Analysis
  max time kernel:  140s
  max time network: 121s
  platform:         windows7_x64
  resource:         win7-20231129-en
  resource tags:    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  submitted:        04/02/2024, 09:24
Static task: static1

Behavioral task: behavioral1
  Sample:   8eca46b796c3f4b07c5cf4282b1b076a.exe
  Resource: win7-20231129-en

Behavioral task: behavioral2
  Sample:   8eca46b796c3f4b07c5cf4282b1b076a.exe
  Resource: win10v2004-20231215-en
General
  Target: 8eca46b796c3f4b07c5cf4282b1b076a.exe
  Size:   2.5MB
  MD5:    8eca46b796c3f4b07c5cf4282b1b076a
  SHA1:   a64b462bccfb1a726cad6ffd0d7237984d0b6a3f
  SHA256: 53015ec4339dca036dcd4be39565c626d49e1ca9fd6242642050afb281f7df45
  SHA512: 6639bddaa382d8e484a12c06e659e0156e3758aca015b265e5372e259cadf80baf6f87f059527ffdc2528e7e3bb5a2561d7dc9b4eb415eb1ccbd41406edf9742
  SSDEEP: 49152:52YT/j0AG7BmgYBf/ZkYDXAOcL/szp/mPrDpPYQ1qX2w5aV:sgj0JVm/peYDXAOc4duDDpI8
Malware Config
Signatures
  Executes dropped EXE (2 IoCs)
    PID 2988  StpFC68_TMP.EXE
    PID 2520  StpFC68_TMP.tmp
  Loads dropped DLL (6 IoCs)
    PID 2932  8eca46b796c3f4b07c5cf4282b1b076a.exe
    PID 2988  StpFC68_TMP.EXE  (x3)
    PID 2520  StpFC68_TMP.tmp  (x2)
  Enumerates physical storage devices (1 TTPs)
    Attempts to interact with connected storage/optical drive(s).
  Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
    PID 2520  StpFC68_TMP.tmp
  Suspicious use of WriteProcessMemory (14 IoCs)
    PID 2932 (8eca46b796c3f4b07c5cf4282b1b076a.exe) wrote to memory of PID 2988, procid_target 28  (x7)
    PID 2988 (StpFC68_TMP.EXE) wrote to memory of PID 2520, procid_target 29  (x7)
Processes
  [1] C:\Users\Admin\AppData\Local\Temp\8eca46b796c3f4b07c5cf4282b1b076a.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\8eca46b796c3f4b07c5cf4282b1b076a.exe"
      PID: 2932
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\StpFC68_TMP.EXE  (child of PID 2932)
        Command line: "C:\Users\Admin\AppData\Local\Temp\StpFC68_TMP.EXE"
        PID: 2988
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
      [3] C:\Users\Admin\AppData\Local\Temp\is-KUSMU.tmp\StpFC68_TMP.tmp  (child of PID 2988)
          Command line: "C:\Users\Admin\AppData\Local\Temp\is-KUSMU.tmp\StpFC68_TMP.tmp" /SL5="$40016,2257206,53248,C:\Users\Admin\AppData\Local\Temp\StpFC68_TMP.EXE"
          PID: 2520
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious behavior: GetForegroundWindowSpam
Network
MITRE ATT&CK Enterprise v15
Downloads