Analysis
- max time kernel: 119s
- max time network: 126s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 10/01/2024, 13:02
Behavioral task: behavioral1
- Sample: 50a0461dc5082d1fa607e60aa3eb3909.exe
- Resource: win7-20231215-en

Behavioral task: behavioral2
- Sample: 50a0461dc5082d1fa607e60aa3eb3909.exe
- Resource: win10v2004-20231222-en
General
- Target: 50a0461dc5082d1fa607e60aa3eb3909.exe
- Size: 1.3MB
- MD5: 50a0461dc5082d1fa607e60aa3eb3909
- SHA1: 8797123f7ce92e0379c3dfed596810f5911b76ec
- SHA256: 79299bb57e1c93da5f037b968610eedd70792c408899347c42e24da57a92c33d
- SHA512: 3cbad362f5167ec13d0c04e6bbf282f617285ba531de6b70bd46e602aab224f4ee04ca38f1bae98ec23948aad1ecd97ad9c099c487e0a58d25f0a07247bde5fa
- SSDEEP: 24576:6/jBVZs8eUzSmTzhHZKri0erFsYYetoWtdRxKZ79xj01ZvG:KjBle0Pki0erFsYYehtzxQ5R01
Malware Config
Signatures
Deletes itself (1 IoCs)

| pid  | Process                              |
| ---- | ------------------------------------ |
| 2344 | 50a0461dc5082d1fa607e60aa3eb3909.exe |

Executes dropped EXE (1 IoCs)

| pid  | Process                              |
| ---- | ------------------------------------ |
| 2344 | 50a0461dc5082d1fa607e60aa3eb3909.exe |

Loads dropped DLL (1 IoCs)

| pid  | Process                              |
| ---- | ------------------------------------ |
| 2880 | 50a0461dc5082d1fa607e60aa3eb3909.exe |

YARA rule matches

| resource                                                                    | yara_rule |
| --------------------------------------------------------------------------- | --------- |
| behavioral1/memory/2880-0-0x0000000000400000-0x000000000086A000-memory.dmp  | upx       |
| behavioral1/files/0x0008000000012255-11.dat                                 | upx       |
| behavioral1/files/0x0008000000012255-16.dat                                 | upx       |
| behavioral1/memory/2880-15-0x00000000033D0000-0x000000000383A000-memory.dmp | upx       |
| behavioral1/memory/2344-17-0x0000000000400000-0x000000000086A000-memory.dmp | upx       |

Suspicious behavior: RenamesItself (1 IoCs)

| pid  | Process                              |
| ---- | ------------------------------------ |
| 2880 | 50a0461dc5082d1fa607e60aa3eb3909.exe |

Suspicious use of UnmapMainImage (2 IoCs)

| pid  | Process                              |
| ---- | ------------------------------------ |
| 2880 | 50a0461dc5082d1fa607e60aa3eb3909.exe |
| 2344 | 50a0461dc5082d1fa607e60aa3eb3909.exe |

Suspicious use of WriteProcessMemory (4 IoCs)

| description                      | pid  | Process                              | procid_target |
| -------------------------------- | ---- | ------------------------------------ | ------------- |
| PID 2880 wrote to memory of 2344 | 2880 | 50a0461dc5082d1fa607e60aa3eb3909.exe | 28            |
| PID 2880 wrote to memory of 2344 | 2880 | 50a0461dc5082d1fa607e60aa3eb3909.exe | 28            |
| PID 2880 wrote to memory of 2344 | 2880 | 50a0461dc5082d1fa607e60aa3eb3909.exe | 28            |
| PID 2880 wrote to memory of 2344 | 2880 | 50a0461dc5082d1fa607e60aa3eb3909.exe | 28            |
Processes

1. C:\Users\Admin\AppData\Local\Temp\50a0461dc5082d1fa607e60aa3eb3909.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\50a0461dc5082d1fa607e60aa3eb3909.exe"
   PID: 2880
   - Loads dropped DLL
   - Suspicious behavior: RenamesItself
   - Suspicious use of UnmapMainImage
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\50a0461dc5082d1fa607e60aa3eb3909.exe (child of PID 2880)
      Command line: C:\Users\Admin\AppData\Local\Temp\50a0461dc5082d1fa607e60aa3eb3909.exe
      PID: 2344
      - Deletes itself
      - Executes dropped EXE
      - Suspicious use of UnmapMainImage
Network
MITRE ATT&CK Matrix
Downloads

File 1
- Filesize: 1.3MB
- MD5: d796169737ff3c167cc7319a1b50761c
- SHA1: df0a2b648c090776424ad28083ef1e4878b6f9ce
- SHA256: 2fc43f39544cd4dfdf5a0bd4ade6dac1cdaf39cc7678948ec341c13512cb966a
- SHA512: 2affa36607610346d38c5552c758a2bb72b7590ccb16891889d31fe4375193c0de594f40abb4c21f7a7d3bbf266036a86e91e730afe0fe0070088887b2b1fa49

File 2
- Filesize: 1.2MB
- MD5: bce79d279c2086ff2516d28ff2b399b1
- SHA1: f7ea9e6885e755f16d3a52a8dd8b097f036ea211
- SHA256: a48b214c27934c7bbf2b80e09a1fcb07bc306c9479936b3698854f9edcf11085
- SHA512: 77d6808092c23b6968dcd61d129f5de5823da14eed8f0510496c911ca4b63b524e4e7e37847dd7caa375bfc972b95533bafed9dc3298ff0be70fcde02ed0b7b5