Analysis
- max time kernel: 3s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 30/12/2023, 06:13
Behavioral task: behavioral1
- Sample: 10ca3f25dd2b399a59a604d5bdb94a0f.exe
- Resource: win7-20231215-en

Behavioral task: behavioral2
- Sample: 10ca3f25dd2b399a59a604d5bdb94a0f.exe
- Resource: win10v2004-20231215-en
General
- Target: 10ca3f25dd2b399a59a604d5bdb94a0f.exe
- Size: 5.1MB
- MD5: 10ca3f25dd2b399a59a604d5bdb94a0f
- SHA1: 14cae6fe7ac781ad35116e63bd725830027f8055
- SHA256: 9112816e37f6b9ee38670966a000845b41cbb8afeaf1fdd6d6279204660ee210
- SHA512: b960adbb9569b68f810896c1a88a3db63684687aa8b54c8ceb0b7b56a3e869da9bd80f28cfd9daebe3c9a8fd94adddb5fd31b2f1d7a96a966ada01ab6180d6d3
- SSDEEP: 98304:w6kgvet0T+43pK6fLTEQkhkfzzEezgs3:wKvrT+sfPGkr
Malware Config
Signatures
- Deletes itself (1 IoC)
  PID 2248  Process 10ca3f25dd2b399a59a604d5bdb94a0f.exe
- Executes dropped EXE (1 IoC)
  PID 2248  Process 10ca3f25dd2b399a59a604d5bdb94a0f.exe
- Loads dropped DLL (1 IoC)
  PID 2212  Process 10ca3f25dd2b399a59a604d5bdb94a0f.exe
- YARA rule matches
  resource                                                                     yara_rule
  behavioral1/memory/2212-0-0x0000000000400000-0x0000000000D9E000-memory.dmp   upx
  behavioral1/files/0x000b00000001225f-11.dat                                  upx
  behavioral1/files/0x000b00000001225f-15.dat                                  upx
  behavioral1/memory/2212-16-0x0000000004060000-0x00000000049FE000-memory.dmp  upx
  behavioral1/memory/2248-18-0x0000000000400000-0x0000000000D9E000-memory.dmp  upx
- Modifies system certificate store
  description       ioc                                                                                                                Process
  Key created       \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8        10ca3f25dd2b399a59a604d5bdb94a0f.exe
  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = [hex-encoded certificate blob]  10ca3f25dd2b399a59a604d5bdb94a0f.exe
- Suspicious behavior: RenamesItself (1 IoC)
  PID 2212  Process 10ca3f25dd2b399a59a604d5bdb94a0f.exe
- Suspicious use of UnmapMainImage (2 IoCs)
  PID 2212  Process 10ca3f25dd2b399a59a604d5bdb94a0f.exe
  PID 2248  Process 10ca3f25dd2b399a59a604d5bdb94a0f.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description                       pid   Process                               procid_target
  PID 2212 wrote to memory of 2248  2212  10ca3f25dd2b399a59a604d5bdb94a0f.exe  28
  PID 2212 wrote to memory of 2248  2212  10ca3f25dd2b399a59a604d5bdb94a0f.exe  28
  PID 2212 wrote to memory of 2248  2212  10ca3f25dd2b399a59a604d5bdb94a0f.exe  28
  PID 2212 wrote to memory of 2248  2212  10ca3f25dd2b399a59a604d5bdb94a0f.exe  28
Processes
- C:\Users\Admin\AppData\Local\Temp\10ca3f25dd2b399a59a604d5bdb94a0f.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\10ca3f25dd2b399a59a604d5bdb94a0f.exe"
  PID: 2212
  - Loads dropped DLL
  - Suspicious behavior: RenamesItself
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\10ca3f25dd2b399a59a604d5bdb94a0f.exe (level 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\10ca3f25dd2b399a59a604d5bdb94a0f.exe
    PID: 2248
    - Deletes itself
    - Executes dropped EXE
    - Modifies system certificate store
    - Suspicious use of UnmapMainImage
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 91KB
  MD5: bfe3ae91c8b6d0f13d5621a4f1882e7d
  SHA1: 7c23fd1ea2ce1561217a83cd9b8c798bbe9a4769
  SHA256: a1cd5350ff4ed0120a69b998c198d3124e3a332ae3f9f6175506aa5d63e36a9e
  SHA512: 3765a9f30e841ea05376616b06db8d5474e2aad4d43ed6e50bf324ce91e0e24ca98b8bfe1493344c13ba25c7c2a0042d7e2d3a55f623759a7a5844734405f7fd
- Filesize: 239KB
  MD5: fb2f71c08d7133ee4c6eb0a17353810a
  SHA1: 676298965d4b57eb079b109ada430dee398bc99a
  SHA256: 6731b2cf6772fc82c0ed3c764dd826a65d59836f430cf5581c3e125f10813051
  SHA512: 0a4281916f3100491d95431a740b306022f74d835867a74975c51041e927e3f64709f8dc80ca97313b65708b2150346faaa34a2b0f3742036472cb1a9ea21b06