Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 122s
max time network: 129s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64 arch:x86 image:win7-20231215-en locale:en-us os:windows7-x64 system
submitted: 02/02/2024, 14:37
Behavioral task: behavioral1
  Sample: 89c497d0127c669b86a52a5c6833b25c.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 89c497d0127c669b86a52a5c6833b25c.exe
  Resource: win10v2004-20231215-en
General
Target: 89c497d0127c669b86a52a5c6833b25c.exe
Size: 5.3MB
MD5: 89c497d0127c669b86a52a5c6833b25c
SHA1: 642634f79cd2db7f0caab3d5786608ad85cee4c8
SHA256: fd58415e0d71d7cb35d07cd6739d51f6cb486c11c37067dd2fe549fb2e9f0df8
SHA512: 7bcd05a1a6525cc09f3d01a67081c05de60a93d8afee3a8847fd1025ce933ccd338fbaa9ddb19d2c888eacd2c5be996cf9ac5362476fd25b9b84b47b789565ca
SSDEEP: 98304:9TXID5b9tsHnH8Keka3IAwWyk9HvCocbnuXADG266fH8Keka3IAwWyk9Hj:xXIDp9advS9lPCoGuAi266fdvS9lD
Malware Config
Signatures
Deletes itself (1 IoCs)
  pid   Process
  1672  89c497d0127c669b86a52a5c6833b25c.exe

Executes dropped EXE (1 IoCs)
  pid   Process
  1672  89c497d0127c669b86a52a5c6833b25c.exe

Loads dropped DLL (1 IoCs)
  pid   Process
  2052  89c497d0127c669b86a52a5c6833b25c.exe

YARA rule matches (4 IoCs; signature title not present on the page)
  resource                                                                      yara_rule
  behavioral1/memory/2052-0-0x0000000000400000-0x00000000008E7000-memory.dmp    upx
  behavioral1/files/0x000a00000001224a-10.dat                                   upx
  behavioral1/files/0x000a00000001224a-13.dat                                   upx
  behavioral1/memory/1672-17-0x0000000000400000-0x00000000008E7000-memory.dmp   upx

Suspicious behavior: RenamesItself (1 IoCs)
  pid   Process
  2052  89c497d0127c669b86a52a5c6833b25c.exe

Suspicious use of UnmapMainImage (2 IoCs)
  pid   Process
  2052  89c497d0127c669b86a52a5c6833b25c.exe
  1672  89c497d0127c669b86a52a5c6833b25c.exe

Suspicious use of WriteProcessMemory (4 IoCs)
  description                        pid   Process                                 procid_target
  PID 2052 wrote to memory of 1672   2052  89c497d0127c669b86a52a5c6833b25c.exe    28
  PID 2052 wrote to memory of 1672   2052  89c497d0127c669b86a52a5c6833b25c.exe    28
  PID 2052 wrote to memory of 1672   2052  89c497d0127c669b86a52a5c6833b25c.exe    28
  PID 2052 wrote to memory of 1672   2052  89c497d0127c669b86a52a5c6833b25c.exe    28
Processes
1. C:\Users\Admin\AppData\Local\Temp\89c497d0127c669b86a52a5c6833b25c.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\89c497d0127c669b86a52a5c6833b25c.exe"
   PID: 2052
   - Loads dropped DLL
   - Suspicious behavior: RenamesItself
   - Suspicious use of UnmapMainImage
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\89c497d0127c669b86a52a5c6833b25c.exe (child of PID 2052)
      Command line: C:\Users\Admin\AppData\Local\Temp\89c497d0127c669b86a52a5c6833b25c.exe
      PID: 1672
      - Deletes itself
      - Executes dropped EXE
      - Suspicious use of UnmapMainImage
Network
MITRE ATT&CK Matrix
Downloads
Filesize: 3.8MB
MD5: 13ad5adb50368aecd8e55978cb47f22c
SHA1: 8f2cf631131af42e9e7f40d7ffc62cf823e9a73f
SHA256: bc18ad6ce3a0219271feece996be0d9c01e6bc732299fc90dc23614720b61431
SHA512: 5aaaf1e6f831b585b6624aaff8d77b431f57016c71947c900d000508d04ad64bc5ccebad376ac8da0aea5d699ed517fdeb451e6dee6ccde03614e4cdd6ae050f

Filesize: 640KB
MD5: 488b8766a85a22fa7d68db17463eec51
SHA1: 40674b9856c6dcf29f1a0b95818e018d816e8b50
SHA256: d74b6c1fc8b1f44f4afca9fcbe99f9999b993a610c036b1c8b0cdb67ced095c2
SHA512: ec3e28373b3018e32c3e520f2e9c4d6ef0ac9dbbace78e342d9d5ef397a66b008dbb84f57d8c9a9cfc9a9365fd383c1579d322be70c88258dfcd93b64d8ebd95