Analysis
max time kernel: 138s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29/01/2024, 09:21
Behavioral task: behavioral1
Sample: 7f7847c2a5af54670396919230856fa8.exe
Resource: win7-20231215-en
Behavioral task: behavioral2
Sample: 7f7847c2a5af54670396919230856fa8.exe
Resource: win10v2004-20231215-en
General
Target: 7f7847c2a5af54670396919230856fa8.exe
Size: 1.3MB
MD5: 7f7847c2a5af54670396919230856fa8
SHA1: 541be05560a7ea71e4763ed3d1ddbd7bbf0eb02b
SHA256: 72932e331ae267612bceb96adbb18e8995ad94c45c873a88ab1913adacd3127f
SHA512: 5e5e885de14ad683dd23f2f63b00b138dee31377d8fa6d03100103eaeb5d572455aa6b497d1fbb759ee63f741ea3f2c9fc0a75aa1ce3e1276f262c6862327e0c
SSDEEP: 24576:fTV4JmvUfxGX71ph1ItUT6vwRBpdNAohJvnKQ3stzWc:fTW5fMT5/DHHnKQ8p
Malware Config
Signatures
Deletes itself (1 IoC)
pid 4808: 7f7847c2a5af54670396919230856fa8.exe
Executes dropped EXE (1 IoC)
pid 4808: 7f7847c2a5af54670396919230856fa8.exe
yara_rule matches (3 resources)
resource: behavioral2/memory/4200-0-0x0000000000400000-0x00000000008EF000-memory.dmp, yara_rule: upx
resource: behavioral2/files/0x0006000000023149-11.dat, yara_rule: upx
resource: behavioral2/memory/4808-13-0x0000000000400000-0x00000000008EF000-memory.dmp, yara_rule: upx
Suspicious behavior: RenamesItself (1 IoC)
pid 4200: 7f7847c2a5af54670396919230856fa8.exe
Suspicious use of UnmapMainImage (2 IoCs)
pid 4200: 7f7847c2a5af54670396919230856fa8.exe
pid 4808: 7f7847c2a5af54670396919230856fa8.exe
Suspicious use of WriteProcessMemory (3 IoCs)
description: PID 4200 wrote to memory of 4808, pid: 4200, Process: 7f7847c2a5af54670396919230856fa8.exe, procid_target: 84
description: PID 4200 wrote to memory of 4808, pid: 4200, Process: 7f7847c2a5af54670396919230856fa8.exe, procid_target: 84
description: PID 4200 wrote to memory of 4808, pid: 4200, Process: 7f7847c2a5af54670396919230856fa8.exe, procid_target: 84
Processes
1⤵ C:\Users\Admin\AppData\Local\Temp\7f7847c2a5af54670396919230856fa8.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\7f7847c2a5af54670396919230856fa8.exe"
   PID: 4200
   - Suspicious behavior: RenamesItself
   - Suspicious use of UnmapMainImage
   - Suspicious use of WriteProcessMemory
   2⤵ C:\Users\Admin\AppData\Local\Temp\7f7847c2a5af54670396919230856fa8.exe
      command line: C:\Users\Admin\AppData\Local\Temp\7f7847c2a5af54670396919230856fa8.exe
      PID: 4808
      - Deletes itself
      - Executes dropped EXE
      - Suspicious use of UnmapMainImage
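The signatures and process tree above are only a flat list of events. The following script is an added example (not tria.ge code) that loads the page's own WriteProcessMemory rows, process list and signature PIDs, collapses the repeated rows, and groups them into parent/child findings where a parent wrote into a child launched from the same image path. The "self-relaunch" grouping and the field names are this example's own heuristic, not a tria.ge signature, and the process/signature data is copied from this report rather than read from a live sandbox.

```python
import re
from collections import defaultdict

# Process list as reported on this page (image path and parent PID).
PROCESSES = {
    4200: {"image": r"C:\Users\Admin\AppData\Local\Temp\7f7847c2a5af54670396919230856fa8.exe",
           "parent": None},
    4808: {"image": r"C:\Users\Admin\AppData\Local\Temp\7f7847c2a5af54670396919230856fa8.exe",
           "parent": 4200},
}

# The three "Suspicious use of WriteProcessMemory" rows, copied from the report.
WRITE_LINES = [
    "PID 4200 wrote to memory of 4808 4200 7f7847c2a5af54670396919230856fa8.exe 84",
] * 3

# PIDs carrying the other signatures on this page.
UNMAP_PIDS = {4200, 4808}      # Suspicious use of UnmapMainImage
RENAME_PIDS = {4200}           # Suspicious behavior: RenamesItself
DELETE_PIDS = {4808}           # Deletes itself
DROPPED_EXE_PIDS = {4808}      # Executes dropped EXE

# Layout of a flattened WriteProcessMemory row on this page:
#   "PID <writer> wrote to memory of <target> <pid> <process> <procid_target>"
WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)$")


def parse_writes(lines):
    """Collapse repeated rows into {(writer_pid, target_pid): event_count}."""
    counts = defaultdict(int)
    for line in lines:
        m = WRITE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised WriteProcessMemory row: {line!r}")
        counts[(int(m.group(1)), int(m.group(2)))] += 1
    return dict(counts)


def flag_self_relaunch(processes, writes, unmap_pids, rename_pids,
                       delete_pids, dropped_pids):
    """Return parent/child pairs where the parent launched a child from the
    same image path and wrote into its memory, with the related per-PID
    signatures attached. Heuristic of this example, not a tria.ge rule."""
    findings = []
    for pid, info in processes.items():
        parent = info["parent"]
        if parent is None:
            continue
        same_image = processes[parent]["image"].lower() == info["image"].lower()
        if same_image and (parent, pid) in writes:
            findings.append({
                "parent": parent,
                "child": pid,
                "write_events": writes[(parent, pid)],
                "parent_renamed_itself": parent in rename_pids,
                "parent_unmapped_image": parent in unmap_pids,
                "child_unmapped_image": pid in unmap_pids,
                "child_is_dropped_exe": pid in dropped_pids,
                "child_deleted_itself": pid in delete_pids,
            })
    return findings


def summarize(findings):
    """One human-readable line per finding."""
    return [
        f"parent {f['parent']} -> child {f['child']}: {f['write_events']} write(s); "
        f"parent renamed={f['parent_renamed_itself']} unmapped={f['parent_unmapped_image']}; "
        f"child unmapped={f['child_unmapped_image']} dropped={f['child_is_dropped_exe']} "
        f"self-delete={f['child_deleted_itself']}"
        for f in findings
    ]


if __name__ == "__main__":
    found = flag_self_relaunch(PROCESSES, parse_writes(WRITE_LINES), UNMAP_PIDS,
                               RENAME_PIDS, DELETE_PIDS, DROPPED_EXE_PIDS)
    for line in summarize(found):
        print(line)
```

On this report the script yields a single finding: 4200 wrote into 4808 three times, both PIDs unmapped their main image, 4200 renamed itself, and 4808 is the dropped copy that deleted itself. The script only groups what the page already states; whether the child ran unpacked code is not something these rows alone prove.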
Network
MITRE ATT&CK Matrix
Downloads
Filesize: 1.3MB
MD5: 03195aa1115686442919e958c3370cd2
SHA1: eda7641b3c72e1a6763dcec71622cdb0c15e259f
SHA256: a3bd629c1362e331b4581361efe6fdc83430f11a84eeb91658205772e6d9234f
SHA512: fc408b875d7600a4d631aa79e18db7ef37e388d4e09f3cb9915de8565a5b7a7287d19f0aa4a6d0e8097c5e353219070f68417bdab398c4bcfbc1ebaf4291e5f1
Note that these hashes differ from the submitted sample's (MD5 7f7847c2a5af54670396919230856fa8) even though the size is the same 1.3MB, so this download is not a byte-identical copy of the original file.