Analysis
max time kernel: 120s
max time network: 126s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 31/12/2023, 00:34
Behavioral task behavioral1
Sample: 21df7b89e709cb3f8d3dec426de9db49.exe
Resource: win7-20231215-en

Behavioral task behavioral2
Sample: 21df7b89e709cb3f8d3dec426de9db49.exe
Resource: win10v2004-20231222-en
General
Target: 21df7b89e709cb3f8d3dec426de9db49.exe
Size: 1.3MB
MD5: 21df7b89e709cb3f8d3dec426de9db49
SHA1: 646cf7f0366f2dbc7c49594420772f9bd7f7ea05
SHA256: 02236c199aef0eb74f2131038a2e22d17d46be9fb57c0f3733b2571d44fffd39
SHA512: a217184c9a94a7dffa9f02e64f6ca537c9f6324a6bdca982a5c38531b1a36c6047c9c5ef47069bd3c556d903eebab23325b64b9cae05825fefee2afddeb82ad6
SSDEEP: 24576:vQJ45dmKJXUkQMaaNZxU2D8JWkjJMZ2nCSXuZ7XXoV5diuRucdkgWc:UodLBEa7C22zJMZwvuZEBiuRuwvp
Malware Config
Signatures
Deletes itself (1 IoC)
  PID 2732  21df7b89e709cb3f8d3dec426de9db49.exe
Executes dropped EXE (1 IoC)
  PID 2732  21df7b89e709cb3f8d3dec426de9db49.exe
Loads dropped DLL (1 IoC)
  PID 624  21df7b89e709cb3f8d3dec426de9db49.exe
yara rule upx (6 matches)
  behavioral1/memory/624-0-0x0000000000400000-0x00000000008EF000-memory.dmp
  behavioral1/files/0x000b000000012261-10.dat
  behavioral1/files/0x000b000000012261-15.dat
  behavioral1/memory/2732-16-0x0000000000400000-0x00000000008EF000-memory.dmp
  behavioral1/memory/624-14-0x00000000034D0000-0x00000000039BF000-memory.dmp
  behavioral1/files/0x000b000000012261-12.dat
Suspicious behavior: RenamesItself (1 IoC)
  PID 624  21df7b89e709cb3f8d3dec426de9db49.exe
Suspicious use of UnmapMainImage (2 IoCs)
  PID 624   21df7b89e709cb3f8d3dec426de9db49.exe
  PID 2732  21df7b89e709cb3f8d3dec426de9db49.exe
Suspicious use of WriteProcessMemory (4 IoCs)
  description                       pid  Process                               procid_target
  PID 624 wrote to memory of 2732   624  21df7b89e709cb3f8d3dec426de9db49.exe  28
  PID 624 wrote to memory of 2732   624  21df7b89e709cb3f8d3dec426de9db49.exe  28
  PID 624 wrote to memory of 2732   624  21df7b89e709cb3f8d3dec426de9db49.exe  28
  PID 624 wrote to memory of 2732   624  21df7b89e709cb3f8d3dec426de9db49.exe  28
Processes
1. C:\Users\Admin\AppData\Local\Temp\21df7b89e709cb3f8d3dec426de9db49.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\21df7b89e709cb3f8d3dec426de9db49.exe"
   PID: 624
   - Loads dropped DLL
   - Suspicious behavior: RenamesItself
   - Suspicious use of UnmapMainImage
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\21df7b89e709cb3f8d3dec426de9db49.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\21df7b89e709cb3f8d3dec426de9db49.exe
      PID: 2732
      - Deletes itself
      - Executes dropped EXE
      - Suspicious use of UnmapMainImage
Network
MITRE ATT&CK Matrix
Downloads
Filesize: 980KB
MD5: 32ad738f7117ef0ccd87e99d52e30415
SHA1: d86a12d2bd57b972faeaf2cb24dcbff220412492
SHA256: fc1e316aa31ccf651341e4a4b2300282114dbfc39af591c31531a2119c8f0d06
SHA512: 75892d6befe5d6d1d0cf5d6f780a1a97a42a1c436e30ec5ec953728f65ebb32d94c08d6027220bd9193c86aac822bf3817545e73dce899eda43edb39e63d3144

Filesize: 576KB
MD5: 4b3fd9429d6b030225bb8b91d42395e1
SHA1: 55ba39fcf46368778e14808769c9c699721e9401
SHA256: 44e4a48c9cc1da3438eb108e0e0a51f26ece0857e1d8c953ae2051e39bf9c3d1
SHA512: bdde7e96ee48ac18daa76443959b142949ead26d830db237a1b3f9461f5f57205e82828710e9de67875b93077e9cef34684e266726a978a6a5368b593ee6dade

Filesize: 1.3MB
MD5: 5e5ed1028375c13a3b159f7f6128dfac
SHA1: 3ba5444973f64d94afdfd16e9aad1eafe436f5fc
SHA256: 432b38f86ba293b8237b2f9643869f30297cfe6450662a3f033ad6253cf797ee
SHA512: 340859137b256c8689c596b488a104536d1ad8b0057dffb9efc2bc00f6ac479f2368bea89e46ef1d177dc8b32e7d280da731c48914f4d44cd9bc55696934d631