Analysis
max time kernel: 121s
max time network: 147s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 31/12/2023, 00:06
Behavioral task: behavioral1
Sample: 2112644c978fa5f73525fc9cc109de54.exe
Resource: win7-20231215-en
Behavioral task: behavioral2
Sample: 2112644c978fa5f73525fc9cc109de54.exe
Resource: win10v2004-20231215-en
General
Target: 2112644c978fa5f73525fc9cc109de54.exe
Size: 1.3MB
MD5: 2112644c978fa5f73525fc9cc109de54
SHA1: 9574740174a1f1d51e3ba7138f44f9badbb0b7a5
SHA256: a219618e67d113573c5d3d2638705f670415ba28ea8508e1fec029a2a877df2c
SHA512: 22bee2905fff68af011223bdf8a64d2b3f30c359ff46bebbba0d1fdbd60b8b132a0f03079d7982b8a804451f079901a95d9f646b2d3dc0618f073c76f4cf6639
SSDEEP: 24576:ovDm8UhABGFhs7VgcL3UalJRpbO6bpqcl0F6hJivNEshWc:ovDu9FhNAX/RpC6bpqLUhMhp
Malware Config
Signatures
Deletes itself (1 IoC)
    pid 2976  2112644c978fa5f73525fc9cc109de54.exe
Executes dropped EXE (1 IoC)
    pid 2976  2112644c978fa5f73525fc9cc109de54.exe
Loads dropped DLL (1 IoC)
    pid 1816  2112644c978fa5f73525fc9cc109de54.exe
YARA rule matches (4 IoCs)
    resource                                                                        yara_rule
    behavioral1/memory/1816-0-0x0000000000400000-0x00000000008EF000-memory.dmp      upx
    behavioral1/files/0x000a00000001225b-10.dat                                     upx
    behavioral1/memory/1816-15-0x00000000034D0000-0x00000000039BF000-memory.dmp     upx
    behavioral1/files/0x000a00000001225b-13.dat                                     upx
Suspicious behavior: RenamesItself (1 IoC)
    pid 1816  2112644c978fa5f73525fc9cc109de54.exe
Suspicious use of UnmapMainImage (2 IoCs)
    pid 1816  2112644c978fa5f73525fc9cc109de54.exe
    pid 2976  2112644c978fa5f73525fc9cc109de54.exe
Suspicious use of WriteProcessMemory (4 IoCs)
    description                         pid   Process                                procid_target
    PID 1816 wrote to memory of 2976    1816  2112644c978fa5f73525fc9cc109de54.exe   26
    PID 1816 wrote to memory of 2976    1816  2112644c978fa5f73525fc9cc109de54.exe   26
    PID 1816 wrote to memory of 2976    1816  2112644c978fa5f73525fc9cc109de54.exe   26
    PID 1816 wrote to memory of 2976    1816  2112644c978fa5f73525fc9cc109de54.exe   26
Processes
1. C:\Users\Admin\AppData\Local\Temp\2112644c978fa5f73525fc9cc109de54.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\2112644c978fa5f73525fc9cc109de54.exe"
   PID: 1816
   - Loads dropped DLL
   - Suspicious behavior: RenamesItself
   - Suspicious use of UnmapMainImage
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\2112644c978fa5f73525fc9cc109de54.exe (child of PID 1816)
      Command line: C:\Users\Admin\AppData\Local\Temp\2112644c978fa5f73525fc9cc109de54.exe
      PID: 2976
      - Deletes itself
      - Executes dropped EXE
      - Suspicious use of UnmapMainImage
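The Signatures and Processes sections together show one pattern worth pulling out of the raw IoC lines: PID 1816 spawns a child running the same image, writes into it four times, and both processes unmap their main image, after which the child deletes the original. The following is an added example, not part of the tria.ge report or platform, that flags that parent-writes-into-same-image-child pattern from event records. The process table and event list are constructed from the report's own lines; the dict layout, field names and the `find_self_injection` function are assumptions for illustration.

```python
"""Flag a parent process writing into a child that runs the same image,
the pattern recorded in the report's Signatures and Processes sections.

Added example: not the report's or tria.ge's own code. PROCESSES and EVENTS
are constructed from the report's IoC lines; the record layout is assumed.
"""
from collections import Counter
import ntpath

IMAGE = r"C:\Users\Admin\AppData\Local\Temp\2112644c978fa5f73525fc9cc109de54.exe"

# Constructed from the Processes section: pid -> image path and parent pid.
PROCESSES = {
    1816: {"image": IMAGE, "ppid": None},
    2976: {"image": IMAGE, "ppid": 1816},
}

# Constructed from the Signatures section, one record per IoC line.
EVENTS = (
    [{"sig": "WriteProcessMemory", "pid": 1816, "target": 2976}] * 4
    + [
        {"sig": "UnmapMainImage", "pid": 1816},
        {"sig": "UnmapMainImage", "pid": 2976},
        {"sig": "RenamesItself", "pid": 1816},
        {"sig": "Executes dropped EXE", "pid": 2976},
        {"sig": "Deletes itself", "pid": 2976},
    ]
)


def find_self_injection(processes, events):
    """Return one finding per (writer, target) pair where a process wrote
    into its own child and the child runs the same image name.

    A finding records the number of writes and whether the target also
    unmapped its main image; writes plus an unmapped target in a same-image
    child read as hollowing-style self-injection rather than a plain launch.
    """
    writes = Counter(
        (e["pid"], e["target"]) for e in events if e["sig"] == "WriteProcessMemory"
    )
    unmapped = {e["pid"] for e in events if e["sig"] == "UnmapMainImage"}

    findings = []
    for (writer, target), count in sorted(writes.items()):
        w, t = processes.get(writer), processes.get(target)
        if w is None or t is None:
            continue  # pid not in the tree; cannot judge the relationship
        if t["ppid"] != writer:
            continue  # writing into an unrelated process is a different pattern
        if ntpath.basename(w["image"]).lower() != ntpath.basename(t["image"]).lower():
            continue  # parent injecting into a different binary is out of scope here
        hollowed = target in unmapped
        findings.append({
            "writer": writer,
            "target": target,
            "writes": count,
            "target_unmapped": hollowed,
            "severity": "high" if hollowed else "medium",
        })
    return findings


if __name__ == "__main__":
    for finding in find_self_injection(PROCESSES, EVENTS):
        print(finding)
```

Run against the constructed records the function returns a single high-severity finding for 1816 writing into 2976; strip the WriteProcessMemory events and it returns nothing, because a same-image child launch on its own is not enough to flag.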
Network
MITRE ATT&CK Matrix
Downloads
File 1
Filesize: 39KB
MD5: 9ba5b600421646fbc255e477d5fe71e3
SHA1: 0d258fbcb4ee9d3aefc39980a9e9bc82d29c93aa
SHA256: fac0a85c13b1c3d58739efb0917e78fc32fb1ff745c20080c4184f175745cb7c
SHA512: 6fc4512481d878fe8df2da777d5164dacd9def051e0aa783fc7138af61a1bb19021cd2f6cb1a2cf44a6fbd98e340a3960ed26fb912b60966e2a395ac0f9f5dd8
File 2
Filesize: 158KB
MD5: 8a239975086e3eeb7c0ed4c8dbf2e3f6
SHA1: 04abcd5fbadc97c0df90e93575778ce3e9d9bb69
SHA256: e9235dbc424b9a54c7cb23b42d138f083735465bbb77a8ed89065be37bae7d77
SHA512: ef1c60afdf98bb3018f9c4827e52abdbe39617f688b3f623e74f46a66752a4a4f652addd82885857dc81894fe87dab8acbeb3ef6a2cb1e29695f70b352eef7ba