Analysis
- max time kernel: 120s
- max time network: 129s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 03/02/2024, 08:42
Behavioral task: behavioral1
- Sample: 8be5333aaed8bd221340e52353b14f81.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 8be5333aaed8bd221340e52353b14f81.exe
- Resource: win10v2004-20231222-en
General
- Target: 8be5333aaed8bd221340e52353b14f81.exe
- Size: 5.3MB
- MD5: 8be5333aaed8bd221340e52353b14f81
- SHA1: 88c69cf62a627358792362b8018bf393340dc4f2
- SHA256: a1fb32e47eba66a54e46b5346e2a8fb21799251e4e5696ef743e9785703db746
- SHA512: 3c0e18de42a57fb4171707e8746278a07cb868d1a0d27b6a261945b291d93aeb4214d2e3a97181c838ffb201a16abd93d72dfc5f5bac158d17b1cb8b918f2ba6
- SSDEEP: 98304:4er21VQsHy0rR4iFoFWJ5TPdvHy0rR4ip:4QstqSoFW7Tldq8
Malware Config
- Extracted: gozi
Signatures
- Deletes itself (1 IoC)
  pid 2988, process 8be5333aaed8bd221340e52353b14f81.exe
- Executes dropped EXE (1 IoC)
  pid 2988, process 8be5333aaed8bd221340e52353b14f81.exe
- Loads dropped DLL (1 IoC)
  pid 2644, process 8be5333aaed8bd221340e52353b14f81.exe
- yara_rule upx matched on the following resources:
  behavioral1/memory/2644-0-0x0000000000400000-0x00000000008EF000-memory.dmp
  behavioral1/files/0x000c000000012243-10.dat
  behavioral1/files/0x000c000000012243-12.dat
  behavioral1/files/0x000c000000012243-13.dat
  behavioral1/memory/2988-17-0x0000000000400000-0x00000000008EF000-memory.dmp
- Suspicious behavior: RenamesItself (1 IoC)
  pid 2644, process 8be5333aaed8bd221340e52353b14f81.exe
- Suspicious use of UnmapMainImage (2 IoCs)
  pid 2644, process 8be5333aaed8bd221340e52353b14f81.exe
  pid 2988, process 8be5333aaed8bd221340e52353b14f81.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description: PID 2644 wrote to memory of 2988; pid 2644, process 8be5333aaed8bd221340e52353b14f81.exe, procid_target 28 (4 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\8be5333aaed8bd221340e52353b14f81.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\8be5333aaed8bd221340e52353b14f81.exe"
  PID: 2644
  - Loads dropped DLL
  - Suspicious behavior: RenamesItself
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  - child: C:\Users\Admin\AppData\Local\Temp\8be5333aaed8bd221340e52353b14f81.exe
    command line: C:\Users\Admin\AppData\Local\Temp\8be5333aaed8bd221340e52353b14f81.exe
    PID: 2988
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of UnmapMainImage
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 384KB
  MD5: 4731d6c002db3530393a74f741107fe1
  SHA1: e481f1733b357819b4d9490c30c0d39613b284d9
  SHA256: 648dac3a5247056ff3a4a60dca5bbc6efd163594a289640b34d3a14c71971760
  SHA512: a7ad2add266d9008c64cc93eb621d01c6ce8282b46fb05d723e72aae7ed422857125c1ce2950a0599ad1d3c282f3c353107132087387b42fbda09b4fe9729985
- Filesize: 1.1MB
  MD5: 17f9e9eb799daf150e07d5d095fdac38
  SHA1: 19b3aafaa30bc3a99ac4f31cd2b11a0dcbfd9020
  SHA256: 58bdcc7d8ed09374f0d995709364ddba0c9fb2ef9e74bc97cd88658c1ac38352
  SHA512: 3496a7e2ca02febe0be91644eabd7fac64ac2ae4ec28c1f012fe204ed2e87a4dec437b1dd302d189efd6491c626dcf697ce9e03f5577b75404bd78d8a8be0651
- Filesize: 512KB
  MD5: 088ab87fd49c548ccbc57d157dccb766
  SHA1: e88f69c8a63040a465ead590943d97df812a9891
  SHA256: 56e369d4564210849aa5a393231981b0a87851ee559b70c73f033d8039889921
  SHA512: 626b2d55f7e7c2b97b14ebd50fec5d4cb64022c842a97408757f76b82e5fe607e921c81fb26ff73281a04f3695e7a0d9ba2f124666be33de12b9ba3666ac3dfe