Analysis
- max time kernel: 3s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 30/12/2023, 11:23
Static task: static1
Behavioral task: behavioral1
  Sample: 170afa23564ebc922d1f60b228fe49a8.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 170afa23564ebc922d1f60b228fe49a8.exe
  Resource: win10v2004-20231215-en
General
- Target: 170afa23564ebc922d1f60b228fe49a8.exe
- Size: 385KB
- MD5: 170afa23564ebc922d1f60b228fe49a8
- SHA1: 22a7ed8415e25b389495dcb0476ae13cc5850890
- SHA256: e8f5d067733aca74cb51f8c865a6a22b984af1ecd951cd8e7a14e1b111a4fe0a
- SHA512: 2fd1d1b2aa7c20f926f5fb005edd6ad8b9af97c42f220a702390c390df1c7f9a5a30abaf39e8158560412d7be26c84366be7c851a5497d9c2186501ff23909e9
- SSDEEP: 6144:vhWI/exImme8o62ezLLXVggORLry0Sfbp7b9pIw/YrfCB:M3XvezdggkkbhjI2YrfCB
Malware Config
Signatures
- Deletes itself (1 IoCs)
  PID 2448: 170afa23564ebc922d1f60b228fe49a8.exe
- Executes dropped EXE (1 IoCs)
  PID 2448: 170afa23564ebc922d1f60b228fe49a8.exe
- Loads dropped DLL (1 IoCs)
  PID 1776: 170afa23564ebc922d1f60b228fe49a8.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
- Suspicious behavior: RenamesItself (1 IoCs)
  PID 1776: 170afa23564ebc922d1f60b228fe49a8.exe
- Suspicious use of UnmapMainImage (2 IoCs)
  PID 1776: 170afa23564ebc922d1f60b228fe49a8.exe
  PID 2448: 170afa23564ebc922d1f60b228fe49a8.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target
  PID 1776 wrote to memory of 2448 | 1776 | 170afa23564ebc922d1f60b228fe49a8.exe | 14
  PID 1776 wrote to memory of 2448 | 1776 | 170afa23564ebc922d1f60b228fe49a8.exe | 14
  PID 1776 wrote to memory of 2448 | 1776 | 170afa23564ebc922d1f60b228fe49a8.exe | 14
  PID 1776 wrote to memory of 2448 | 1776 | 170afa23564ebc922d1f60b228fe49a8.exe | 14
Processes
- C:\Users\Admin\AppData\Local\Temp\170afa23564ebc922d1f60b228fe49a8.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\170afa23564ebc922d1f60b228fe49a8.exe
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID: 2448
- C:\Users\Admin\AppData\Local\Temp\170afa23564ebc922d1f60b228fe49a8.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\170afa23564ebc922d1f60b228fe49a8.exe"
  - Loads dropped DLL
  - Suspicious behavior: RenamesItself
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID: 1776
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 24KB
  MD5: 4edd9d29aa08413031212c994b8000eb
  SHA1: f75df23ba7588ae273eec0af8897ba310754a34f
  SHA256: e71f52d12b38f4f4291b650bbb1158e088ec1f3151dd9a4bcc2bd146941f116b
  SHA512: c3594427daa560e366bb613cd9c8649e169a53b9a55b46b57b7ae8afe5ebf36f6c94c8ba871d097eb60dd66dbc59571a815c666cace5fa72ac2d274d36654f9a
- Filesize: 26KB
  MD5: 013f1ae581b1d067fb520c95288aeb64
  SHA1: cc07ffa42075fa0ef6f18904e56e74bb111bf004
  SHA256: 1f15169501454e640f7108939dd4eede81e4c4699836793a57709dc59a09282c
  SHA512: 808a7d7a0f3ddc2095e64ce716d5d9a3af61999245b1cdee25e62eb3331ed18bfc25107f8ccf1728f9864a97c356e6dae1338eb870a2b8ba9c41aded7437a881