Analysis
max time kernel: 12s
max time network: 118s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 10/01/2024, 09:14
Static task: static1
Behavioral task: behavioral1
  Sample: 502d5a8ea213fa5e8b3220608069dc99.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 502d5a8ea213fa5e8b3220608069dc99.exe
  Resource: win10v2004-20231215-en
General
Target: 502d5a8ea213fa5e8b3220608069dc99.exe
Size: 506KB
MD5: 502d5a8ea213fa5e8b3220608069dc99
SHA1: e06ac2805a83943f3cf07e035017aeff60577e98
SHA256: fc78b0f70bc1f75ba095fec002d434bc5045b5e0b5d780757bd6e43b3ebe9095
SHA512: 1f273c7a2e48c047413ff6c9dbbd2eb359d0035f0f1d5166dc5e1eb4617bab52c029351ece5357c9677f602d67958f53dc694b379df0fac943ae0fbc4b1aca4a
SSDEEP: 12288:x4W5Vte2Gd0QFZeiPsPzYRomUqPkCzSZ/jC:xV5WWQFZeiUPzYRvg/+
Malware Config
Signatures
- Deletes itself (1 IoCs)
  pid   Process
  2992  502d5a8ea213fa5e8b3220608069dc99.exe
- Executes dropped EXE (1 IoCs)
  pid   Process
  2992  502d5a8ea213fa5e8b3220608069dc99.exe
- Loads dropped DLL (1 IoCs)
  pid   Process
  2928  502d5a8ea213fa5e8b3220608069dc99.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)
  pid   Process
  2992  502d5a8ea213fa5e8b3220608069dc99.exe
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  2792  schtasks.exe
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  pid   Process
  2992  502d5a8ea213fa5e8b3220608069dc99.exe
- Suspicious behavior: RenamesItself (1 IoCs)
  pid   Process
  2928  502d5a8ea213fa5e8b3220608069dc99.exe
- Suspicious use of UnmapMainImage (2 IoCs)
  pid   Process
  2928  502d5a8ea213fa5e8b3220608069dc99.exe
  2992  502d5a8ea213fa5e8b3220608069dc99.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  description                       pid   Process                               procid_target
  PID 2928 wrote to memory of 2992  2928  502d5a8ea213fa5e8b3220608069dc99.exe  16
  PID 2928 wrote to memory of 2992  2928  502d5a8ea213fa5e8b3220608069dc99.exe  16
  PID 2928 wrote to memory of 2992  2928  502d5a8ea213fa5e8b3220608069dc99.exe  16
  PID 2928 wrote to memory of 2992  2928  502d5a8ea213fa5e8b3220608069dc99.exe  16
  PID 2992 wrote to memory of 2792  2992  502d5a8ea213fa5e8b3220608069dc99.exe  14
  PID 2992 wrote to memory of 2792  2992  502d5a8ea213fa5e8b3220608069dc99.exe  14
  PID 2992 wrote to memory of 2792  2992  502d5a8ea213fa5e8b3220608069dc99.exe  14
  PID 2992 wrote to memory of 2792  2992  502d5a8ea213fa5e8b3220608069dc99.exe  14
Processes
- C:\Windows\SysWOW64\schtasks.exe
  Command line: schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\502d5a8ea213fa5e8b3220608069dc99.exe" /TN Google_Trk_Updater /F
  - Creates scheduled task(s)
  PID: 2792
- C:\Users\Admin\AppData\Local\Temp\502d5a8ea213fa5e8b3220608069dc99.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\502d5a8ea213fa5e8b3220608069dc99.exe
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID: 2992
- C:\Users\Admin\AppData\Local\Temp\502d5a8ea213fa5e8b3220608069dc99.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\502d5a8ea213fa5e8b3220608069dc99.exe"
  - Loads dropped DLL
  - Suspicious behavior: RenamesItself
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID: 2928
Network
MITRE ATT&CK Enterprise v15
Downloads