0102b875a03bbc8492defc43c.exe
  File created: C:\Windows\SysWOW64\craoek.exe, by 0cf3e5e0102b875a03bbc8492defc43c.exe
  File opened for modification: C:\Windows\SysWOW64\craoek.exe, by 0cf3e5e0102b875a03bbc8492defc43c.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  description / pid / process / procid_target
  PID 2180 wrote to memory of 2160 / 2180 / 0cf3e5e0102b875a03bbc8492defc43c.exe / 28 (logged 4 times)
  PID 2180 wrote to memory of 2916 / 2180 / 0cf3e5e0102b875a03bbc8492defc43c.exe / 30 (logged 4 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\0cf3e5e0102b875a03bbc8492defc43c.exe (PID 2180)
  command line: "C:\Users\Admin\AppData\Local\Temp\0cf3e5e0102b875a03bbc8492defc43c.exe"
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\craoek.exe (PID 2160, child of 2180)
    command line: C:\Windows\system32\craoek.exe ˜‰
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 2916, child of 2180)
    command line: cmd /c C:\Users\Admin\AppData\Local\Temp\0cf3e5e0102b875a03bbc8492defc43c.exe.bat
    - Deletes itself
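The signatures and process tree above describe one short chain: the sample writes craoe.dll and craoek.exe into SysWOW64, launches the dropped craoek.exe, touches the AppInit DLL entries, and spawns cmd.exe on a batch file named after its own path to remove itself. The following is an added example, not code from tria.ge or from the sample, that turns that chain into host-side detection logic and replays it over a constructed Sysmon-style event list (ID 1 process create, ID 11 file create, ID 13 registry value set). The PIDs, paths and command lines are the report's; every other field is invented, and the value written to AppInit_DLLs is an assumption, since the report only says the entry was modified.

```python
"""Behaviour-chain matcher for the craoek.exe dropper in this report.

Added example, not tria.ge code: replays constructed Sysmon-style events
(ID 1 process create, ID 11 file create, ID 13 registry value set) and
flags the four behaviours the report's signatures raise.
"""
import re

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\0cf3e5e0102b875a03bbc8492defc43c.exe"
APPINIT_VALUE = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs"

# Constructed event log. PIDs 2180/2160/2916, paths and command lines are
# taken from the report; parent PID 1200 and the benign event are invented.
EVENTS = [
    {"id": 1, "pid": 2180, "ppid": 1200, "image": SAMPLE, "cmd": f'"{SAMPLE}"'},
    {"id": 11, "pid": 2180, "target": r"C:\Windows\SysWOW64\craoe.dll"},
    {"id": 11, "pid": 2180, "target": r"C:\Windows\SysWOW64\craoek.exe"},
    # Assumption: the dropped DLL is what gets registered; the report only
    # says the AppInit entries were modified.
    {"id": 13, "pid": 2180, "target": APPINIT_VALUE,
     "details": r"C:\Windows\SysWOW64\craoe.dll"},
    {"id": 1, "pid": 2160, "ppid": 2180, "image": r"C:\Windows\SysWOW64\craoek.exe",
     "cmd": r"C:\Windows\system32\craoek.exe"},
    {"id": 1, "pid": 2916, "ppid": 2180, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmd": rf"cmd /c {SAMPLE}.bat"},
    # Benign noise that must not match: a user running an unrelated script.
    {"id": 1, "pid": 3300, "ppid": 1200, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r"cmd /c C:\Users\Admin\Desktop\build.bat"},
]

SYSTEM_DIR = re.compile(r"^c:\\windows\\(system32|syswow64)\\", re.IGNORECASE)
BAT_ARG = re.compile(r'/c\s+"?([^"]+?\.bat)"?\s*$', re.IGNORECASE)


def dropped_in_system_dirs(events):
    """pid -> lowercase paths that pid created under System32/SysWOW64 (ID 11)."""
    out = {}
    for e in events:
        if e["id"] == 11 and SYSTEM_DIR.match(e["target"]):
            out.setdefault(e["pid"], set()).add(e["target"].lower())
    return out


def analyze(events):
    """Return {signature_name: [(pid, detail), ...]} for the report's four behaviours."""
    findings = {k: [] for k in ("drops_file_in_system32", "executes_dropped_exe",
                                "modifies_appinit_dlls", "deletes_itself")}
    images = {e["pid"]: e["image"] for e in events if e["id"] == 1}
    dropped = dropped_in_system_dirs(events)
    for pid, paths in dropped.items():
        for p in sorted(paths):
            findings["drops_file_in_system32"].append((pid, p))
    for e in events:
        if e["id"] == 13 and e["target"].lower().endswith("\\appinit_dlls"):
            findings["modifies_appinit_dlls"].append((e["pid"], e["details"]))
        if e["id"] != 1:
            continue
        # Child image is a file its own parent just wrote into a system directory.
        if e["image"].lower() in dropped.get(e["ppid"], ()):
            findings["executes_dropped_exe"].append((e["pid"], e["image"]))
        # cmd.exe spawned by P running a .bat named after P's own executable:
        # the batch-file self-delete the process tree shows.
        m = BAT_ARG.search(e["cmd"])
        if m and e["image"].lower().endswith("\\cmd.exe"):
            parent = images.get(e["ppid"], "")
            if parent and m.group(1).lower() == parent.lower() + ".bat":
                findings["deletes_itself"].append((e["pid"], m.group(1)))
    return findings


def matched_signatures(events):
    """Names of the behaviours that fired at least once."""
    return {name for name, hits in analyze(events).items() if hits}


if __name__ == "__main__":
    for name, hits in analyze(EVENTS).items():
        print(f"{name:24s} {hits}")
```

The self-delete rule is deliberately tied to the parent's own image path plus ".bat" rather than to any cmd /c *.bat, which is why the benign build.bat event does not fire; the other three rules are per-event and would also fire on legitimate installers, so in practice they are scored together rather than alerted on individually.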
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 182B
  MD5: 18651a0edc1111f140fccf5a87451c76
  SHA1: 6b4bf68211a9f36551526c7113ff0b54721c39d5
  SHA256: ef63cc0b777375ba4c8b0f672e58cd8585b731101f757e83f8aeafd8f87722ed
  SHA512: 086ac600554633f2dd2436d7595df9fbbd7ce478302033e1e77d758183d15c815cd11d60ef1c39dd6b096f67609ce202affcdee6d74cddec0df9661b5b2728ce
- Filesize: 13KB (hashes match the submitted sample)
  MD5: 0cf3e5e0102b875a03bbc8492defc43c
  SHA1: a2de66169a53daed3d27c9bf9303617ea4407d33
  SHA256: 8d5148057cf0c4607b311819dbd0dce1ea8692cb88531ef74c0b40081fdce2c2
  SHA512: 01bd5f0e01646f70788fe5153d6dcf4e677f3e733b04a545ba560e2b0d269fa26ca1973af8a84775d0177ce091bc9b65b2a4022033e5acb744d57b399e0d7b5a