Analysis
max time kernel: 121s
max time network: 122s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 13/01/2024, 00:46
Behavioral task: behavioral1
Sample: 578aa29e426d3ae376f524ef47e90430.exe
Resource: win7-20231129-en

Behavioral task: behavioral2
Sample: 578aa29e426d3ae376f524ef47e90430.exe
Resource: win10v2004-20231215-en
General
Target: 578aa29e426d3ae376f524ef47e90430.exe
Size: 1.6MB
MD5: 578aa29e426d3ae376f524ef47e90430
SHA1: 699a15a716e31912891bf9831864e1a0a7b5a541
SHA256: 424d256feb47111e694ca7d64c052406e8309cd4abfc916a3f6fe671d3cd1c30
SHA512: 45df8360029e9884681dd0dcb9b9715394c2e15ab2632ce398af7263c0dad8719bc604466f6ffc1db716e2bfce220a5ad1639c4af24a89e6874cbcdda411afe6
SSDEEP: 24576:vFuVCIqyWhRg8GVUNVvxHAlDq6WFbPKGuvt2kTzfaZ49LyNOw87V3f5SBiWWI0td:vFuVUhnhXxLvRusAw2QsWP4d
Malware Config
Signatures
- Deletes itself (1 IoC)
  pid 2992, Process 578aa29e426d3ae376f524ef47e90430.exe
- Executes dropped EXE (1 IoC)
  pid 2992, Process 578aa29e426d3ae376f524ef47e90430.exe
- Loads dropped DLL (1 IoC)
  pid 2968, Process 578aa29e426d3ae376f524ef47e90430.exe
- yara_rule matches (resource, rule)
  behavioral1/memory/2968-0-0x0000000000400000-0x00000000008EF000-memory.dmp, upx
  behavioral1/files/0x000b000000015df1-12.dat, upx
  behavioral1/memory/2968-13-0x0000000003550000-0x0000000003A3F000-memory.dmp, upx
  behavioral1/files/0x000b000000015df1-15.dat, upx
  behavioral1/files/0x000b000000015df1-10.dat, upx
- Suspicious behavior: RenamesItself (1 IoC)
  pid 2968, Process 578aa29e426d3ae376f524ef47e90430.exe
- Suspicious use of UnmapMainImage (2 IoCs)
  pid 2968, Process 578aa29e426d3ae376f524ef47e90430.exe
  pid 2992, Process 578aa29e426d3ae376f524ef47e90430.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description: PID 2968 wrote to memory of 2992 | pid: 2968 | Process: 578aa29e426d3ae376f524ef47e90430.exe | procid_target: 20
  description: PID 2968 wrote to memory of 2992 | pid: 2968 | Process: 578aa29e426d3ae376f524ef47e90430.exe | procid_target: 20
  description: PID 2968 wrote to memory of 2992 | pid: 2968 | Process: 578aa29e426d3ae376f524ef47e90430.exe | procid_target: 20
  description: PID 2968 wrote to memory of 2992 | pid: 2968 | Process: 578aa29e426d3ae376f524ef47e90430.exe | procid_target: 20
Processes
1. C:\Users\Admin\AppData\Local\Temp\578aa29e426d3ae376f524ef47e90430.exe (PID:2968)
   command line: "C:\Users\Admin\AppData\Local\Temp\578aa29e426d3ae376f524ef47e90430.exe"
   - Loads dropped DLL
   - Suspicious behavior: RenamesItself
   - Suspicious use of UnmapMainImage
   - Suspicious use of WriteProcessMemory
   2. (child) C:\Users\Admin\AppData\Local\Temp\578aa29e426d3ae376f524ef47e90430.exe (PID:2992)
      command line: C:\Users\Admin\AppData\Local\Temp\578aa29e426d3ae376f524ef47e90430.exe
      - Deletes itself
      - Executes dropped EXE
      - Suspicious use of UnmapMainImage
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 233KB
  MD5: 0b9afaba501a078afb9d7583149663e4
  SHA1: 4f0943edffc1d224d6ecf2a593eccac1a1523cb1
  SHA256: fbf2fee00b89212ae8b3fd7d6eb486cd86f9c90ce4d66631ba0cb1c3c1165959
  SHA512: 3dae02eb4d829692dbf33d1b07b0ff1d8e88941b59960a33fa619e14cf93f6fae20a6462a001ee2c24b0435e4f28a0d22317b85d36665137b8b80b68fd873174
- Filesize: 353KB
  MD5: 60cc4a80522eb146ec046f00a0a91654
  SHA1: 3b115f01a56b3971ff1042fca17694b80eae2268
  SHA256: b8459e53456419fe9d12fca8aaf0bf53c9dab2fc5f8fc8a65dbd59f9e2e8bd28
  SHA512: 5e4e925f1daf0906091b7fa33dad6fe5b98900c5462f82c53182ef22860f898f5eb05777202960750936c1f49c8151b89c8a8b2c55bfb38e0bacaa7f8ae6d402
- Filesize: 159KB
  MD5: 45d6548dc1d5f3532767822ed0d700e5
  SHA1: 596fb06d93ed8787cfa8924bf07f114320e140c1
  SHA256: f3e30f780ce47434ca52d747214e9f6dfd283ed6c8f9d0dbadf1bfee49322c89
  SHA512: 0f658db5b5770d3d62c17ee4931977e5b855773407599c31f401e35b3bc954704d39896a446e7a51cd20484d02897bd97b741199f5fabcd31fa19d673cb41144