Analysis
- max time kernel: 118s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 01/01/2024, 05:09
Behavioral task: behavioral1
- Sample: 3bf922c888d36d880d4abb9ab02a2007.exe
- Resource: win7-20231215-en
General
- Target: 3bf922c888d36d880d4abb9ab02a2007.exe
- Size: 8KB
- MD5: 3bf922c888d36d880d4abb9ab02a2007
- SHA1: 882798e4aa557a7d6b49a27a86dd93f13fd7ad40
- SHA256: e52fdf6405eea5e2619e4882658a9109ea803ead950dca8f0638aadd2ceaeee0
- SHA512: f10337efe36e8f2124328a1e62e51433c6f3b3645897f2dc63f883321356f7268047cce6f84f890600b29a472861be4664a837d1f41b1bcff89a69b7953d2cd7
- SSDEEP: 192:zWizBojjLY2W9cOp1fFaNJhLkwcud2DH9VwGfctlnO:zuU2C3daNJawcudoD7Ui
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  pid 2536, Process b2e.exe
- Loads dropped DLL (2 IoCs)
  pid 1704, Process 3bf922c888d36d880d4abb9ab02a2007.exe
  pid 1704, Process 3bf922c888d36d880d4abb9ab02a2007.exe
- yara_rule match
  resource behavioral1/memory/1704-1-0x0000000000400000-0x000000000040A000-memory.dmp, yara_rule upx
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (8 IoCs)
  description | pid | Process | procid_target
  PID 1704 wrote to memory of 2536 | 1704 | 3bf922c888d36d880d4abb9ab02a2007.exe | 18
  PID 1704 wrote to memory of 2536 | 1704 | 3bf922c888d36d880d4abb9ab02a2007.exe | 18
  PID 1704 wrote to memory of 2536 | 1704 | 3bf922c888d36d880d4abb9ab02a2007.exe | 18
  PID 1704 wrote to memory of 2536 | 1704 | 3bf922c888d36d880d4abb9ab02a2007.exe | 18
  PID 2536 wrote to memory of 2804 | 2536 | b2e.exe | 17
  PID 2536 wrote to memory of 2804 | 2536 | b2e.exe | 17
  PID 2536 wrote to memory of 2804 | 2536 | b2e.exe | 17
  PID 2536 wrote to memory of 2804 | 2536 | b2e.exe | 17
Processes
- C:\Users\Admin\AppData\Local\Temp\3bf922c888d36d880d4abb9ab02a2007.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3bf922c888d36d880d4abb9ab02a2007.exe"
  PID: 1704
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\B85.tmp\b2e.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\B85.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\B85.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\3bf922c888d36d880d4abb9ab02a2007.exe"
    PID: 2536
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\BB4.tmp\batfile.bat" "
  PID: 2804
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 8KB
  MD5: 939a888808a8da6e1f8fe8a7a535d2a2
  SHA1: 9bc1c8aea0ad2d4afc8ccdb10983d5042a42580a
  SHA256: 7b90facaba5111fff1f9da6c3b92ca9c884ee56e4a2f4324dbbe0e75352f1fb8
  SHA512: 9e9028b7f7b3ee4daa2d96517c461420db1020eab110089dda65400634e9a5c8a92ce5c5c87f37a814acc52a286934ee33ac13f4521f997b44c2322fd0238b12