Analysis
- max time kernel: 140s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 10/01/2024, 13:06
Static task
- static1
Behavioral task
- behavioral1
  - Sample: 50a2d7e4a6cfa3e8596ac960deee46f3.exe
  - Resource: win7-20231129-en
Behavioral task
- behavioral2
  - Sample: 50a2d7e4a6cfa3e8596ac960deee46f3.exe
  - Resource: win10v2004-20231215-en
General
- Target: 50a2d7e4a6cfa3e8596ac960deee46f3.exe
- Size: 209KB
- MD5: 50a2d7e4a6cfa3e8596ac960deee46f3
- SHA1: 1ab53987da8edb27e0992326f492e01cfd21529d
- SHA256: 053bbbda869d3cd0f1f00178cf4fae3b6ef85f06bb3eeb874c2ca9f4af1670fc
- SHA512: 4588d973b31967093881c243c57330bd46811c00a5ac163bb698ca78eaa11db11d30cb88561c10835ff0e9e5c79806a15da902c74669c64d5e00da5021073580
- SSDEEP: 6144:DlUzl29na2Fi859T5Lue+PMXav5TgwzSW7:m49a2FDvJFKBTgw+W
Malware Config
Signatures
- Executes dropped EXE (3 IoCs)
  pid   Process
  2204  u.dll
  2472  u.dll
  2756  mpress.exe
- Loads dropped DLL (6 IoCs)
  pid   Process
  3048  cmd.exe
  3048  cmd.exe
  3048  cmd.exe
  3048  cmd.exe
  2472  u.dll
  2472  u.dll
- Suspicious use of WriteProcessMemory (20 IoCs)
  description                        pid   Process                                procid_target
  PID 2240 wrote to memory of 3048   2240  50a2d7e4a6cfa3e8596ac960deee46f3.exe   29
  PID 2240 wrote to memory of 3048   2240  50a2d7e4a6cfa3e8596ac960deee46f3.exe   29
  PID 2240 wrote to memory of 3048   2240  50a2d7e4a6cfa3e8596ac960deee46f3.exe   29
  PID 2240 wrote to memory of 3048   2240  50a2d7e4a6cfa3e8596ac960deee46f3.exe   29
  PID 3048 wrote to memory of 2204   3048  cmd.exe                                30
  PID 3048 wrote to memory of 2204   3048  cmd.exe                                30
  PID 3048 wrote to memory of 2204   3048  cmd.exe                                30
  PID 3048 wrote to memory of 2204   3048  cmd.exe                                30
  PID 3048 wrote to memory of 2472   3048  cmd.exe                                31
  PID 3048 wrote to memory of 2472   3048  cmd.exe                                31
  PID 3048 wrote to memory of 2472   3048  cmd.exe                                31
  PID 3048 wrote to memory of 2472   3048  cmd.exe                                31
  PID 2472 wrote to memory of 2756   2472  u.dll                                  33
  PID 2472 wrote to memory of 2756   2472  u.dll                                  33
  PID 2472 wrote to memory of 2756   2472  u.dll                                  33
  PID 2472 wrote to memory of 2756   2472  u.dll                                  33
  PID 3048 wrote to memory of 2440   3048  cmd.exe                                32
  PID 3048 wrote to memory of 2440   3048  cmd.exe                                32
  PID 3048 wrote to memory of 2440   3048  cmd.exe                                32
  PID 3048 wrote to memory of 2440   3048  cmd.exe                                32
Processes
- C:\Users\Admin\AppData\Local\Temp\50a2d7e4a6cfa3e8596ac960deee46f3.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\50a2d7e4a6cfa3e8596ac960deee46f3.exe"
  PID: 2240
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\EC0.tmp\vir.bat""
    PID: 3048
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\u.dll (depth 3)
      Command line: u.dll -bat vir.bat -save 50a2d7e4a6cfa3e8596ac960deee46f3.exe.com -include s.dll -overwrite -nodelete
      PID: 2204
      - Executes dropped EXE
    - C:\Users\Admin\AppData\Local\Temp\u.dll (depth 3)
      Command line: u.dll -bat vir.bat -save ose00000.exe.com -include s.dll -overwrite -nodelete
      PID: 2472
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\2AB8.tmp\mpress.exe (depth 4)
        Command line: "C:\Users\Admin\AppData\Local\Temp\2AB8.tmp\mpress.exe" "C:\Users\Admin\AppData\Local\Temp\exe2AB9.tmp"
        PID: 2756
        - Executes dropped EXE
    - C:\Windows\SysWOW64\calc.exe (depth 3)
      Command line: CALC.EXE
      PID: 2440
Network
MITRE ATT&CK Matrix
Downloads