Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 119s
max time network: 126s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 03/02/2024, 09:33
Behavioral task
behavioral1
Sample
8bfe194672fdba1eade987f40014f232.exe
Resource
win7-20231215-en
General
Target: 8bfe194672fdba1eade987f40014f232.exe
Size: 2.9MB
MD5: 8bfe194672fdba1eade987f40014f232
SHA1: 20dda5bf45aa10746c163c74b840d56c99db7389
SHA256: a4c6df043f502f85bee9a0b17bddb21980305bb3db8a5cf9944315b85fcf4b77
SHA512: 3bf5c6917aea37929ae0bca071dd1121362d4452fd5946721b02f2dc711e82e8a95bee09b353b733a6a453ae892cc4fb909b7fdf2d677f875190f553d1a0c739
SSDEEP: 49152:lKvFwEK8rN9lP3cI588iiNu0Bm6B5VBON74NH5HUyNRcUsCVOzetdZJ:lK6EKW9ln4i/5O4HBUCczzM3
Malware Config
Signatures

Deletes itself (1 IoC)
  pid   Process
  2792  8bfe194672fdba1eade987f40014f232.exe

Executes dropped EXE (1 IoC)
  pid   Process
  2792  8bfe194672fdba1eade987f40014f232.exe

Loads dropped DLL (1 IoC)
  pid   Process
  2444  8bfe194672fdba1eade987f40014f232.exe

YARA matches (4 IoCs; the rule name is "upx" for every hit, i.e. the original image, the dropped file and both process images are UPX-packed)
  resource                                                                     yara_rule
  behavioral1/memory/2444-0-0x0000000000400000-0x00000000008EF000-memory.dmp   upx
  behavioral1/files/0x000b000000012238-10.dat                                  upx
  behavioral1/memory/2444-15-0x00000000038D0000-0x0000000003DBF000-memory.dmp  upx
  behavioral1/memory/2792-16-0x0000000000400000-0x00000000008EF000-memory.dmp  upx

Suspicious behavior: RenamesItself (1 IoC)
  pid   Process
  2444  8bfe194672fdba1eade987f40014f232.exe

Suspicious use of UnmapMainImage (2 IoCs)
  pid   Process
  2444  8bfe194672fdba1eade987f40014f232.exe
  2792  8bfe194672fdba1eade987f40014f232.exe

Suspicious use of WriteProcessMemory (4 IoCs)
  description                       pid   Process                               procid_target
  PID 2444 wrote to memory of 2792  2444  8bfe194672fdba1eade987f40014f232.exe  28
  PID 2444 wrote to memory of 2792  2444  8bfe194672fdba1eade987f40014f232.exe  28
  PID 2444 wrote to memory of 2792  2444  8bfe194672fdba1eade987f40014f232.exe  28
  PID 2444 wrote to memory of 2792  2444  8bfe194672fdba1eade987f40014f232.exe  28
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\8bfe194672fdba1eade987f40014f232.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8bfe194672fdba1eade987f40014f232.exe"
  PID: 2444
  - Loads dropped DLL
  - Suspicious behavior: RenamesItself
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory

  Level 2 (child of PID 2444): C:\Users\Admin\AppData\Local\Temp\8bfe194672fdba1eade987f40014f232.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\8bfe194672fdba1eade987f40014f232.exe
    PID: 2792
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of UnmapMainImage
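The signature rows above list primitives, not intent: a UPX-packed parent (2444) renames itself, spawns a child (2792) from the same image path, writes into that child four times, both processes unmap their main image, and the child then deletes a file. That combination is the shape of process hollowing or self-injection, but the report does not confirm it, and the file captured under Downloads has a different SHA256 from the submitted sample. As an added example that is not part of this report or of tria.ge, the following Python turns those rows into a repeatable triage check: it parses the memory-dump names, flags the parent-to-child write pattern, and reports whether the captured file differs from the submission. All PIDs, paths, hashes and dump names are constructed from this page; the function names and the "same image, parent wrote to child, child unmapped" rule are the example's own assumptions.

```python
"""Added triage helpers for the behavioural signatures above (not tria.ge code).

Events, process tree, hashes and dump names are constructed from this report;
the self-injection rule is an assumption of the example, not a tria.ge rule.
"""
import re
from collections import defaultdict

SAMPLE_PATH = r"C:\Users\Admin\AppData\Local\Temp\8bfe194672fdba1eade987f40014f232.exe"
SAMPLE_SHA256 = "a4c6df043f502f85bee9a0b17bddb21980305bb3db8a5cf9944315b85fcf4b77"   # General section
DROPPED_SHA256 = "a99f6886a5cc5def5d3eb348ba24ccaddda4f9f8514da8a2702e605f4cd61e6a"  # Downloads section

# Process tree as shown in the Processes section: 2792 is a child of 2444,
# started from the same image path.
PROCESSES = {
    2444: {"image": SAMPLE_PATH, "parent": None},
    2792: {"image": SAMPLE_PATH, "parent": 2444},
}

# One dict per IoC row, constructed from the Signatures tables.
EVENTS = (
    [{"sig": "Loads dropped DLL", "pid": 2444},
     {"sig": "RenamesItself", "pid": 2444},
     {"sig": "UnmapMainImage", "pid": 2444},
     {"sig": "UnmapMainImage", "pid": 2792},
     {"sig": "Executes dropped EXE", "pid": 2792},
     {"sig": "Deletes itself", "pid": 2792}]
    + [{"sig": "WriteProcessMemory", "pid": 2444, "target": 2792}] * 4
)

# tria.ge dump names look like "<pid>-<n>-0x<start>-0x<end>-memory.dmp".
DUMP_RE = re.compile(r"(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def parse_dump_name(name):
    """Return (pid, start, end) for a memory dump name from the YARA table."""
    m = DUMP_RE.search(name)
    if not m:
        raise ValueError(f"not a memory dump name: {name}")
    pid, start, end = m.groups()
    return int(pid), int(start, 16), int(end, 16)


def find_self_injection(processes, events):
    """Flag a parent that writes into a child it spawned from its own image path.

    Combined with the child unmapping its main image this matches the shape of
    process hollowing / self-injection. The report records the primitives, not
    the intent, so treat a hit as a lead to confirm in a debugger."""
    writes = defaultdict(int)
    unmapped = set()
    for e in events:
        if e["sig"] == "WriteProcessMemory":
            writes[(e["pid"], e["target"])] += 1
        elif e["sig"] == "UnmapMainImage":
            unmapped.add(e["pid"])

    findings = []
    for (src, dst), count in sorted(writes.items()):
        child = processes.get(dst)
        if child is None or child["parent"] != src:
            continue  # write into a process it did not spawn: a different pattern
        findings.append({
            "writer": src,
            "target": dst,
            "writes": count,
            "same_image": child["image"].lower() == processes[src]["image"].lower(),
            "target_unmapped": dst in unmapped,
        })
    return findings


def payload_replaced_on_disk(sample_sha256, dropped_sha256):
    """True when the file captured under Downloads is not the submitted sample,
    so it needs its own hashes and its own detonation rather than the
    submission's IoCs."""
    return sample_sha256.lower() != dropped_sha256.lower()


if __name__ == "__main__":
    for finding in find_self_injection(PROCESSES, EVENTS):
        print(finding)
    pid, start, end = parse_dump_name(
        "behavioral1/memory/2444-0-0x0000000000400000-0x00000000008EF000-memory.dmp")
    print(f"pid {pid}: mapped image 0x{start:X}-0x{end:X} ({end - start} bytes)")
    print("captured file differs from submission:",
          payload_replaced_on_disk(SAMPLE_SHA256, DROPPED_SHA256))
```

The mapped range 0x400000-0x8EF000 is about 5.2 MB against a 2.9 MB file, which is consistent with the UPX match (the packed image reserves the unpacked size); the 2792-16 dump covers the same range, so dumping it after the parent's writes is the place to start when looking for the unpacked payload.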
Network
MITRE ATT&CK Matrix
Downloads
Filesize: 2.9MB
MD5: 0226b4fc0a8277c0d9bce1e14e6975ce
SHA1: 76985f8aa79b8408f959132b771b019117be8d1b
SHA256: a99f6886a5cc5def5d3eb348ba24ccaddda4f9f8514da8a2702e605f4cd61e6a
SHA512: 6b6981f462661083bf914ff451e9f0f989fc2f978836dc41a59b5296d2f75c83a44eee372f73d5680917d21b364459ec08ff907040836144a522f7da3d64ac7b