Analysis
- max time kernel: 120s
- max time network: 128s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 02/02/2024, 07:07
Behavioral task: behavioral1
- Sample: 88e08d2ea65b67e0887fbc3cd528a675.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 88e08d2ea65b67e0887fbc3cd528a675.exe
- Resource: win10v2004-20231215-en
General
- Target: 88e08d2ea65b67e0887fbc3cd528a675.exe
- Size: 4.4MB
- MD5: 88e08d2ea65b67e0887fbc3cd528a675
- SHA1: c122e9c54aff1bc53b123161ec0c068ab2de8434
- SHA256: c48966c086bd96f08086b25818b02275aec8c65623526ea4b0aabf79b527f8e7
- SHA512: 219fa35aca7d935497d1489fd30133e04e92b5f8fb032a174e135f74d0ca8d42a7fc7c708a408094efa54f5ebf75829aa3b253811f5fef45f818325b827b9c2f
- SSDEEP: 98304:+BPyrSVIqI+zH4HBUCcqFp1HK3UT4NT4HBUCcg:+ZyrSG+0WC/f1q3ULWCX
Malware Config
- Extracted: gozi
Signatures
- Deletes itself (1 IoCs)
  pid 2376, process 88e08d2ea65b67e0887fbc3cd528a675.exe
- Executes dropped EXE (1 IoCs)
  pid 2376, process 88e08d2ea65b67e0887fbc3cd528a675.exe
- Loads dropped DLL (1 IoCs)
  pid 1932, process 88e08d2ea65b67e0887fbc3cd528a675.exe
- yara_rule matches (resource, rule):
  behavioral1/memory/1932-0-0x0000000000400000-0x00000000008EF000-memory.dmp, upx
  behavioral1/files/0x0008000000012248-14.dat, upx
  behavioral1/files/0x0008000000012248-10.dat, upx
  behavioral1/memory/2376-16-0x0000000000400000-0x00000000008EF000-memory.dmp, upx
- Suspicious behavior: RenamesItself (1 IoCs)
  pid 1932, process 88e08d2ea65b67e0887fbc3cd528a675.exe
- Suspicious use of UnmapMainImage (2 IoCs)
  pid 1932, process 88e08d2ea65b67e0887fbc3cd528a675.exe
  pid 2376, process 88e08d2ea65b67e0887fbc3cd528a675.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target
  PID 1932 wrote to memory of 2376 | 1932 | 88e08d2ea65b67e0887fbc3cd528a675.exe | 28
  PID 1932 wrote to memory of 2376 | 1932 | 88e08d2ea65b67e0887fbc3cd528a675.exe | 28
  PID 1932 wrote to memory of 2376 | 1932 | 88e08d2ea65b67e0887fbc3cd528a675.exe | 28
  PID 1932 wrote to memory of 2376 | 1932 | 88e08d2ea65b67e0887fbc3cd528a675.exe | 28
Processes
- C:\Users\Admin\AppData\Local\Temp\88e08d2ea65b67e0887fbc3cd528a675.exe
  "C:\Users\Admin\AppData\Local\Temp\88e08d2ea65b67e0887fbc3cd528a675.exe"
  PID: 1932
  - Loads dropped DLL
  - Suspicious behavior: RenamesItself
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\88e08d2ea65b67e0887fbc3cd528a675.exe
    C:\Users\Admin\AppData\Local\Temp\88e08d2ea65b67e0887fbc3cd528a675.exe
    PID: 2376
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of UnmapMainImage
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 1024KB
  MD5: 954b70ae1625fcbe983967fa02af301f
  SHA1: f6d00d9c38aeac9cfcac04df68e5050f11b0e3fc
  SHA256: 5f55ee50b6b354789428fa21904010f03f413f3512481399287b9405edf527d8
  SHA512: 4b031eeaf5896af95e5b5c7c9f5489c144ef9f5b4a2da7a71b69716729416408647c3bf9a88ee3b1d378e890a5e6a4825aba051aac0d7ef3ca8c8122335d59ea
- Filesize: 4.4MB
  MD5: 4499be1deec0e3ffe73b2cb494ac1acd
  SHA1: 2a4a199165c25aa0a5a65649c1df655f30cda99e
  SHA256: 9e99954e26e0f75f3ed6c8d391ef1751d24ca4a2c3070ff03fd0011741b9e0ce
  SHA512: 909aa8bf6c07bd3c6ade2ac11eaf16ba921a2df8bd8e5805efdfa8a05707204db4e26c966ab9b5e50fb39d2e8fa5122e17aa4aa66b23ec11d916e8b4c06d4a2d