Analysis
- max time kernel: 32s
- max time network: 147s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 30/12/2023, 10:20
Behavioral task: behavioral1
- Sample: 15b7421962e1bb199d0fa96d0cccef45.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 15b7421962e1bb199d0fa96d0cccef45.exe
- Resource: win10v2004-20231215-en
General
- Target: 15b7421962e1bb199d0fa96d0cccef45.exe
- Size: 3.9MB
- MD5: 15b7421962e1bb199d0fa96d0cccef45
- SHA1: 9a618cf3a855ac1746ade2e4327acfb3521ed3e9
- SHA256: 830f2783f525b0c13539cd806c9b28db2582173bcadb5dd588221122247e610a
- SHA512: 06685191b5bb1989cd4d9a511075da866b43696a9fb891e7525cfa597165d3db7b7ef1e38b04ee349b3b7d1166cd23976953b11d8d77f721a3b670a829ae8e9d
- SSDEEP: 98304:WSh/5K6VA9zyULG+0dKz4DpvA9zyULG+zktKaxWA9zyULG+0dKz4DpvA9zyULG+:dp5KxzLq7ae4zLqCkwax3zLq7ae4zLq
Malware Config
Signatures
- Deletes itself (1 IoCs)
  pid 1152, process 15b7421962e1bb199d0fa96d0cccef45.exe
- Executes dropped EXE (1 IoCs)
  pid 1152, process 15b7421962e1bb199d0fa96d0cccef45.exe
- Loads dropped DLL (1 IoCs)
  pid 1424, process 15b7421962e1bb199d0fa96d0cccef45.exe
  resource / yara_rule:
  behavioral1/memory/1424-0-0x0000000000400000-0x000000000065C000-memory.dmp (upx)
  behavioral1/files/0x000a00000001225b-11.dat (upx)
  behavioral1/files/0x000a00000001225b-17.dat (upx)
  behavioral1/memory/1152-18-0x0000000000400000-0x000000000065C000-memory.dmp (upx)
  behavioral1/memory/1424-16-0x00000000236E0000-0x000000002393C000-memory.dmp (upx)
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid 2732, process schtasks.exe
- Suspicious behavior: RenamesItself (1 IoCs)
  pid 1424, process 15b7421962e1bb199d0fa96d0cccef45.exe
- Suspicious use of UnmapMainImage (2 IoCs)
  pid 1424, process 15b7421962e1bb199d0fa96d0cccef45.exe
  pid 1152, process 15b7421962e1bb199d0fa96d0cccef45.exe
- Suspicious use of WriteProcessMemory (16 IoCs)
  description | pid | Process | procid_target
  PID 1424 wrote to memory of 1152 | 1424 | 15b7421962e1bb199d0fa96d0cccef45.exe | 22 (4 entries)
  PID 1152 wrote to memory of 2732 | 1152 | 15b7421962e1bb199d0fa96d0cccef45.exe | 25 (4 entries)
  PID 1152 wrote to memory of 2700 | 1152 | 15b7421962e1bb199d0fa96d0cccef45.exe | 33 (4 entries)
  PID 2700 wrote to memory of 2588 | 2700 | cmd.exe | 34 (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\15b7421962e1bb199d0fa96d0cccef45.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\15b7421962e1bb199d0fa96d0cccef45.exe"
  - Loads dropped DLL
  - Suspicious behavior: RenamesItself
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID: 1424
  - C:\Users\Admin\AppData\Local\Temp\15b7421962e1bb199d0fa96d0cccef45.exe (depth 2)
    command line: C:\Users\Admin\AppData\Local\Temp\15b7421962e1bb199d0fa96d0cccef45.exe
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID: 1152
    - C:\Windows\SysWOW64\schtasks.exe (depth 3)
      command line: schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\15b7421962e1bb199d0fa96d0cccef45.exe" /TN MXmKXYLpa01b /F
      - Creates scheduled task(s)
      PID: 2732
    - C:\Windows\SysWOW64\cmd.exe (depth 3)
      command line: cmd.exe /c schtasks.exe /Query /XML /TN MXmKXYLpa01b > C:\Users\Admin\AppData\Local\Temp\pgjzMA.xml
      - Suspicious use of WriteProcessMemory
      PID: 2700
      - C:\Windows\SysWOW64\schtasks.exe (depth 4)
        command line: schtasks.exe /Query /XML /TN MXmKXYLpa01b
        PID: 2588
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 73KB
  MD5: 0636906a95265ae44d5a534f95dc53f0
  SHA1: bcec4563523924af389e7975312134611d900a7b
  SHA256: 6cdbd512d31a7c637bf5ba28ad9a67884128f462b13b4274bbef6cb266e1aa32
  SHA512: 9c19c77b0654b94eaa9a5ab63ffbb1d19b4c967d4cb984514b989322528875176d71643291626a4fdedabb18a905801172ccc2ed62187d2ae58ee66b3d55e3f5
- Filesize: 1KB
  MD5: 1289e2489febacab8ecba0a6d25428aa
  SHA1: da3fdc9eb3b6ec01ccb66217e351420bf3681826
  SHA256: 14ca38f6d8c498f3aa932143ad1d84d7d64b7c44ca1f42f947f037f6331e0f92
  SHA512: 4992bea3da3838b4237f04f7e5971d0339ce72e7012afcb41acfd17d77244f4d86248d3c5caf69643495a68fcd7bddc09d623230b81425d36c0582f1f78e4f2c
- Filesize: 92KB
  MD5: 0f82a447f70025a1bf934a7463133e57
  SHA1: 310d2ba4ea166f456b8b4119d0071f41bbed0bfd
  SHA256: 7755ecf90fa5e297fbc98aa78b1c21c2464a6171b1b196568f43054615337455
  SHA512: 9fdf4005989ad5956be3a564709f1c5567797f10e27639b8313b81f5b187a7f518f205c3ceada3e2ec39a014fdb750cb3a96ad81947feb6049d97de87dd5c448