Analysis
- max time kernel: 145s
- max time network: 111s
- platform: windows10-2004_x64
- resource: win10v2004-20231222-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 08/01/2024, 08:28
Behavioral task: behavioral1
- Sample: 4af0345135b9c15bbaa83bbb899f1aa6.exe
- Resource: win7-20231129-en
General
- Target: 4af0345135b9c15bbaa83bbb899f1aa6.exe
- Size: 2.9MB
- MD5: 4af0345135b9c15bbaa83bbb899f1aa6
- SHA1: 16979365303a22fa6f57e17f6e5d201a07d011e7
- SHA256: d5bf1d1238bcd9141ead1a17ad06825efe9cf24fdf7ee7c2e35e90ce45b6d065
- SHA512: f68bdb408f72e77d2836faddea0368cae3fb8d461eb66a6200243d5ceb90cd65d3e8bc84072286b3433985cec0539cc2c5713b1a31697de5187a7f2573c3a4b5
- SSDEEP: 49152:C9afAFQ2AgWHek3joDBtJP0N74NH5HUyNRcUsCVOzetdZJ:CB+2uHeEolti4HBUCczzM3
Malware Config
- Extracted family: gozi
Signatures
- Deletes itself (1 IoC)
  pid 2368, process 4af0345135b9c15bbaa83bbb899f1aa6.exe
- Executes dropped EXE (1 IoC)
  pid 2368, process 4af0345135b9c15bbaa83bbb899f1aa6.exe
- YARA rule matches (resource / rule):
  behavioral2/memory/2368-14-0x0000000000400000-0x00000000008EF000-memory.dmp: upx
  behavioral2/files/0x000600000001e5df-11.dat: upx
  behavioral2/memory/388-0-0x0000000000400000-0x00000000008EF000-memory.dmp: upx
- Suspicious behavior: RenamesItself (1 IoC)
  pid 388, process 4af0345135b9c15bbaa83bbb899f1aa6.exe
- Suspicious use of UnmapMainImage (2 IoCs)
  pid 388, process 4af0345135b9c15bbaa83bbb899f1aa6.exe
  pid 2368, process 4af0345135b9c15bbaa83bbb899f1aa6.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  PID 388 wrote to memory of 2368 (process 4af0345135b9c15bbaa83bbb899f1aa6.exe, procid_target 19)
  PID 388 wrote to memory of 2368 (process 4af0345135b9c15bbaa83bbb899f1aa6.exe, procid_target 19)
  PID 388 wrote to memory of 2368 (process 4af0345135b9c15bbaa83bbb899f1aa6.exe, procid_target 19)
Processes
- 1: C:\Users\Admin\AppData\Local\Temp\4af0345135b9c15bbaa83bbb899f1aa6.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4af0345135b9c15bbaa83bbb899f1aa6.exe"
  PID: 388
  - Suspicious behavior: RenamesItself
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  - 2: C:\Users\Admin\AppData\Local\Temp\4af0345135b9c15bbaa83bbb899f1aa6.exe (child of PID 388)
    Command line: C:\Users\Admin\AppData\Local\Temp\4af0345135b9c15bbaa83bbb899f1aa6.exe
    PID: 2368
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of UnmapMainImage
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 61KB
  MD5: 2032b4cbee42f8cb18d53089832fa9a0
  SHA1: 34a8edd8b0d7e7cea21663db143ecec5603e30ca
  SHA256: 254107f19bf4cf5bb75e816ead8b1492155db185ffcbe9a9969d89be0092f34f
  SHA512: cb42819220fb35ed50040e0147b9f9357d314e60b2c239c970447b2085b0fee45344fb6d24a85e3609813647f589e27bc0ec92cb151e4b87c5085c2f1c584679