Analysis
- max time kernel: 150s
- max time network: 157s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03/02/2024, 10:25
Behavioral task: behavioral1
- Sample: 8c18208998ce44c0b1bc34ca41af7e2a.exe
- Resource: win7-20231215-en
General
- Target: 8c18208998ce44c0b1bc34ca41af7e2a.exe
- Size: 5.8MB
- MD5: 8c18208998ce44c0b1bc34ca41af7e2a
- SHA1: 36bf8fb200a7a5d2e3f68a1e38ee3370357d670d
- SHA256: 9204d231692037fe3cf3ce5694569cad170d46514b8102b36ed5657cb8c0cc4b
- SHA512: c9e843950e92ccb71f385e7c93048d610a8bba3390635d01775f8d362ee7244f9d4164894221c02b4a32af29145a2cb7fe372e005bbd5c6fcccf98f02cd771fc
- SSDEEP: 98304:pKvkW/bRTKTuwVgg3gnl/IVUs1jePsgzOSgz9Mj4jhSHaHgg3gnl/IVUs1jePs:AsW/bRTmuwjgl/iBiPK5rjgalgl/iBiP
Malware Config
- Extracted family: gozi
Signatures
- Deletes itself (1 IoC)
  pid 4284, process 8c18208998ce44c0b1bc34ca41af7e2a.exe
- Executes dropped EXE (1 IoC)
  pid 4284, process 8c18208998ce44c0b1bc34ca41af7e2a.exe
- UPX packed file (yara rule: upx)
  behavioral2/memory/4080-0-0x0000000000400000-0x00000000008EF000-memory.dmp
  behavioral2/files/0x0007000000023124-11.dat
  behavioral2/memory/4284-13-0x0000000000400000-0x00000000008EF000-memory.dmp
- Suspicious behavior: RenamesItself (1 IoC)
  pid 4080, process 8c18208998ce44c0b1bc34ca41af7e2a.exe
- Suspicious use of UnmapMainImage (2 IoCs)
  pid 4080, process 8c18208998ce44c0b1bc34ca41af7e2a.exe
  pid 4284, process 8c18208998ce44c0b1bc34ca41af7e2a.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  PID 4080 wrote to memory of 4284 (8c18208998ce44c0b1bc34ca41af7e2a.exe), procid_target 84
  PID 4080 wrote to memory of 4284 (8c18208998ce44c0b1bc34ca41af7e2a.exe), procid_target 84
  PID 4080 wrote to memory of 4284 (8c18208998ce44c0b1bc34ca41af7e2a.exe), procid_target 84
Processes
1. C:\Users\Admin\AppData\Local\Temp\8c18208998ce44c0b1bc34ca41af7e2a.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\8c18208998ce44c0b1bc34ca41af7e2a.exe"
   PID: 4080
   - Suspicious behavior: RenamesItself
   - Suspicious use of UnmapMainImage
   - Suspicious use of WriteProcessMemory
2. C:\Users\Admin\AppData\Local\Temp\8c18208998ce44c0b1bc34ca41af7e2a.exe (child of PID 4080)
   Command line: C:\Users\Admin\AppData\Local\Temp\8c18208998ce44c0b1bc34ca41af7e2a.exe
   PID: 4284
   - Deletes itself
   - Executes dropped EXE
   - Suspicious use of UnmapMainImage
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 3.7MB
- MD5: 932ace4f7fbd64ffbbaed5e7313688c5
- SHA1: 6f85f17235c993a3b8412c14a7cfb27c3194b498
- SHA256: 717da2e2e87976e6ab2b93019d1bd289b2de1b375c14cb3e7d1edbe522c4ed89
- SHA512: a7a2b082eb70ba92cabcc0cf8465dcce11cb7a9bce117ee8d09e6270c56bf966ca1fd8b48f4a597d16e7dfbcb96e3522c4fbdebc523287ca3360cd85a67ad92c