Analysis
max time kernel: 117s
max time network: 123s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 05/01/2024, 04:43
Behavioral task: behavioral1
Sample: 42c986807d74e6ca257bb32bc77c46a7.exe
Resource: win7-20231129-en

Behavioral task: behavioral2
Sample: 42c986807d74e6ca257bb32bc77c46a7.exe
Resource: win10v2004-20231215-en
General
Target: 42c986807d74e6ca257bb32bc77c46a7.exe
Size: 2.7MB
MD5: 42c986807d74e6ca257bb32bc77c46a7
SHA1: ad93a9b554c8ee475a3ab728b8f0722915b28b65
SHA256: 21d834eeece11735e2a289c2903fdaa032a8d4e0810bbfe6d04ac3792cf5243c
SHA512: d29ece1fbae29bbdf7904774109671ffa86e4b01d7e3e8c92d778acfda3ecf29ab3ffdf00dbc27d67905bc0d1b41c82a619b6ab67cf98dca8b1eedc18ab8d581
SSDEEP: 49152:JgKbxJMN3w5cAmPvAyobWMz2DyR9cF5OonzWMnpMax+SW0IcWpAfejR9j:JgGM3w5cAEvgRRHcFoLWT+SW0xWvHj
Malware Config
Signatures

Deletes itself (1 IoCs)
  pid   Process
  2980  42c986807d74e6ca257bb32bc77c46a7.exe

Executes dropped EXE (1 IoCs)
  pid   Process
  2980  42c986807d74e6ca257bb32bc77c46a7.exe

Loads dropped DLL (1 IoCs)
  pid   Process
  2856  42c986807d74e6ca257bb32bc77c46a7.exe

YARA rule hits
  resource                                                                   yara_rule
  behavioral1/files/0x000a0000000133a9-13.dat                                upx
  behavioral1/files/0x000a0000000133a9-12.dat                                upx
  behavioral1/files/0x000a0000000133a9-10.dat                                upx
  behavioral1/memory/2856-0-0x0000000000400000-0x00000000008E7000-memory.dmp  upx

Suspicious behavior: RenamesItself (1 IoCs)
  pid   Process
  2856  42c986807d74e6ca257bb32bc77c46a7.exe

Suspicious use of UnmapMainImage (2 IoCs)
  pid   Process
  2856  42c986807d74e6ca257bb32bc77c46a7.exe
  2980  42c986807d74e6ca257bb32bc77c46a7.exe

Suspicious use of WriteProcessMemory (4 IoCs)
  description                        pid   Process                               procid_target
  PID 2856 wrote to memory of 2980   2856  42c986807d74e6ca257bb32bc77c46a7.exe  17
  PID 2856 wrote to memory of 2980   2856  42c986807d74e6ca257bb32bc77c46a7.exe  17
  PID 2856 wrote to memory of 2980   2856  42c986807d74e6ca257bb32bc77c46a7.exe  17
  PID 2856 wrote to memory of 2980   2856  42c986807d74e6ca257bb32bc77c46a7.exe  17
Processes

C:\Users\Admin\AppData\Local\Temp\42c986807d74e6ca257bb32bc77c46a7.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\42c986807d74e6ca257bb32bc77c46a7.exe"
  PID: 2856
  - Loads dropped DLL
  - Suspicious behavior: RenamesItself
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\42c986807d74e6ca257bb32bc77c46a7.exe (child of PID 2856)
    Command line: C:\Users\Admin\AppData\Local\Temp\42c986807d74e6ca257bb32bc77c46a7.exe
    PID: 2980
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of UnmapMainImage
Network
MITRE ATT&CK Matrix
Downloads

Filesize: 57KB
MD5: b9e88fa1ce434c2f777096e2fe496da5
SHA1: eeb85c5bb758d8a0cfb9505dac28fc143516b81d
SHA256: c45536db337d4a08336313a2aa365564e7a24aa4ff52a5df2a70b9082de9dc57
SHA512: 6f80ab8739c24548d98195888d5a1dd7b74a922fff28ffe3e8a3533d8d651fbf1e3dcc340a0671868d9040fc6651ab5b1de69856e0f619b44d07b76b704fd1e4

Filesize: 79KB
MD5: 79c32a41d13bbe919c77809abf4a793d
SHA1: 5e1a086efdb2acf6ec6a9578e041c4e85868206a
SHA256: 9afc4d8abe63a53c9f459c55079d90ae329197a91a5ddfc83341868fe8e3f9b6
SHA512: 0f3869528324f352459fbfd51652d538651226f0978235d0764753e8030a4103be93efcb3bea1ee8b887b30380f92aaa3185b64787a23e3a5fd810f080ec0912

Filesize: 29KB
MD5: c9620223f2c938e4a528eb28b6d236b8
SHA1: 4a9015a0a84b0a103d172f3c495ca1d7d4909e3d
SHA256: d0cadde908d39aaf1f00ab047174ba818c417c72fa9bf1f82e47d6151cfc468f
SHA512: f02cd40f0ac66e3b1e2c6e64f9e263fef07d2534129cdd6ceef1ea2d080bbac8cb3836785d96215a32e06bb9a7fb73a416c418769d639f4f7bed1ef7d890d517