Analysis
-
max time kernel: 118s
max time network: 121s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64 arch:x86 image:win7-20231129-en locale:en-us os:windows7-x64 system
submitted: 03/02/2024, 17:08
Behavioral task
behavioral1
Sample
8ce04c1b7657b765eb9bd1fa9a7a8372.exe
Resource
win7-20231129-en
General
-
Target
8ce04c1b7657b765eb9bd1fa9a7a8372.exe
-
Size
2.9MB
-
MD5
8ce04c1b7657b765eb9bd1fa9a7a8372
-
SHA1
2655e838d0ebc077950f3cf2c0283c4c192ea193
-
SHA256
6a4b9be261ece2991aab2c3513e9f80b5877baf30e4ff3f0c7fc871fc87bc61f
-
SHA512
4c444f0c6aae0145e886bb68d60ce771ffdd9d548b0afa40d83c1b9cfbdf3a80e2ec310c07b899aa15145d453d237299a7c4467fb2423f744fb7fb71e4b85a0d
-
SSDEEP
49152:iZmAJV51OgKN1jvfP9iLHxkX/AOlP4M338dB2IBlGuuDVUsdxxjeQZwxPYRKs:4mAnCgSjvfoL2vAOlgg3gnl/IVUs1jek
Malware Config
Signatures
-
Deletes itself 1 IoCs
pid 2352, Process 8ce04c1b7657b765eb9bd1fa9a7a8372.exe
Executes dropped EXE 1 IoCs
pid 2352, Process 8ce04c1b7657b765eb9bd1fa9a7a8372.exe
Loads dropped DLL 1 IoCs
pid 2220, Process 8ce04c1b7657b765eb9bd1fa9a7a8372.exe
resource yara_rule
behavioral1/memory/2220-1-0x0000000000400000-0x00000000008EF000-memory.dmp upx
behavioral1/files/0x000b000000015cfa-10.dat upx
behavioral1/files/0x000b000000015cfa-13.dat upx
behavioral1/files/0x000b000000015cfa-12.dat upx
Suspicious behavior: RenamesItself 1 IoCs
pid 2220, Process 8ce04c1b7657b765eb9bd1fa9a7a8372.exe
Suspicious use of UnmapMainImage 2 IoCs
pid 2220, Process 8ce04c1b7657b765eb9bd1fa9a7a8372.exe
pid 2352, Process 8ce04c1b7657b765eb9bd1fa9a7a8372.exe
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target
PID 2220 wrote to memory of 2352 2220 8ce04c1b7657b765eb9bd1fa9a7a8372.exe 28
PID 2220 wrote to memory of 2352 2220 8ce04c1b7657b765eb9bd1fa9a7a8372.exe 28
PID 2220 wrote to memory of 2352 2220 8ce04c1b7657b765eb9bd1fa9a7a8372.exe 28
PID 2220 wrote to memory of 2352 2220 8ce04c1b7657b765eb9bd1fa9a7a8372.exe 28
Processes
-
C:\Users\Admin\AppData\Local\Temp\8ce04c1b7657b765eb9bd1fa9a7a8372.exe
"C:\Users\Admin\AppData\Local\Temp\8ce04c1b7657b765eb9bd1fa9a7a8372.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2220 -
C:\Users\Admin\AppData\Local\Temp\8ce04c1b7657b765eb9bd1fa9a7a8372.exe
C:\Users\Admin\AppData\Local\Temp\8ce04c1b7657b765eb9bd1fa9a7a8372.exe
2⤵
- Deletes itself
- Executes dropped EXE
- Suspicious use of UnmapMainImage
PID:2352
-
Network
MITRE ATT&CK Matrix
Downloads
-
Filesize 163KB
MD5 ef6bc13be4e564614bdc9d6c48f2cf9e
SHA1 1ca4802d38ff94a25c3e34096b7fdd817fdcec98
SHA256 d468c37fbb578abd65b10147ac795049deccceb6c90d699a1a70b4be6dd0bfeb
SHA512 3f2d8524ac7999098e52656664022d8c419d5e6f9787564506d5de8a4efde47c49d3f96e44f619bbd3d4fff847d1c5220bd57e7bee64686ffc812aa82ab1a33d
-
Filesize 134KB
MD5 a322d39d10430f877741a6667ee5a63d
SHA1 999ba09295b3922ab81e12f8bc51e334a574bba1
SHA256 c3ee8e04aebafe60f6b2e0722fb29bda09db62109c1548655198641f04b141e2
SHA512 bf24fe9da8d58b5dcaed292569e091347a213861d38e4b72c32027a60456b9ee21869103ea23c13bf6e9e1d66661a4824e9f5ec9a0df0b3fd1f7f7851d6fab7a
-
Filesize 203KB
MD5 56c7a81c9f8ce2ec4ba125125c6cec0f
SHA1 f52fd4854e91d1d99551e040a1fb662750fca58b
SHA256 c436350e4a9fa32fc9a712ad151ebdd965d7582ed77d9affdde7adfeace5b4be
SHA512 e47bf1acb952e6ece52d6d8bc1f4bd39ff9cdf5fb9d4ec9ffdd984180c9ce1f6b42a63341017a55320cada1b4d4239d903693eb4567a535571a928c9cdea0281