Analysis
- max time kernel: 24s
- max time network: 158s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30/12/2023, 07:41
Behavioral task
behavioral1
Sample
1269132bab2e13125eb368531b010039.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
1269132bab2e13125eb368531b010039.exe
Resource
win10v2004-20231215-en
General
-
Target
1269132bab2e13125eb368531b010039.exe
-
Size
219KB
-
MD5
1269132bab2e13125eb368531b010039
-
SHA1
0bf11c5c4b491589d5a80222ff1c2ba054013cd2
-
SHA256
bdcee4aff241d86bb674ea37bccf2ee9107b9c77bf75a241caad161af9cb8789
-
SHA512
82ed70558b97dd36f45288d571f096aa456cca5415268c3a5c5385d808c684ccc38bc4f499811a4617621322c045f71224454e30cb0eeece0c3b3a57d3adf01f
-
SSDEEP
3072:HusMdsG4h2QnZsPm+FFDmVLNW4R6UwUa0I0S7lIPvCdbCNHkCiPxiU16jwKc:HTMdnEl+hFMBWne1SSP6nCi1
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid: 1252  Process: Gjilua.exe
-
YARA rule upx (UPX-packed image and dropped file) 4 IoCs
resource: behavioral2/memory/2668-0-0x0000000000400000-0x0000000000473000-memory.dmp  yara_rule: upx
resource: behavioral2/memory/2668-2-0x0000000000400000-0x0000000000473000-memory.dmp  yara_rule: upx
resource: behavioral2/files/0x0006000000023222-12.dat  yara_rule: upx
resource: behavioral2/files/0x0006000000023222-13.dat  yara_rule: upx
-
Drops file in Windows directory 4 IoCs
description: File created  ioc: C:\Windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job  Process: 1269132bab2e13125eb368531b010039.exe
description: File opened for modification  ioc: C:\Windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job  Process: 1269132bab2e13125eb368531b010039.exe
description: File created  ioc: C:\Windows\Gjilua.exe  Process: 1269132bab2e13125eb368531b010039.exe
description: File opened for modification  ioc: C:\Windows\Gjilua.exe  Process: 1269132bab2e13125eb368531b010039.exe
-
Program crash 1 IoCs
pid: 1608  pid_target: 1252  Process: WerFault.exe  procid_target: 97
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid: 2668  Process: 1269132bab2e13125eb368531b010039.exe
-
Suspicious use of WriteProcessMemory 3 IoCs
description: PID 2668 wrote to memory of 1252  pid: 2668  Process: 1269132bab2e13125eb368531b010039.exe  procid_target: 97
description: PID 2668 wrote to memory of 1252  pid: 2668  Process: 1269132bab2e13125eb368531b010039.exe  procid_target: 97
description: PID 2668 wrote to memory of 1252  pid: 2668  Process: 1269132bab2e13125eb368531b010039.exe  procid_target: 97
Processes
-
C:\Users\Admin\AppData\Local\Temp\1269132bab2e13125eb368531b010039.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\1269132bab2e13125eb368531b010039.exe"
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  PID:2668
  └ C:\Windows\Gjilua.exe
    command line: C:\Windows\Gjilua.exe
    - Executes dropped EXE
    PID:1252
    └ C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1252 -s 928
      - Program crash
      PID:1608
C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1252 -ip 1252
  PID:3912
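The Signatures and Processes sections above are the kind of behaviour a detection engineer turns into rules: a .job file written to the legacy AT task folder, an executable dropped directly under C:\Windows and then launched by the dropper, the dropper writing into its own child's memory, and WerFault being spawned for that child. The following script is an added example, not tria.ge's code: it replays those rules over a constructed API/file trace that reuses the PIDs and paths from this report (plus one benign process), and tallies IoCs per rule the way the report does. The event dictionary shapes and field names are assumptions made for the example.

```python
"""Added example: the behaviour rules from the report's Signatures section,
run over a constructed event trace. Not tria.ge code; event fields are assumed."""
import re
from collections import Counter

# File-system IoCs taken from the report's "Drops file in Windows directory" table.
REPORT_IOCS = {
    r"c:\windows\gjilua.exe",
    r"c:\windows\tasks\{35dc3473-a719-4d14-b7c1-fd326ca84a0c}.job",
}

# Generalisations of those IoCs: any .job dropped into the legacy AT task folder,
# any executable dropped directly under C:\Windows (not a subfolder).
JOB_IN_TASKS = re.compile(r"^c:\\windows\\tasks\\[^\\]+\.job$")
EXE_IN_WINDOWS_ROOT = re.compile(r"^c:\\windows\\[^\\]+\.exe$")
# "WerFault.exe ... -p <pid>" names the crashing process; "-pss" is a different flag
# and is skipped because the pattern requires whitespace after "-p".
WERFAULT_TARGET = re.compile(r"werfault\.exe.*\s-p\s+(\d+)", re.I)


def _norm(path):
    return path.lower()


def detect(events):
    """Run the report's behaviour rules over a list of event dicts.

    Assumed event shapes (modelled on the report's IoC columns):
      {"kind": "ProcessCreate", "pid", "ppid", "image", "cmdline"}
      {"kind": "FileCreate", "pid", "image", "path"}
      {"kind": "WriteProcessMemory", "pid", "image", "target_pid"}
    Returns a list of (rule_name, detail) tuples, one per IoC.
    """
    procs = {}     # pid -> its ProcessCreate event
    dropped = {}   # pid -> set of normalised paths that pid created
    findings = []

    for e in events:
        kind = e["kind"]
        if kind == "FileCreate":
            path = _norm(e["path"])
            dropped.setdefault(e["pid"], set()).add(path)
            if path in REPORT_IOCS:
                findings.append(("Matches report IoC", e["path"]))
            if JOB_IN_TASKS.match(path) or EXE_IN_WINDOWS_ROOT.match(path):
                findings.append(("Drops file in Windows directory",
                                 f"{e['image']} (PID {e['pid']}) -> {e['path']}"))
        elif kind == "ProcessCreate":
            procs[e["pid"]] = e
            # The child's image was written by its parent earlier in the trace.
            if _norm(e["image"]) in dropped.get(e["ppid"], set()):
                findings.append(("Executes dropped EXE",
                                 f"PID {e['ppid']} launched {e['image']} as PID {e['pid']}"))
            m = WERFAULT_TARGET.search(e["cmdline"])
            if m:
                crashed = procs.get(int(m.group(1)))
                all_dropped = set().union(*dropped.values())
                # Only flag crashes of a binary that something in the trace dropped.
                if crashed and _norm(crashed["image"]) in all_dropped:
                    findings.append(("Program crash",
                                     f"WerFault PID {e['pid']} for PID {crashed['pid']} ({crashed['image']})"))
        elif kind == "WriteProcessMemory":
            target = procs.get(e["target_pid"])
            # A parent writing into a child it spawned is the injection/hollowing shape.
            if target and target["ppid"] == e["pid"]:
                findings.append(("Suspicious use of WriteProcessMemory",
                                 f"PID {e['pid']} wrote to memory of child PID {e['target_pid']}"))
    return findings


def summarize(findings):
    """Count IoCs per rule, like the '<rule> N IoCs' headings in the report."""
    return dict(Counter(rule for rule, _ in findings))


# Constructed trace reproducing the PIDs and paths from the report's Processes tree,
# followed by an ordinary notepad session that should trigger nothing.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\1269132bab2e13125eb368531b010039.exe"
TRACE = [
    {"kind": "ProcessCreate", "pid": 2668, "ppid": 1, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"kind": "FileCreate", "pid": 2668, "image": SAMPLE,
     "path": r"C:\Windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job"},
    {"kind": "FileCreate", "pid": 2668, "image": SAMPLE, "path": r"C:\Windows\Gjilua.exe"},
    {"kind": "ProcessCreate", "pid": 1252, "ppid": 2668, "image": r"C:\Windows\Gjilua.exe",
     "cmdline": r"C:\Windows\Gjilua.exe"},
    *[{"kind": "WriteProcessMemory", "pid": 2668, "image": SAMPLE, "target_pid": 1252}] * 3,
    {"kind": "ProcessCreate", "pid": 1608, "ppid": 1252, "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -u -p 1252 -s 928"},
    {"kind": "ProcessCreate", "pid": 3000, "ppid": 1, "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe"},
    {"kind": "FileCreate", "pid": 3000, "image": r"C:\Windows\System32\notepad.exe",
     "path": r"C:\Users\Admin\Documents\notes.txt"},
]

if __name__ == "__main__":
    for rule, detail in detect(TRACE):
        print(f"{rule}: {detail}")
    print(summarize(detect(TRACE)))
```

On the constructed trace the tallies match the report (2 path hits against the report's IoCs, 2 drops into the Windows directory, 1 dropped EXE executed, 3 WriteProcessMemory calls into the child, 1 WerFault crash of the dropped binary) and the notepad events produce nothing. The WriteProcessMemory rule is deliberately narrow (parent into its own fresh child); widening it to any cross-process write will catch debuggers and some legitimate installers, so tune it against your own baseline before deploying.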
Network
MITRE ATT&CK Matrix
Downloads
-
Filesize
17KB
MD5
b66f9c0edb47bb50c1c15aa3e8bd1201
SHA1
809415acd3d1bdce6adfd65eba75160a8176c6c6
SHA256
df04f10730e4aa9d0414be0a0ed4806c0adaf1248da9a14fe5079bdd109a225c
SHA512
95991a3cbe7e521eae51578ca96da5e3b072272a8ff24e53864cb74360297beec1fd7c5795bd487dc6efd3c42cdb6427ed1071b11507f30bb85563aaccf1ca4d
-
Filesize
32KB
MD5
ee3450d29237e630d9187edb9da872e5
SHA1
56a0ebc9f93ea09e2090933141e30c81d15518f2
SHA256
c457d94b36ebbd3d28776a309c35124705c5b25350eface6be5022a7a6bbbf31
SHA512
361aebbf985fd69bc44c9f03a1bfb900bca2966928a2d31695aeea07f35d1ef09b9a632b6aae67eabf6679a74793c0ac2f57a16a400179f4ec7f2d81e03ddf2a
-
Filesize
362B
MD5
e9ff8bd043f14a297f1a340d56863fca
SHA1
670f27c136b4d0118b41dccfb24acd26cb84724a
SHA256
93068df7a78ecd5165dc3fb55b3644bf5fafb66ce1cf37190f76aebebd5f8fa7
SHA512
beb0bc19e5629f954592ef8fd32a41e4f10384f5ecb53ed2b1bae9607bb0d494df6399d37b2c58244f7342a3a89d87e22affa157f6072d9d38bccac9557c0401