Analysis
- max time kernel: 122s
- max time network: 129s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 02/02/2024, 15:36
Behavioral task: behavioral1
- Sample: 89e3c2f8356295b60460eff9511785df.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 89e3c2f8356295b60460eff9511785df.exe
- Resource: win10v2004-20231215-en
General
- Target: 89e3c2f8356295b60460eff9511785df.exe
- Size: 5.3MB
- MD5: 89e3c2f8356295b60460eff9511785df
- SHA1: bed20d36520eee011c5d182684867f780bce3fbe
- SHA256: 71610eaec0ee95d261d3442df7c6ef81b37f8b53227066b9367954ff3970f9ef
- SHA512: 992c0788d0bd97ad4d8364c403f1f6eef4adffca5555781a237005983bd6fd85a7c6b6a607f2341562d9b92b6ba16194fe1ffedf521ed40f92d23b8ca5eb78f6
- SSDEEP: 98304:b9H0pN4r8ViVXHQPQNcSaHy7To1XoBtfHBHQPQNcSaHj:ZH0pm8Vg7Nta/1itfHB7NtaD
Malware Config
Signatures
- Deletes itself (1 IoCs)
  pid   Process
  1672  89e3c2f8356295b60460eff9511785df.exe
- Executes dropped EXE (1 IoCs)
  pid   Process
  1672  89e3c2f8356295b60460eff9511785df.exe
- Loads dropped DLL (1 IoCs)
  pid   Process
  2052  89e3c2f8356295b60460eff9511785df.exe
- YARA rule matches
  resource                                                                      yara_rule
  behavioral1/memory/2052-0-0x0000000000400000-0x00000000008E7000-memory.dmp   upx
  behavioral1/files/0x000a00000001224a-10.dat                                   upx
  behavioral1/files/0x000a00000001224a-15.dat                                   upx
  behavioral1/memory/1672-16-0x0000000000400000-0x00000000008E7000-memory.dmp  upx
- Suspicious behavior: RenamesItself (1 IoCs)
  pid   Process
  2052  89e3c2f8356295b60460eff9511785df.exe
- Suspicious use of UnmapMainImage (2 IoCs)
  pid   Process
  2052  89e3c2f8356295b60460eff9511785df.exe
  1672  89e3c2f8356295b60460eff9511785df.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description                        pid   Process                               procid_target
  PID 2052 wrote to memory of 1672   2052  89e3c2f8356295b60460eff9511785df.exe  28
  PID 2052 wrote to memory of 1672   2052  89e3c2f8356295b60460eff9511785df.exe  28
  PID 2052 wrote to memory of 1672   2052  89e3c2f8356295b60460eff9511785df.exe  28
  PID 2052 wrote to memory of 1672   2052  89e3c2f8356295b60460eff9511785df.exe  28
Processes
- C:\Users\Admin\AppData\Local\Temp\89e3c2f8356295b60460eff9511785df.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\89e3c2f8356295b60460eff9511785df.exe"
  PID: 2052
  signatures: Loads dropped DLL; Suspicious behavior: RenamesItself; Suspicious use of UnmapMainImage; Suspicious use of WriteProcessMemory
  - (child) C:\Users\Admin\AppData\Local\Temp\89e3c2f8356295b60460eff9511785df.exe
    command line: C:\Users\Admin\AppData\Local\Temp\89e3c2f8356295b60460eff9511785df.exe
    PID: 1672
    signatures: Deletes itself; Executes dropped EXE; Suspicious use of UnmapMainImage
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 1024KB
  MD5: 3db99796adbc1e421650983d09585bdd
  SHA1: 1358ea824700e597cb481731a00380ff128156f7
  SHA256: fc67280e9359c0b237ec8ba82db67f215dd6b04cfcb7fe48bf18fe33e47dfb55
  SHA512: 7228001068da3fbf7b8baaa62b1d58dd9f98cc1beca2b4ddbc8400965406fe5e779bfe267fd42e86d63cabbb0f53db5c5601a84c9725012743bfd5d7cd80d7a0
- Filesize: 1.6MB
  MD5: 3d3124fec644b4babc51779eb364ce8f
  SHA1: f3cfecb8d7851048a9af1cf0752c4841c3fdb0d3
  SHA256: cfb1802ecc1f152a4f9c1e99620cd473a697bcdf7620ca67d03b126c9167a9a5
  SHA512: b32eb7489a3512f48bc194814571465bd4107e7974bf0831b4dbea2eeca447be36364500c1a44aa702f3243846853b92bf75862197177dd094a5c92b3548592c