Analysis
- max time kernel: 90s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04/02/2024, 00:48
Behavioral task: behavioral1
- Sample: 8dcc02da6f74a931c78ba46ea86e7d08.exe
- Resource: win7-20231215-en
General
- Target: 8dcc02da6f74a931c78ba46ea86e7d08.exe
- Size: 2.7MB
- MD5: 8dcc02da6f74a931c78ba46ea86e7d08
- SHA1: e4edcc44e19a9b58b697df193cc41edcd2d93866
- SHA256: 3b5b0cf21f6be7712afd31c93c2f8e74b4121945358bc66fb3d84c752cde593b
- SHA512: a35f344cc142cff6dcc833d1503bdd4255a98e03d8c7e0444ac0b43982b1560b9f95f5b8737eb09e5d2b08672577b748d9543ff2c7275b93559678aa6a52d67d
- SSDEEP: 49152:AeTRt4i9q2GL6BMuYfNPBys1hFrG6WtzLwilcDKJ9gSP1Ykf:lTz8pL6S3lZVnFrWVJuSP1Ykf
Malware Config
- Extracted: gozi
Signatures
- Deletes itself (1 IoCs)
  pid  Process
  444  8dcc02da6f74a931c78ba46ea86e7d08.exe
- Executes dropped EXE (1 IoCs)
  pid  Process
  444  8dcc02da6f74a931c78ba46ea86e7d08.exe
- resource  yara_rule
  behavioral2/memory/3920-0-0x0000000000400000-0x00000000008EF000-memory.dmp  upx
  behavioral2/files/0x0007000000023223-12.dat  upx
- Suspicious behavior: RenamesItself (1 IoCs)
  pid   Process
  3920  8dcc02da6f74a931c78ba46ea86e7d08.exe
- Suspicious use of UnmapMainImage (2 IoCs)
  pid   Process
  3920  8dcc02da6f74a931c78ba46ea86e7d08.exe
  444   8dcc02da6f74a931c78ba46ea86e7d08.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description                        pid   Process                               procid_target
  PID 3920 wrote to memory of 444    3920  8dcc02da6f74a931c78ba46ea86e7d08.exe  85
  PID 3920 wrote to memory of 444    3920  8dcc02da6f74a931c78ba46ea86e7d08.exe  85
  PID 3920 wrote to memory of 444    3920  8dcc02da6f74a931c78ba46ea86e7d08.exe  85
Processes
- C:\Users\Admin\AppData\Local\Temp\8dcc02da6f74a931c78ba46ea86e7d08.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8dcc02da6f74a931c78ba46ea86e7d08.exe"
  - Suspicious behavior: RenamesItself
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID: 3920
  - C:\Users\Admin\AppData\Local\Temp\8dcc02da6f74a931c78ba46ea86e7d08.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\8dcc02da6f74a931c78ba46ea86e7d08.exe
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of UnmapMainImage
    PID: 444
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 123KB
- MD5: cdc386f40aa389a17615c14ea19882f6
- SHA1: 76c6b025bd1269d078f9efd653b5e6bf27fcbecc
- SHA256: 7078320804f490c52a70a226a63c1af80194bebe69bdd5773817a9392bfec253
- SHA512: 80cdb73168c9d58fbae8451a7f4f756cfbaf174931524151a1bff6c2da056b6c92468607851d20fe5c5bedea3472195d95637b059bc65c82781b4efe7132f5ec