Analysis
max time kernel: 150s
max time network: 152s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 03/01/2024, 22:42
Behavioral task
behavioral1
Sample
3f36e8740da739d0e698abf67e775798.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
3f36e8740da739d0e698abf67e775798.exe
Resource
win10v2004-20231222-en
General
Target: 3f36e8740da739d0e698abf67e775798.exe
Size: 26KB
MD5: 3f36e8740da739d0e698abf67e775798
SHA1: adcd1e56970840e101fcf4e2094acbb902cb8877
SHA256: 4710c579e5e06e66073a67738fcf9bfd216864509c7e03270f40c7311d0425fe
SHA512: 285fda3a664d58cb46534e071681eedd7937b8bc91b5fdccb6c9dd706604c322906c6a86518d1a390c60c5248e9bb60fe45a4bc8f60a587377d558567175f6f7
SSDEEP: 768:d3VIGQV6AJUNh3CTb1Xw6NkOz2Nx1lJkkh8Uzm:d3urpJUNFc5ExvC7
Malware Config
Signatures

Deletes itself (1 IoC)
  pid   Process
  1104  svchost.exe

Drops startup file (2 IoCs)
  description                   ioc                                                                                    Process
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dxdiag.exe  svchost.exe
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dxdiag.exe  svchost.exe

YARA matches (signature name not preserved in the extracted page)
  resource                                                              yara_rule
  behavioral1/memory/2236-0-0x0000000000400000-0x0000000000414000-memory.dmp  upx
  behavioral1/files/0x000c000000012243-10.dat                           upx

Suspicious behavior: MapViewOfSection (1 IoC)
  pid   Process
  2236  3f36e8740da739d0e698abf67e775798.exe

Suspicious use of WriteProcessMemory (4 IoCs)
  description                       pid   Process                               procid_target
  PID 2236 wrote to memory of 1104  2236  3f36e8740da739d0e698abf67e775798.exe  28
  PID 2236 wrote to memory of 1104  2236  3f36e8740da739d0e698abf67e775798.exe  28
  PID 2236 wrote to memory of 1104  2236  3f36e8740da739d0e698abf67e775798.exe  28
  PID 2236 wrote to memory of 1104  2236  3f36e8740da739d0e698abf67e775798.exe  28
Processes

1. C:\Users\Admin\AppData\Local\Temp\3f36e8740da739d0e698abf67e775798.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\3f36e8740da739d0e698abf67e775798.exe"
   PID: 2236
   - Suspicious behavior: MapViewOfSection
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\svchost.exe (child of PID 2236)
      Command line: svchost.exe
      PID: 1104
      - Deletes itself
      - Drops startup file
Network
MITRE ATT&CK Matrix
Downloads
Filesize: 26KB
MD5: 3f36e8740da739d0e698abf67e775798
SHA1: adcd1e56970840e101fcf4e2094acbb902cb8877
SHA256: 4710c579e5e06e66073a67738fcf9bfd216864509c7e03270f40c7311d0425fe
SHA512: 285fda3a664d58cb46534e071681eedd7937b8bc91b5fdccb6c9dd706604c322906c6a86518d1a390c60c5248e9bb60fe45a4bc8f60a587377d558567175f6f7