Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 119s
max time network: 136s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 31/12/2023, 05:41
Behavioral task: behavioral1
Sample: 2a6bd8248c77c755443ff72beb8d7caf.exe
Resource: win7-20231215-en
General
Target: 2a6bd8248c77c755443ff72beb8d7caf.exe
Size: 784KB
MD5: 2a6bd8248c77c755443ff72beb8d7caf
SHA1: 9e0b8f521a512d9f2c0a371bfc0427aeadb8a89d
SHA256: b6d80ed493487fcf4801f4e1087b54ed618e195e3d968ec8fcee6d2c4faac10a
SHA512: 0a06622c68e79272ba0343d6957cf5b49814d4aa37560329f1cbfeec94f256724939738c20477c9876f25efc4ce08b6686a922a6a93221d358e2e0fc3bbf4a8f
SSDEEP: 12288:LB16Cp19VnIvyaxz/KgejIvbpSgH4/19i0MIvp9z4fxbp6Pifg+aCs5NCxFM:tUCeyO2gQIjsgHEzi0MIvjKI5YM
Malware Config
Signatures
XMRig Miner payload 7 IoCs
resource yara_rule
behavioral1/memory/284-1-0x0000000000400000-0x0000000000593000-memory.dmp xmrig
behavioral1/memory/284-15-0x0000000003110000-0x0000000003422000-memory.dmp xmrig
behavioral1/memory/284-14-0x0000000000400000-0x0000000000593000-memory.dmp xmrig
behavioral1/memory/2060-19-0x0000000000400000-0x0000000000593000-memory.dmp xmrig
behavioral1/memory/2060-24-0x0000000003220000-0x00000000033B3000-memory.dmp xmrig
behavioral1/memory/2060-25-0x0000000000400000-0x0000000000587000-memory.dmp xmrig
behavioral1/memory/2060-34-0x0000000000400000-0x0000000000587000-memory.dmp xmrig

Deletes itself 1 IoCs
pid Process
2060 2a6bd8248c77c755443ff72beb8d7caf.exe

Executes dropped EXE 1 IoCs
pid Process
2060 2a6bd8248c77c755443ff72beb8d7caf.exe

Loads dropped DLL 1 IoCs
pid Process
284 2a6bd8248c77c755443ff72beb8d7caf.exe
UPX packed file 4 IoCs (yara rule upx; the signature header was missing from the extracted page and is restored from the rule name)
resource yara_rule
behavioral1/memory/284-0-0x0000000000400000-0x0000000000712000-memory.dmp upx
behavioral1/files/0x000b000000012255-10.dat upx
behavioral1/files/0x000b000000012255-16.dat upx
behavioral1/memory/2060-17-0x0000000000400000-0x0000000000712000-memory.dmp upx
Suspicious behavior: RenamesItself 1 IoCs
pid Process
284 2a6bd8248c77c755443ff72beb8d7caf.exe

Suspicious use of UnmapMainImage 2 IoCs
pid Process
284 2a6bd8248c77c755443ff72beb8d7caf.exe
2060 2a6bd8248c77c755443ff72beb8d7caf.exe

Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target
PID 284 wrote to memory of 2060 284 2a6bd8248c77c755443ff72beb8d7caf.exe 29
PID 284 wrote to memory of 2060 284 2a6bd8248c77c755443ff72beb8d7caf.exe 29
PID 284 wrote to memory of 2060 284 2a6bd8248c77c755443ff72beb8d7caf.exe 29
PID 284 wrote to memory of 2060 284 2a6bd8248c77c755443ff72beb8d7caf.exe 29
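The signature tables above are easier to reason about once the memory-dump hits and the WriteProcessMemory rows are correlated per process. The script below is an added example, not part of the Triage report: it parses the dump names as they appear in this report (assumed format `<pid>-<seq>-0x<start>-0x<end>-memory.dmp <rule>`; this is read off the page, not from Triage documentation), groups hits by PID, and flags the case where a `upx` hit at an image base is followed by a payload-rule hit at the same base, which is the reading of "packed image unpacked in place, then the miner payload rule fires". It also deduplicates the WriteProcessMemory rows into writer/target edges and reports which edges connect two processes that both carry the payload. The input strings are constructed from the table rows on this page.

```python
import re
from collections import defaultdict

# Memory-dump yara hits, copied from the report's signature tables (constructed input).
YARA_HITS = """\
behavioral1/memory/284-0-0x0000000000400000-0x0000000000712000-memory.dmp upx
behavioral1/memory/284-1-0x0000000000400000-0x0000000000593000-memory.dmp xmrig
behavioral1/memory/284-15-0x0000000003110000-0x0000000003422000-memory.dmp xmrig
behavioral1/memory/284-14-0x0000000000400000-0x0000000000593000-memory.dmp xmrig
behavioral1/memory/2060-17-0x0000000000400000-0x0000000000712000-memory.dmp upx
behavioral1/memory/2060-19-0x0000000000400000-0x0000000000593000-memory.dmp xmrig
behavioral1/memory/2060-24-0x0000000003220000-0x00000000033B3000-memory.dmp xmrig
behavioral1/memory/2060-25-0x0000000000400000-0x0000000000587000-memory.dmp xmrig
behavioral1/memory/2060-34-0x0000000000400000-0x0000000000587000-memory.dmp xmrig
"""

# WriteProcessMemory IoC rows, copied from the report (constructed input).
WPM_LINES = """\
PID 284 wrote to memory of 2060 284 2a6bd8248c77c755443ff72beb8d7caf.exe 29
PID 284 wrote to memory of 2060 284 2a6bd8248c77c755443ff72beb8d7caf.exe 29
PID 284 wrote to memory of 2060 284 2a6bd8248c77c755443ff72beb8d7caf.exe 29
PID 284 wrote to memory of 2060 284 2a6bd8248c77c755443ff72beb8d7caf.exe 29
"""

# Dump-name layout is assumed from the strings in this report: <pid>-<seq>-0x<start>-0x<end>-memory.dmp <rule>
HIT_RE = re.compile(
    r"^behavioral\d+/memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp\s+(?P<rule>\S+)$"
)
WPM_RE = re.compile(r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+)\b")


def parse_hits(text):
    """Parse yara memory-dump hit lines into dicts sorted by (pid, dump sequence)."""
    hits = []
    for line in text.splitlines():
        m = HIT_RE.match(line.strip())
        if not m:
            continue  # file hits (files/...dat) and anything else are skipped here
        start, end = int(m["start"], 16), int(m["end"], 16)
        hits.append({"pid": int(m["pid"]), "seq": int(m["seq"]), "start": start,
                     "size": end - start, "rule": m["rule"]})
    return sorted(hits, key=lambda h: (h["pid"], h["seq"]))


def unpack_events(hits):
    """Per pid: a `upx` hit at base B followed by a later, non-upx hit at the same base.
    The later hit is taken as the unpacked payload being recognised in place."""
    by_pid = defaultdict(list)
    for h in hits:
        by_pid[h["pid"]].append(h)
    events = []
    for pid, phits in by_pid.items():
        for packed in (h for h in phits if h["rule"] == "upx"):
            later = [h for h in phits
                     if h["start"] == packed["start"] and h["seq"] > packed["seq"] and h["rule"] != "upx"]
            if later:
                first = min(later, key=lambda h: h["seq"])
                events.append({"pid": pid, "base": packed["start"], "packed_size": packed["size"],
                               "unpacked_size": first["size"], "rule": first["rule"]})
    return events


def parse_wpm(text):
    """Collapse repeated WriteProcessMemory rows into {(writer_pid, target_pid): count}."""
    edges = defaultdict(int)
    for line in text.splitlines():
        m = WPM_RE.match(line.strip())
        if m:
            edges[(int(m["src"]), int(m["dst"]))] += 1
    return dict(edges)


def injection_edges(hits, edges):
    """Writer -> target pairs where a non-upx (payload) rule fired in both processes."""
    payload_pids = {h["pid"] for h in hits if h["rule"] != "upx"}
    return [(s, d) for (s, d) in edges if s in payload_pids and d in payload_pids]


if __name__ == "__main__":
    hits = parse_hits(YARA_HITS)
    for ev in unpack_events(hits):
        print(f"pid {ev['pid']}: upx image at {ev['base']:#x} ({ev['packed_size']:#x} bytes) "
              f"-> {ev['rule']} at same base ({ev['unpacked_size']:#x} bytes)")
    edges = parse_wpm(WPM_LINES)
    for (s, d), n in edges.items():
        print(f"{s} -> {d}: {n} WriteProcessMemory rows")
    print("payload-carrying injection edges:", injection_edges(hits, edges))
```

On this report the script reports the same picture for both PIDs: a 0x312000-byte `upx` region at 0x400000 followed by a 0x193000-byte `xmrig` hit at the same base, and a single 284 -> 2060 edge backed by four WriteProcessMemory rows. That the child is the same image, re-launched with an unquoted command line, unmaps its main image, and deletes itself afterwards is what makes the "dropped EXE" plus "WriteProcessMemory" pair worth treating as one self-injection chain rather than two unrelated signatures.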
Processes
1. C:\Users\Admin\AppData\Local\Temp\2a6bd8248c77c755443ff72beb8d7caf.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\2a6bd8248c77c755443ff72beb8d7caf.exe"
   PID: 284
   - Loads dropped DLL
   - Suspicious behavior: RenamesItself
   - Suspicious use of UnmapMainImage
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\2a6bd8248c77c755443ff72beb8d7caf.exe (child of PID 284)
      Command line: C:\Users\Admin\AppData\Local\Temp\2a6bd8248c77c755443ff72beb8d7caf.exe
      PID: 2060
      - Deletes itself
      - Executes dropped EXE
      - Suspicious use of UnmapMainImage
Network
MITRE ATT&CK Matrix
Downloads
Filesize: 260KB
MD5: 689dc5e10305844d77befd482c02bb88
SHA1: d0e8dc683ed331281c4ee631db2cf1656d0238db
SHA256: 654fd177e155b51898daa056dc6c5d95e8047e1d50f847284241398edaae5a26
SHA512: fc5ea74152e12f24df6480ce113a7522351400d89e004bbea21110ce3a5d2467a725a652ae7aa912b918561df6b538d580542ea6498db2c7ffab0fa45b499ff7

Filesize: 359KB
MD5: 04a207bfce7f2bd139b5b086e9aea755
SHA1: 82aa995fbaadd305ac54d7b825c0e98b0fe8ea6b
SHA256: c160bc6a29d97d69300a2d0548871e4ec904fd5c0f17f6f12b98acf65ff2a71b
SHA512: 87e7bdb6449281c0e6ca55d6327a2e734bd9c7e1f04b763b4894496138399544bf95c5a92a106658119dea518947d6f5679ad7a6d988dbf3c3d5aa9b1546364b