Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 117s
- max time network: 126s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 04/02/2024, 21:58
Behavioral task: behavioral1
- Sample: 904305f4e0d8a52a03c641d8409f8de7.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 904305f4e0d8a52a03c641d8409f8de7.exe
- Resource: win10v2004-20231215-en
General
- Target: 904305f4e0d8a52a03c641d8409f8de7.exe
- Size: 2.7MB
- MD5: 904305f4e0d8a52a03c641d8409f8de7
- SHA1: 1dd463a4952cbfabb6cb505bbeebd8e0a8a975e5
- SHA256: b55f740c977f269990661aad2113b013931bba4ce24ec40162b275d6c9d7ae87
- SHA512: c8b0c2a726086823043035916f3434fc5f5b277bafbee417b30efd7fcbbb7f1117f07a7511bd7394173298266412ed778dd83f65c5fe193c88fa654e1361a494
- SSDEEP: 49152:qQZenrWKFJeA7rFMU7oD8oK2InmO1Q8ZHtL1Y5Bn:xZerWKPeMMoeHK2IZ1Q8tfY
Malware Config
- Extracted family: gozi
Signatures
- Deletes itself (1 IoC)
  - pid 3068, process 904305f4e0d8a52a03c641d8409f8de7.exe
- Executes dropped EXE (1 IoC)
  - pid 3068, process 904305f4e0d8a52a03c641d8409f8de7.exe
- Loads dropped DLL (1 IoC)
  - pid 2212, process 904305f4e0d8a52a03c641d8409f8de7.exe
- UPX packed file (yara_rule upx matches)
  - behavioral1/memory/2212-0-0x0000000000400000-0x000000000086A000-memory.dmp
  - behavioral1/files/0x000a000000012238-15.dat
  - behavioral1/memory/2212-16-0x00000000038F0000-0x0000000003D5A000-memory.dmp
  - behavioral1/files/0x000a000000012238-11.dat
  - behavioral1/memory/3068-18-0x0000000000400000-0x000000000086A000-memory.dmp
- Suspicious behavior: RenamesItself (1 IoC)
  - pid 2212, process 904305f4e0d8a52a03c641d8409f8de7.exe
- Suspicious use of UnmapMainImage (2 IoCs)
  - pid 2212, process 904305f4e0d8a52a03c641d8409f8de7.exe
  - pid 3068, process 904305f4e0d8a52a03c641d8409f8de7.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  - PID 2212 (904305f4e0d8a52a03c641d8409f8de7.exe) wrote to memory of 3068, procid_target 28
  - PID 2212 (904305f4e0d8a52a03c641d8409f8de7.exe) wrote to memory of 3068, procid_target 28
  - PID 2212 (904305f4e0d8a52a03c641d8409f8de7.exe) wrote to memory of 3068, procid_target 28
  - PID 2212 (904305f4e0d8a52a03c641d8409f8de7.exe) wrote to memory of 3068, procid_target 28
Processes
- C:\Users\Admin\AppData\Local\Temp\904305f4e0d8a52a03c641d8409f8de7.exe (PID 2212)
  - Command line: "C:\Users\Admin\AppData\Local\Temp\904305f4e0d8a52a03c641d8409f8de7.exe"
  - Loads dropped DLL
  - Suspicious behavior: RenamesItself
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Users\Admin\AppData\Local\Temp\904305f4e0d8a52a03c641d8409f8de7.exe (PID 3068)
    - Command line: C:\Users\Admin\AppData\Local\Temp\904305f4e0d8a52a03c641d8409f8de7.exe
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of UnmapMainImage
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 2.6MB
  - MD5: b5ab6dc9a7f0f713e930fbfdd6bad3ab
  - SHA1: 07bc16e211de5b23ee7ff9bf889a801cb659d752
  - SHA256: 9fcad4ecb7492f80de826449c4124af7f38e146201b48acddc9d0e993f8b1aba
  - SHA512: 1335d36ed6dff8d9b7315a555252264d82ef3e340028de2bf53dce23e6e6f4b6891e0a03c2c70d5bf28f6b64422e7e86c713a7a43076867ae627e93961b2e717
- Filesize: 2.7MB
  - MD5: ebe70e59c5f6fdec294a1830a26c8475
  - SHA1: 3510237464c29e1d04b6fa1d8da24edd98a11df6
  - SHA256: e825bbd6e1ab0778cc9f85e1560ade76725c6d6045e02a481b85fcc6879ac3ed
  - SHA512: 6184923ad558ced7fc68c117de1c15bdc8283b82f4c49ac45e6c78f417ce8917117e3cff621963b697dd315417db75212b468dfacd925620009ec4ba357dd2b2