Analysis
- max time kernel: 143s
- max time network: 162s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 30/12/2023, 13:09
Behavioral task: behavioral1
- Sample: 1982c964128c8180d02c2133a6e12dc0.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 1982c964128c8180d02c2133a6e12dc0.exe
- Resource: win10v2004-20231215-en
General
- Target: 1982c964128c8180d02c2133a6e12dc0.exe
- Size: 2.7MB
- MD5: 1982c964128c8180d02c2133a6e12dc0
- SHA1: 8ac98173a21f9d75abbda931edfe15ba4eb55219
- SHA256: 9d611f051778970b345bc0fa399d7a30ad7d94a021007a8f3877ea672fbb29b9
- SHA512: 1c99843f502fb14870a00a94eb1e9063dbc7461034385e95ea8420448589b83bc1dc2af8095a4b84dc06a83b8af8503337573581aa96fe7e2c23bad8f6e76ed7
- SSDEEP: 49152:QT0hn4fwvgA2C78R8834pm0rdD+yWR92i0QacYAxcU63DMcbGBAJUGuaR9j:QT0hlvP248RH3g9SH2hOYgcn3eBAJ7Hj
Malware Config
Signatures
- Deletes itself (1 IoC)
  pid | Process
  1888 | 1982c964128c8180d02c2133a6e12dc0.exe
- Executes dropped EXE (1 IoC)
  pid | Process
  1888 | 1982c964128c8180d02c2133a6e12dc0.exe
- Loads dropped DLL (1 IoC)
  pid | Process
  2820 | 1982c964128c8180d02c2133a6e12dc0.exe
- YARA matches
  resource | yara_rule
  behavioral1/memory/2820-0-0x0000000000400000-0x00000000008E7000-memory.dmp | upx
  behavioral1/files/0x0004000000004ed7-11.dat | upx
  behavioral1/memory/2820-15-0x0000000003770000-0x0000000003C57000-memory.dmp | upx
  behavioral1/memory/1888-17-0x0000000000400000-0x00000000008E7000-memory.dmp | upx
  behavioral1/files/0x0004000000004ed7-14.dat | upx
- Suspicious behavior: RenamesItself (1 IoC)
  pid | Process
  2820 | 1982c964128c8180d02c2133a6e12dc0.exe
- Suspicious use of UnmapMainImage (2 IoCs)
  pid | Process
  2820 | 1982c964128c8180d02c2133a6e12dc0.exe
  1888 | 1982c964128c8180d02c2133a6e12dc0.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target
  PID 2820 wrote to memory of 1888 | 2820 | 1982c964128c8180d02c2133a6e12dc0.exe | 27
  PID 2820 wrote to memory of 1888 | 2820 | 1982c964128c8180d02c2133a6e12dc0.exe | 27
  PID 2820 wrote to memory of 1888 | 2820 | 1982c964128c8180d02c2133a6e12dc0.exe | 27
  PID 2820 wrote to memory of 1888 | 2820 | 1982c964128c8180d02c2133a6e12dc0.exe | 27
Processes
1. C:\Users\Admin\AppData\Local\Temp\1982c964128c8180d02c2133a6e12dc0.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\1982c964128c8180d02c2133a6e12dc0.exe"
   PID: 2820
   - Loads dropped DLL
   - Suspicious behavior: RenamesItself
   - Suspicious use of UnmapMainImage
   - Suspicious use of WriteProcessMemory
   2. (child process, tree depth 2) C:\Users\Admin\AppData\Local\Temp\1982c964128c8180d02c2133a6e12dc0.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\1982c964128c8180d02c2133a6e12dc0.exe
      PID: 1888
      - Deletes itself
      - Executes dropped EXE
      - Suspicious use of UnmapMainImage
Network
MITRE ATT&CK Matrix
Downloads
- Dropped file 1
  Filesize: 1.2MB
  MD5: 5f195999d3a350d90982dfe7165f2739
  SHA1: 1460be4c00247bcc4eadfbd82933a2e3f9052bde
  SHA256: 6a36b82b6108b50e2e1ba56be6a3ed701d10d97e49c593dd5608c01e1f0b1e40
  SHA512: 108794fe1ba3c63d6b7daa0de45d6639d390e8769c1a7b3f86664ac19432aad72332ed12059b030ef61f008ec494d1c02b6bb62d8a77120808361bdec7e919eb
- Dropped file 2
  Filesize: 2.4MB
  MD5: c414ec0248679e8c5603a103d0a496c7
  SHA1: 05e5c8a4630c54f95f6d97680e1c840108041ca3
  SHA256: af1b571257f3a6c696d0dc1aea98b7917b90419ef46b47c1ecab54bd71019ba7
  SHA512: c7d08f0604ca3b80ca155c05ccfe5bccda81100c24a2d0eb828b6ca9ae1f695a60a1493b981caa42addcf3af23e688389039a9d205bf506f3c8fa57f0224b31a