Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel
120s
max time network
125s
platform
windows7_x64
resource
win7-20231215-en
resource tags
arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted
04/02/2024, 11:18
Behavioral task
behavioral1
Sample
8f0452d3c4f839326cf0f5ad24be5caf.exe
Resource
win7-20231215-en
General
Target
8f0452d3c4f839326cf0f5ad24be5caf.exe
Size
5.8MB
MD5
8f0452d3c4f839326cf0f5ad24be5caf
SHA1
8b2dbdd9469a5605326727f3c383e8f4c9e45e38
SHA256
7c95eea2f691db56ee2eb16647e82b946a1d6ea9d016e9d237e4c9a0f327e905
SHA512
5d319e31ff46191a3cfbef76d3254350390526e83cdca6d3bca94c10d97b268787f6576762f005b115c9e980ff0c9011db0ffa556de8e032367aa4d142866861
SSDEEP
98304:Md3XaPAKecQcjHau42c1joCjMPkNwk6alDAqD7z3uboHau42c1joCjMPkNwk6:MNK4KMcjauq1jI86FA7y2auq1jI86
Malware Config
Signatures

Deletes itself (1 IoCs)
pid | Process
3016 | 8f0452d3c4f839326cf0f5ad24be5caf.exe

Executes dropped EXE (1 IoCs)
pid | Process
3016 | 8f0452d3c4f839326cf0f5ad24be5caf.exe

Loads dropped DLL (1 IoCs)
pid | Process
2120 | 8f0452d3c4f839326cf0f5ad24be5caf.exe

resource | yara_rule
behavioral1/memory/2120-0-0x0000000000400000-0x00000000008EF000-memory.dmp | upx
behavioral1/files/0x000a00000001225a-10.dat | upx
behavioral1/files/0x000a00000001225a-14.dat | upx
behavioral1/memory/3016-16-0x0000000000400000-0x00000000008EF000-memory.dmp | upx

Suspicious behavior: RenamesItself (1 IoCs)
pid | Process
2120 | 8f0452d3c4f839326cf0f5ad24be5caf.exe

Suspicious use of UnmapMainImage (2 IoCs)
pid | Process
2120 | 8f0452d3c4f839326cf0f5ad24be5caf.exe
3016 | 8f0452d3c4f839326cf0f5ad24be5caf.exe

Suspicious use of WriteProcessMemory (4 IoCs)
description | pid | Process | procid_target
PID 2120 wrote to memory of 3016 | 2120 | 8f0452d3c4f839326cf0f5ad24be5caf.exe | 28
PID 2120 wrote to memory of 3016 | 2120 | 8f0452d3c4f839326cf0f5ad24be5caf.exe | 28
PID 2120 wrote to memory of 3016 | 2120 | 8f0452d3c4f839326cf0f5ad24be5caf.exe | 28
PID 2120 wrote to memory of 3016 | 2120 | 8f0452d3c4f839326cf0f5ad24be5caf.exe | 28
Processes

1. C:\Users\Admin\AppData\Local\Temp\8f0452d3c4f839326cf0f5ad24be5caf.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\8f0452d3c4f839326cf0f5ad24be5caf.exe"
   PID: 2120
   - Loads dropped DLL
   - Suspicious behavior: RenamesItself
   - Suspicious use of UnmapMainImage
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\8f0452d3c4f839326cf0f5ad24be5caf.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\8f0452d3c4f839326cf0f5ad24be5caf.exe
      PID: 3016 (child of 2120)
      - Deletes itself
      - Executes dropped EXE
      - Suspicious use of UnmapMainImage
Network
MITRE ATT&CK Matrix
Downloads

Filesize
194KB
MD5
581806cb0cad5fc1ea6a9f8a5b596e87
SHA1
2c40fc3d15ef297fb6cf120379f4f32af6c0dc96
SHA256
ed92d17be4dfb61a61d260eb074d205ab1af2c9e8eb365c10f111e8c118debee
SHA512
c15ca85c749a9ae6a8f61b8da0f370b20728013dddd1d52cb004b99ef6727662a86d7a5552fc8f04c03c25b18695da6b6bb7df16bc14b1d524484d89b666d636

Filesize
314KB
MD5
b327b03056de151c7c74418a20c89588
SHA1
fbabc2cbad05da4a0e511ca1d071b467d4c46eb0
SHA256
a2410bf1468c53dcb9dbfb7ea169141d6be195f839ed1501a8561a2ee3af2d4f
SHA512
8bb4023fbc74d0e4eb9760ff4681b19bbb8567a4d21bd9bb418a8a95a1d1ec00884ee72a01df468f790e8d4e34a13c97b99af836e20a5d980772ac275e9980df