Analysis

max time kernel:  149s
max time network: 153s
platform:         windows7_x64
resource:         win7-20231215-en
resource tags:    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted:        30/12/2023, 03:27
Static task: static1

Behavioral task: behavioral1
  Sample:   0cef008dd1a97bd1c1215cdadfb6be3a.exe
  Resource: win7-20231215-en

Behavioral task: behavioral2
  Sample:   0cef008dd1a97bd1c1215cdadfb6be3a.exe
  Resource: win10v2004-20231215-en
General

Target: 0cef008dd1a97bd1c1215cdadfb6be3a.exe
Size:   47KB
MD5:    0cef008dd1a97bd1c1215cdadfb6be3a
SHA1:   0c5704c392d34220b9788110627cc55afcc9c33f
SHA256: 2602572a4796a821b4e34c006db92a38b8de312e5c2f447a9a11b2061fd24101
SHA512: 94e29ae15ff3eb07770743dfcc3f5cf55122c22bce61d6b1c747304d6893231614f40af2cee05c0d07717f60a989416986f066701badd4f568da158c7dbf0ab6
SSDEEP: 768:3gdS9lYkqLiul1LroiVUcfS3hufoqHd7ypJtk13:3gdCeLiq1LhVUw+YfZdiJe
Malware Config
Signatures

Deletes itself (1 IoC)
  pid   Process
  1868  cmd.exe

Executes dropped EXE (1 IoC)
  pid   Process
  768   wtajyjir.exe

Loads dropped DLL (2 IoCs)
  pid   Process
  2912  0cef008dd1a97bd1c1215cdadfb6be3a.exe
  2912  0cef008dd1a97bd1c1215cdadfb6be3a.exe

Suspicious behavior: RenamesItself (1 IoC)
  pid   Process
  2912  0cef008dd1a97bd1c1215cdadfb6be3a.exe

Suspicious use of WriteProcessMemory (8 IoCs)
  description                    pid   Process                                procid_target
  PID 2912 wrote to memory of 768   2912  0cef008dd1a97bd1c1215cdadfb6be3a.exe  31
  PID 2912 wrote to memory of 768   2912  0cef008dd1a97bd1c1215cdadfb6be3a.exe  31
  PID 2912 wrote to memory of 768   2912  0cef008dd1a97bd1c1215cdadfb6be3a.exe  31
  PID 2912 wrote to memory of 768   2912  0cef008dd1a97bd1c1215cdadfb6be3a.exe  31
  PID 2912 wrote to memory of 1868  2912  0cef008dd1a97bd1c1215cdadfb6be3a.exe  32
  PID 2912 wrote to memory of 1868  2912  0cef008dd1a97bd1c1215cdadfb6be3a.exe  32
  PID 2912 wrote to memory of 1868  2912  0cef008dd1a97bd1c1215cdadfb6be3a.exe  32
  PID 2912 wrote to memory of 1868  2912  0cef008dd1a97bd1c1215cdadfb6be3a.exe  32
Processes

1. C:\Users\Admin\AppData\Local\Temp\0cef008dd1a97bd1c1215cdadfb6be3a.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\0cef008dd1a97bd1c1215cdadfb6be3a.exe"
   PID: 2912
   - Loads dropped DLL
   - Suspicious behavior: RenamesItself
   - Suspicious use of WriteProcessMemory

   2. C:\ProgramData\wrqlmnut\wtajyjir.exe
      Command line: C:\ProgramData\wrqlmnut\wtajyjir.exe
      PID: 768
      - Executes dropped EXE

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: /c del /f C:\Users\Admin\AppData\Local\Temp\0CEF00~1.EXE.bak >> NUL
      PID: 1868
      - Deletes itself
Network
MITRE ATT&CK Matrix
Downloads

Filesize: 47KB
MD5:      0cef008dd1a97bd1c1215cdadfb6be3a
SHA1:     0c5704c392d34220b9788110627cc55afcc9c33f
SHA256:   2602572a4796a821b4e34c006db92a38b8de312e5c2f447a9a11b2061fd24101
SHA512:   94e29ae15ff3eb07770743dfcc3f5cf55122c22bce61d6b1c747304d6893231614f40af2cee05c0d07717f60a989416986f066701badd4f568da158c7dbf0ab6