Analysis
max time kernel: 92s
max time network: 113s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03/02/2024, 09:33
Behavioral task: behavioral1
Sample: 8bfe194672fdba1eade987f40014f232.exe
Resource: win7-20231215-en
General
Target: 8bfe194672fdba1eade987f40014f232.exe
Size: 2.9MB
MD5: 8bfe194672fdba1eade987f40014f232
SHA1: 20dda5bf45aa10746c163c74b840d56c99db7389
SHA256: a4c6df043f502f85bee9a0b17bddb21980305bb3db8a5cf9944315b85fcf4b77
SHA512: 3bf5c6917aea37929ae0bca071dd1121362d4452fd5946721b02f2dc711e82e8a95bee09b353b733a6a453ae892cc4fb909b7fdf2d677f875190f553d1a0c739
SSDEEP: 49152:lKvFwEK8rN9lP3cI588iiNu0Bm6B5VBON74NH5HUyNRcUsCVOzetdZJ:lK6EKW9ln4i/5O4HBUCczzM3
Malware Config
Extracted: gozi
Signatures

Deletes itself (1 IoCs)
pid | Process
1964 | 8bfe194672fdba1eade987f40014f232.exe

Executes dropped EXE (1 IoCs)
pid | Process
1964 | 8bfe194672fdba1eade987f40014f232.exe

yara_rule matches
resource | yara_rule
behavioral2/memory/3208-0-0x0000000000400000-0x00000000008EF000-memory.dmp | upx
behavioral2/files/0x00080000000231fd-11.dat | upx
behavioral2/memory/1964-14-0x0000000000400000-0x00000000008EF000-memory.dmp | upx

Suspicious behavior: RenamesItself (1 IoCs)
pid | Process
3208 | 8bfe194672fdba1eade987f40014f232.exe

Suspicious use of UnmapMainImage (2 IoCs)
pid | Process
3208 | 8bfe194672fdba1eade987f40014f232.exe
1964 | 8bfe194672fdba1eade987f40014f232.exe

Suspicious use of WriteProcessMemory (3 IoCs)
description | pid | Process | procid_target
PID 3208 wrote to memory of 1964 | 3208 | 8bfe194672fdba1eade987f40014f232.exe | 85
PID 3208 wrote to memory of 1964 | 3208 | 8bfe194672fdba1eade987f40014f232.exe | 85
PID 3208 wrote to memory of 1964 | 3208 | 8bfe194672fdba1eade987f40014f232.exe | 85
Processes

1. C:\Users\Admin\AppData\Local\Temp\8bfe194672fdba1eade987f40014f232.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\8bfe194672fdba1eade987f40014f232.exe"
   PID: 3208
   - Suspicious behavior: RenamesItself
   - Suspicious use of UnmapMainImage
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\8bfe194672fdba1eade987f40014f232.exe (child of PID 3208)
      Command line: C:\Users\Admin\AppData\Local\Temp\8bfe194672fdba1eade987f40014f232.exe
      PID: 1964
      - Deletes itself
      - Executes dropped EXE
      - Suspicious use of UnmapMainImage
Network
MITRE ATT&CK Matrix
Downloads
Filesize: 722KB
MD5: 425f208d0709e9024095697a00c10e6d
SHA1: 5881b776108cf9a5ef1f50f442aed8d88a8866e8
SHA256: fd67a5c8079f36a7fa6f75daf2d828418f24af54f2e8052f59eee0e5e0f80aae
SHA512: bb4578f4b618e7e32ec842621aee942ed56c15daa855b6321d6e772e807f264d3464c05dd7a8f83425d658257f1b8db080846e0552d88ac4d92dae3b7212dcf3