Analysis
- max time kernel: 92s
- max time network: 121s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03/02/2024, 17:08
Behavioral task
- behavioral1
- Sample: 8ce04c1b7657b765eb9bd1fa9a7a8372.exe
- Resource: win7-20231129-en
General
- Target: 8ce04c1b7657b765eb9bd1fa9a7a8372.exe
- Size: 2.9MB
- MD5: 8ce04c1b7657b765eb9bd1fa9a7a8372
- SHA1: 2655e838d0ebc077950f3cf2c0283c4c192ea193
- SHA256: 6a4b9be261ece2991aab2c3513e9f80b5877baf30e4ff3f0c7fc871fc87bc61f
- SHA512: 4c444f0c6aae0145e886bb68d60ce771ffdd9d548b0afa40d83c1b9cfbdf3a80e2ec310c07b899aa15145d453d237299a7c4467fb2423f744fb7fb71e4b85a0d
- SSDEEP: 49152:iZmAJV51OgKN1jvfP9iLHxkX/AOlP4M338dB2IBlGuuDVUsdxxjeQZwxPYRKs:4mAnCgSjvfoL2vAOlgg3gnl/IVUs1jek
Malware Config
- Extracted: gozi
Signatures
- Deletes itself (1 IoCs)
  pid 2696, process 8ce04c1b7657b765eb9bd1fa9a7a8372.exe
- Executes dropped EXE (1 IoCs)
  pid 2696, process 8ce04c1b7657b765eb9bd1fa9a7a8372.exe
- YARA rule matches (resource / yara_rule)
  behavioral2/memory/2200-0-0x0000000000400000-0x00000000008EF000-memory.dmp / upx
  behavioral2/files/0x0007000000023227-11.dat / upx
- Suspicious behavior: RenamesItself (1 IoCs)
  pid 2200, process 8ce04c1b7657b765eb9bd1fa9a7a8372.exe
- Suspicious use of UnmapMainImage (2 IoCs)
  pid 2200, process 8ce04c1b7657b765eb9bd1fa9a7a8372.exe
  pid 2696, process 8ce04c1b7657b765eb9bd1fa9a7a8372.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description: PID 2200 wrote to memory of 2696; pid 2200; process 8ce04c1b7657b765eb9bd1fa9a7a8372.exe; procid_target 84
  description: PID 2200 wrote to memory of 2696; pid 2200; process 8ce04c1b7657b765eb9bd1fa9a7a8372.exe; procid_target 84
  description: PID 2200 wrote to memory of 2696; pid 2200; process 8ce04c1b7657b765eb9bd1fa9a7a8372.exe; procid_target 84
Processes
- C:\Users\Admin\AppData\Local\Temp\8ce04c1b7657b765eb9bd1fa9a7a8372.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\8ce04c1b7657b765eb9bd1fa9a7a8372.exe"
  - Suspicious behavior: RenamesItself
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID: 2200
  - C:\Users\Admin\AppData\Local\Temp\8ce04c1b7657b765eb9bd1fa9a7a8372.exe (level 2, child of PID 2200)
    Command line: C:\Users\Admin\AppData\Local\Temp\8ce04c1b7657b765eb9bd1fa9a7a8372.exe
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of UnmapMainImage
    PID: 2696
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 2.2MB
  MD5: a349f110bc4c321582e863f3f808ec8e
  SHA1: c0603a3c7672a1b81d252064ed669ff689bfbd09
  SHA256: b06f479d36b8ab8d82742001b1eabeccd67dee472b48bcfbadc1d0dcd0db7b34
  SHA512: 05eec7329d769aa8c265634c7b278416bebf98f8bdf21c4da6a66737059a459f97cfaafa0a9b71cda42826522d54038d00d13b19dc74439c1f5b61aedee9d110