Analysis
- max time kernel: 122s
- max time network: 126s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 31/12/2023, 14:00
Static task: static1

Behavioral task: behavioral1
- Sample: 38fb4e2e554987e3385470f694ec1f47.exe
- Resource: win7-20231215-en

Behavioral task: behavioral2
- Sample: 38fb4e2e554987e3385470f694ec1f47.exe
- Resource: win10v2004-20231215-en
General
- Target: 38fb4e2e554987e3385470f694ec1f47.exe
- Size: 57KB
- MD5: 38fb4e2e554987e3385470f694ec1f47
- SHA1: 5b90e9e0117f2338ce5259491d7f641dbbbeef50
- SHA256: 5b4d80e66ae2803af5015c7b105247fa0a12953381896e3ef0a93c39b4556951
- SHA512: db3af8593bd908c066c0be0cc587c27c36bb188bf21037d6c89cdfd2bf54677cbd5c208b3c81d8320d8920eee446a0a55012d0d6f1b1f2047e05b4999f66f140
- SSDEEP: 1536:h8ml7kajLRvxP/Ph8o4kUasb41x4jq9m7J:KeII3HPmS6M1x4jJ9
Malware Config
(none extracted)

Signatures
- Deletes itself (1 IoC)
  pid 2828  process 38fb4e2e554987e3385470f694ec1f47.exe
- Executes dropped EXE (1 IoC)
  pid 2828  process 38fb4e2e554987e3385470f694ec1f47.exe
- Loads dropped DLL (1 IoC)
  pid 3028  process 38fb4e2e554987e3385470f694ec1f47.exe
- Suspicious behavior: RenamesItself (1 IoC)
  pid 3028  process 38fb4e2e554987e3385470f694ec1f47.exe
- Suspicious use of UnmapMainImage (2 IoCs)
  pid 3028  process 38fb4e2e554987e3385470f694ec1f47.exe
  pid 2828  process 38fb4e2e554987e3385470f694ec1f47.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description: PID 3028 wrote to memory of 2828  pid 3028  process 38fb4e2e554987e3385470f694ec1f47.exe  procid_target 29
  description: PID 3028 wrote to memory of 2828  pid 3028  process 38fb4e2e554987e3385470f694ec1f47.exe  procid_target 29
  description: PID 3028 wrote to memory of 2828  pid 3028  process 38fb4e2e554987e3385470f694ec1f47.exe  procid_target 29
  description: PID 3028 wrote to memory of 2828  pid 3028  process 38fb4e2e554987e3385470f694ec1f47.exe  procid_target 29
Processes
- C:\Users\Admin\AppData\Local\Temp\38fb4e2e554987e3385470f694ec1f47.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\38fb4e2e554987e3385470f694ec1f47.exe"
  PID: 3028
  - Loads dropped DLL
  - Suspicious behavior: RenamesItself
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\38fb4e2e554987e3385470f694ec1f47.exe (depth 2, child of PID 3028)
    Command line: C:\Users\Admin\AppData\Local\Temp\38fb4e2e554987e3385470f694ec1f47.exe
    PID: 2828
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of UnmapMainImage
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 57KB
  MD5: 233777560e1c6821a7186a97f8a7135d
  SHA1: 1e34aac909660888fc2ada35c26279f0cde17129
  SHA256: 85b82c3977c4e5d9e4e500c3d50980bb286331f21349a5e2e22fe32eee2294fb
  SHA512: 6b2d89c622e95eb1bf41e5b0a3ddc5cb455564a44e621c002f2146b645358f0ca397777560f5dc002d914698c134554e3d2941257e871aeacb32174f93b45a7d