Analysis
-
max time kernel
118s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64 arch:x86 image:win7-20231129-en locale:en-us os:windows7-x64 system -
submitted
03/02/2024, 19:22
Behavioral task
behavioral1
Sample
8d245426988d44f119dcbcc06786b1cf.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
8d245426988d44f119dcbcc06786b1cf.exe
Resource
win10v2004-20231215-en
General
-
Target
8d245426988d44f119dcbcc06786b1cf.exe
-
Size
2.4MB
-
MD5
8d245426988d44f119dcbcc06786b1cf
-
SHA1
af1f84314abd4f51b2772d52d9722dcd378dbbcf
-
SHA256
a0534fdb6d88c10a42c37a0ea421fd97aa1afa9a364458baebc4380a35c10fa0
-
SHA512
a7ad19785ad7288f3a0f02110d4773a2cc718faf0e753e9d246a6a5215a95e5c3a919d9c718d31a8ba37a985677cc99f835f6ff921d26a89e22d4ab2eeaaa92d
-
SSDEEP
49152:nsYtTFW0GgJ5xsPXuoOYJitT/P4M338dB2IBlGuuDVUsdxxjr:CgWSY4tDgg3gnl/IVUs1jr
Malware Config
Extracted
gozi
Signatures
-
Deletes itself 1 IoCs
pid Process
2860 8d245426988d44f119dcbcc06786b1cf.exe -
Executes dropped EXE 1 IoCs
pid Process
2860 8d245426988d44f119dcbcc06786b1cf.exe -
Loads dropped DLL 1 IoCs
pid Process
2216 8d245426988d44f119dcbcc06786b1cf.exe -
resource yara_rule
behavioral1/memory/2216-0-0x0000000000400000-0x00000000008EF000-memory.dmp upx
behavioral1/files/0x000a00000001650c-10.dat upx
behavioral1/files/0x000a00000001650c-15.dat upx -
Suspicious behavior: RenamesItself 1 IoCs
pid Process
2216 8d245426988d44f119dcbcc06786b1cf.exe -
Suspicious use of UnmapMainImage 2 IoCs
pid Process
2216 8d245426988d44f119dcbcc06786b1cf.exe
2860 8d245426988d44f119dcbcc06786b1cf.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target
PID 2216 wrote to memory of 2860 2216 8d245426988d44f119dcbcc06786b1cf.exe 28
PID 2216 wrote to memory of 2860 2216 8d245426988d44f119dcbcc06786b1cf.exe 28
PID 2216 wrote to memory of 2860 2216 8d245426988d44f119dcbcc06786b1cf.exe 28
PID 2216 wrote to memory of 2860 2216 8d245426988d44f119dcbcc06786b1cf.exe 28
Processes
-
C:\Users\Admin\AppData\Local\Temp\8d245426988d44f119dcbcc06786b1cf.exe
"C:\Users\Admin\AppData\Local\Temp\8d245426988d44f119dcbcc06786b1cf.exe" (depth 1)
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2216 -
C:\Users\Admin\AppData\Local\Temp\8d245426988d44f119dcbcc06786b1cf.exe
C:\Users\Admin\AppData\Local\Temp\8d245426988d44f119dcbcc06786b1cf.exe (depth 2)
- Deletes itself
- Executes dropped EXE
- Suspicious use of UnmapMainImage
PID:2860
-
Network
MITRE ATT&CK Matrix
Replay Monitor
Downloads
-
Filesize
437KB
MD5
32dabf83837268d992e3a6d98b006676
SHA1
3b96c8e83834790b01e80bd4bad8afbae6244bb7
SHA256
cb23b6e8ccfffcbb2aa96a57f4a55d3c24077b298c30ce00337428500a53b24f
SHA512
48a1d548f443132e0f0b014633cd7a3824b4a6c075606a925b9851e6d5b2f82a79633e9ef976e2029992b8d72dd6bfcf3d53afb91300bd4468e80ea91fda14cb
-
Filesize
745KB
MD5
9a06ec0c482ade3ac3cef5b9a8a0e98b
SHA1
1dca69a45c1fe4622b07973c55ace4da52d33bd7
SHA256
461b803fffbd3b226fe911337a51912d0f25b5346cc8212e803cad8a828f7472
SHA512
0f33fded237411591300ad2427b5282d721b6d4b551cd012c3a2ce0cee31858a12b26b623b8aa8d2c6f59f28e7e549a515ad649ba2fea1c8d9ace6edcc5b7fb7