Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 93s
max time network: 123s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64 arch:x86 image:win10v2004-20231222-en locale:en-us os:windows10-2004-x64 system
submitted: 03/02/2024, 19:46
Behavioral task
behavioral1
Sample
8d308d3895fc99a562209b4f2c934bdb.exe
Resource
win7-20231215-en
General
Target: 8d308d3895fc99a562209b4f2c934bdb.exe
Size: 2.9MB
MD5: 8d308d3895fc99a562209b4f2c934bdb
SHA1: 5cd3937880b0f6b5e14db40426e42e13d18775a8
SHA256: aba8495d4cbe3246d63612ac684df11435024ebf6c7e9047a615673bce6a918a
SHA512: cca38743909c5c26ae213d0b77e889c42da0220b011eb63b8c166f94c44acad928e6af8e663c4fd933c1ef4dc96f05f1991c6108ef5bfade238f7a44719472fb
SSDEEP: 49152:198meMin3EsR0QlXXPN74NH5HUyNRcUsCVOzetdZJ:Lo3dRZXP4HBUCczzM3
Malware Config
Extracted
gozi
Signatures
Deletes itself (1 IoC)
  pid 3688  8d308d3895fc99a562209b4f2c934bdb.exe
Executes dropped EXE (1 IoC)
  pid 3688  8d308d3895fc99a562209b4f2c934bdb.exe
YARA rule hits: upx (3 IoCs)
  behavioral2/memory/2336-0-0x0000000000400000-0x00000000008EF000-memory.dmp
  behavioral2/files/0x00070000000231ed-11.dat
  behavioral2/memory/3688-13-0x0000000000400000-0x00000000008EF000-memory.dmp
Suspicious behavior: RenamesItself (1 IoC)
  pid 2336  8d308d3895fc99a562209b4f2c934bdb.exe
Suspicious use of UnmapMainImage (2 IoCs)
  pid 2336  8d308d3895fc99a562209b4f2c934bdb.exe
  pid 3688  8d308d3895fc99a562209b4f2c934bdb.exe
Suspicious use of WriteProcessMemory (3 IoCs)
  description                          pid   Process                               procid_target
  PID 2336 wrote to memory of 3688     2336  8d308d3895fc99a562209b4f2c934bdb.exe  85
  PID 2336 wrote to memory of 3688     2336  8d308d3895fc99a562209b4f2c934bdb.exe  85
  PID 2336 wrote to memory of 3688     2336  8d308d3895fc99a562209b4f2c934bdb.exe  85
Processes
1. C:\Users\Admin\AppData\Local\Temp\8d308d3895fc99a562209b4f2c934bdb.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\8d308d3895fc99a562209b4f2c934bdb.exe"
   PID: 2336
   - Suspicious behavior: RenamesItself
   - Suspicious use of UnmapMainImage
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\8d308d3895fc99a562209b4f2c934bdb.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\8d308d3895fc99a562209b4f2c934bdb.exe
      PID: 3688
      - Deletes itself
      - Executes dropped EXE
      - Suspicious use of UnmapMainImage
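The process tree and signatures above describe one chain: the sample (PID 2336) launches a second copy of itself from the same path (PID 3688), writes into that child's memory (WriteProcessMemory), both unmap their main image, and the child then deletes the original file. The following is an added detection example, not part of this report or of Triage's own rule set: it correlates that chain over constructed, Sysmon-style event records (process create, process access, file delete). The record shape and field names are a simplified assumption for the example, not the real Sysmon schema; the PIDs and path follow this report, the remaining events are constructed noise.

```python
"""Correlate a self-injection chain over simplified Sysmon-style events:
parent spawns a copy of its own image, opens the child with memory-write
rights, and the child deletes the parent's image file. Example code added
to this report; not Triage output and not a real Sysmon schema."""

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\8d308d3895fc99a562209b4f2c934bdb.exe"

# Win32 PROCESS_* access-right bits; WriteProcessMemory needs both.
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
WRITE_MASK = PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Constructed records (assumed field names). id 1 = process create,
# id 10 = process access, id 23 = file delete. PIDs follow the report:
# 2336 spawns 3688 from the same path, writes into it, 3688 removes the file.
EVENTS = [
    {"id": 1, "pid": 1000, "ppid": 800, "image": r"C:\Windows\explorer.exe"},
    {"id": 1, "pid": 2336, "ppid": 1000, "image": SAMPLE},
    {"id": 1, "pid": 3688, "ppid": 2336, "image": SAMPLE},
    {"id": 10, "source_pid": 2336, "target_pid": 3688, "granted_access": "0x1FFFFF"},
    {"id": 23, "pid": 3688, "target_file": SAMPLE},
    # Benign noise: cmd.exe re-spawning cmd.exe with no further stage, and a
    # monitoring tool opening 3688 with query rights only (0x1000).
    {"id": 1, "pid": 500, "ppid": 1000, "image": r"C:\Windows\System32\cmd.exe"},
    {"id": 1, "pid": 600, "ppid": 500, "image": r"C:\Windows\System32\cmd.exe"},
    {"id": 10, "source_pid": 700, "target_pid": 3688, "granted_access": "0x1000"},
]


def detect_self_injection(events):
    """Return findings for parent->child pairs where the child runs the same
    image as the parent. A pair is reported only when at least one further
    stage is seen (memory-write access to the child, or the child deleting
    the parent's image); a bare self-spawn alone is common enough to skip."""
    image_by_pid = {}
    pairs = {}  # (parent_pid, child_pid) -> set of observed stages

    # Pass 1: build the process table and find same-image parent/child pairs.
    for ev in events:
        if ev["id"] != 1:
            continue
        image_by_pid[ev["pid"]] = ev["image"]
        parent_image = image_by_pid.get(ev["ppid"])
        if parent_image and parent_image.lower() == ev["image"].lower():
            pairs[(ev["ppid"], ev["pid"])] = {"spawn_self_copy"}

    # Pass 2: attach later stages to the candidate pairs.
    for ev in events:
        if ev["id"] == 10:
            key = (ev["source_pid"], ev["target_pid"])
            if key in pairs and int(ev["granted_access"], 16) & WRITE_MASK:
                pairs[key].add("vm_write_to_child")
        elif ev["id"] == 23:
            for (_parent, child), stages in pairs.items():
                if ev["pid"] == child and ev["target_file"].lower() == image_by_pid[child].lower():
                    stages.add("child_deletes_parent_image")

    return [
        {"parent_pid": p, "child_pid": c, "image": image_by_pid[c], "stages": sorted(s)}
        for (p, c), s in pairs.items()
        if len(s) > 1
    ]


if __name__ == "__main__":
    for finding in detect_self_injection(EVENTS):
        print(finding)
```

The access check keys on the granted-access mask rather than on the process-access event alone, because legitimate tooling opens processes with query rights all the time; only a handle carrying PROCESS_VM_OPERATION and PROCESS_VM_WRITE can back the WriteProcessMemory call the report flags. The self-delete stage is kept as a separate, optional stage so the rule still fires on the write alone, and the cmd.exe pair shows why a same-image spawn by itself is not reported.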
Network
MITRE ATT&CK Matrix
Downloads
Filesize: 940KB
MD5: 9c8ae011b8bc4fb80ded642fa90f0717
SHA1: 1bea2b1dc5404e0d3a903172e7e7d6a7087e11f3
SHA256: 464a6587fa5a350c92fd6c5b2d8369fc6eb8507395e286387dbaf2ed95d29c37
SHA512: 52db097accb5ce8668a0c8df449a412b40ab405e1a96d9d988e64b699131cba379861d186e4fac2c5243789844778779de483df4a429013175f82073ce4ae1c7