Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 141s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 31/12/2023, 02:35
Static task: static1
Behavioral task: behavioral1
- Sample: 24aa2147f860007f151193a902987783.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 24aa2147f860007f151193a902987783.exe
- Resource: win10v2004-20231222-en
General
- Target: 24aa2147f860007f151193a902987783.exe
- Size: 18KB
- MD5: 24aa2147f860007f151193a902987783
- SHA1: ab6f3c1f5a03e1fe48566a85a44641f0e95a910f
- SHA256: 18894690e6634617b06f2b6d27710696edaed54bd40fd4462d408213560d1252
- SHA512: 3a2f0f4752ceafc1a7d88799ba2f4da06db32209435c47e1ab5e0f15dc182ba450cc9caf4ef1519b7b147d7dc80ee02c4fcd7d42ff43f22bb1d90a01721c4869
- SSDEEP: 384:mnrHV2vDWpqoiQzNAgw5StyRRI9OfQCjvYg3FLJWQBrlqhTl:mrHV2IqVQzNAgwY4oCMg3bW8r4l
Malware Config
Signatures
- Deletes itself (1 IoC)
  pid | Process
  1112 | cmd.exe
- Loads dropped DLL (1 IoC)
  pid | Process
  2076 | svchost.exe
- Drops file in System32 directory (1 IoC)
  description | ioc | Process
  File created | C:\Windows\SysWOW64\dfoldesr.dll | 24aa2147f860007f151193a902987783.exe
- Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  PID 2220 set thread context of 2076 | 2220 | 24aa2147f860007f151193a902987783.exe | 28
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid | Process
  2220 | 24aa2147f860007f151193a902987783.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | Process | procid_target
  PID 2220 wrote to memory of 2076 | 2220 | 24aa2147f860007f151193a902987783.exe | 28
  PID 2220 wrote to memory of 2076 | 2220 | 24aa2147f860007f151193a902987783.exe | 28
  PID 2220 wrote to memory of 2076 | 2220 | 24aa2147f860007f151193a902987783.exe | 28
  PID 2220 wrote to memory of 2076 | 2220 | 24aa2147f860007f151193a902987783.exe | 28
  PID 2220 wrote to memory of 2076 | 2220 | 24aa2147f860007f151193a902987783.exe | 28
  PID 2220 wrote to memory of 1112 | 2220 | 24aa2147f860007f151193a902987783.exe | 29
  PID 2220 wrote to memory of 1112 | 2220 | 24aa2147f860007f151193a902987783.exe | 29
  PID 2220 wrote to memory of 1112 | 2220 | 24aa2147f860007f151193a902987783.exe | 29
  PID 2220 wrote to memory of 1112 | 2220 | 24aa2147f860007f151193a902987783.exe | 29
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\24aa2147f860007f151193a902987783.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\24aa2147f860007f151193a902987783.exe"
  PID: 2220
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\svchost.exe
    Command line: svchost.exe
    PID: 2076
    - Loads dropped DLL
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c c:\DEL.bat
    PID: 1112
    - Deletes itself
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 182B
  MD5: 9db1945c8a2dae8b699ef8d22090fd28
  SHA1: 1b6a630a5ab247e465a4e336c6de304f7251f8e4
  SHA256: c530973ccff7197e48b83bec9e172197a6633c38cbeffe410ad4563c17312b9c
  SHA512: f856a465caea5f4c3e83ffe8d32220b1214210d9de8eb415324deef23956a0a7117d7403a26f58ccb09a13eb840671974b4d6b50b8b18750c61f60469952cb67
- Filesize: 18KB
  MD5: 6563589cd1607cbec8d7a2f080a18275
  SHA1: b7ae0152ac0282e8b260d147358553a3540fa639
  SHA256: 595cb3c7a10349fb661436df8a254ec78bb7f19f24071f4e416549859ec5d739
  SHA512: 1cf7918e95ac62dba60f049a57cf883239c3c62ab0d94104e5e036bf858f72b4c207df11af5d3efb92b991cd55561a8d003d2c5e5778ada539f491d0405c9ac5