Analysis
  max time kernel: 139s
  max time network: 140s
  platform: windows7_x64
  resource: win7-20231215-en
  resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  submitted: 31/12/2023, 00:01
Behavioral task: behavioral1
  Sample: 20ebb900d939109c2c237f8be5b28e06.exe
  Resource: win7-20231215-en

Behavioral task: behavioral2
  Sample: 20ebb900d939109c2c237f8be5b28e06.exe
  Resource: win10v2004-20231215-en
General
  Target: 20ebb900d939109c2c237f8be5b28e06.exe
  Size: 5.3MB
  MD5: 20ebb900d939109c2c237f8be5b28e06
  SHA1: 3d7eb534e871bb2bfaee6dc1ca4bd5b789ec8bb6
  SHA256: b78a195933dec6429ed40db4653efef8f71bb2e38ad25c859f648a52baf664d6
  SHA512: e049bb4e646852cb9708b978e8ddc766d8175922954111a3d2a6da7caf7c0060b741ee78675be93fdae6f4194de2118250e763cb52d4e9248bcf59e3bb8b9dc0
  SSDEEP: 98304:0UWgM4muNBLOoHktBcwQDM2YIDULHHQNddxWMEQlgjHktBcwQDM2YIDULHt:tWg0M1zschDHIUzlgjschDHIN
Malware Config

Signatures

  Deletes itself (1 IoCs)
    pid   Process
    3068  20ebb900d939109c2c237f8be5b28e06.exe

  Executes dropped EXE (1 IoCs)
    pid   Process
    3068  20ebb900d939109c2c237f8be5b28e06.exe

  Loads dropped DLL (1 IoCs)
    pid   Process
    1152  20ebb900d939109c2c237f8be5b28e06.exe

  (signature name not present on the page; yara matches only)
    resource                                                                  yara_rule
    behavioral1/memory/1152-1-0x0000000000400000-0x00000000008E7000-memory.dmp   upx
    behavioral1/memory/1152-16-0x0000000003D50000-0x0000000004237000-memory.dmp  upx
    behavioral1/files/0x000c000000012242-14.dat                                  upx
    behavioral1/files/0x000c000000012242-10.dat                                  upx

  Suspicious behavior: RenamesItself (1 IoCs)
    pid   Process
    1152  20ebb900d939109c2c237f8be5b28e06.exe

  Suspicious use of UnmapMainImage (2 IoCs)
    pid   Process
    1152  20ebb900d939109c2c237f8be5b28e06.exe
    3068  20ebb900d939109c2c237f8be5b28e06.exe

  Suspicious use of WriteProcessMemory (4 IoCs)
    description                         pid   Process                                procid_target
    PID 1152 wrote to memory of 3068    1152  20ebb900d939109c2c237f8be5b28e06.exe   28
    PID 1152 wrote to memory of 3068    1152  20ebb900d939109c2c237f8be5b28e06.exe   28
    PID 1152 wrote to memory of 3068    1152  20ebb900d939109c2c237f8be5b28e06.exe   28
    PID 1152 wrote to memory of 3068    1152  20ebb900d939109c2c237f8be5b28e06.exe   28
Processes

  [1] C:\Users\Admin\AppData\Local\Temp\20ebb900d939109c2c237f8be5b28e06.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\20ebb900d939109c2c237f8be5b28e06.exe"
      PID: 1152
      - Loads dropped DLL
      - Suspicious behavior: RenamesItself
      - Suspicious use of UnmapMainImage
      - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\20ebb900d939109c2c237f8be5b28e06.exe
        command line: C:\Users\Admin\AppData\Local\Temp\20ebb900d939109c2c237f8be5b28e06.exe
        PID: 3068
        - Deletes itself
        - Executes dropped EXE
        - Suspicious use of UnmapMainImage
Network
MITRE ATT&CK Matrix
Downloads

  Filesize: 381KB
  MD5: 319c1fb4efa8ca5866171aaf48a8e214
  SHA1: 393a3de445ced4f1550ea30e11d5de39081cedf2
  SHA256: a3f21a2b689464b589db952024fdceb9be9cad5b6de62a34464cbbdcf9fbd794
  SHA512: f60c164dac8ad97c29b7eed95faede499fed3716e93ca6661455b2654be646e071f957f111de33a1a36d69e770b445d2689e9473223ae3a5cb1eadb8ab8ad940

  Filesize: 894KB
  MD5: 1e8abd8665102f9af51dea144cdba40c
  SHA1: fc5a4f7f5ee913b7d7491fc763f7f9a3afd9ec66
  SHA256: dd9d41925641ddea1a53230a5a9abe535f4b8f0a03d6a7df998cd9e563a30936
  SHA512: 4de629e2eccee1ae37a75ca12790bfe7d9f9744b84daf99ce962ab1e55e98e58d5aa6bb135210c694c3f95eb4497297274059dba30c67ca1fa1a731e49f7ee4a