Analysis
- max time kernel: 91s
- max time network: 123s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04/02/2024, 11:18
Behavioral task: behavioral1
- Sample: 8f0452d3c4f839326cf0f5ad24be5caf.exe
- Resource: win7-20231215-en
General
- Target: 8f0452d3c4f839326cf0f5ad24be5caf.exe
- Size: 5.8MB
- MD5: 8f0452d3c4f839326cf0f5ad24be5caf
- SHA1: 8b2dbdd9469a5605326727f3c383e8f4c9e45e38
- SHA256: 7c95eea2f691db56ee2eb16647e82b946a1d6ea9d016e9d237e4c9a0f327e905
- SHA512: 5d319e31ff46191a3cfbef76d3254350390526e83cdca6d3bca94c10d97b268787f6576762f005b115c9e980ff0c9011db0ffa556de8e032367aa4d142866861
- SSDEEP: 98304:Md3XaPAKecQcjHau42c1joCjMPkNwk6alDAqD7z3uboHau42c1joCjMPkNwk6:MNK4KMcjauq1jI86FA7y2auq1jI86
Malware Config
- Extracted: gozi
Signatures
- Deletes itself (1 IoC)
  pid 3512, process 8f0452d3c4f839326cf0f5ad24be5caf.exe
- Executes dropped EXE (1 IoC)
  pid 3512, process 8f0452d3c4f839326cf0f5ad24be5caf.exe
- yara_rule matches (resource: rule)
  behavioral2/memory/1208-0-0x0000000000400000-0x00000000008EF000-memory.dmp: upx
  behavioral2/files/0x0008000000023218-11.dat: upx
  behavioral2/memory/3512-13-0x0000000000400000-0x00000000008EF000-memory.dmp: upx
- Suspicious behavior: RenamesItself (1 IoC)
  pid 1208, process 8f0452d3c4f839326cf0f5ad24be5caf.exe
- Suspicious use of UnmapMainImage (2 IoCs)
  pid 1208, process 8f0452d3c4f839326cf0f5ad24be5caf.exe
  pid 3512, process 8f0452d3c4f839326cf0f5ad24be5caf.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description: PID 1208 wrote to memory of 3512; pid 1208, process 8f0452d3c4f839326cf0f5ad24be5caf.exe, procid_target 85
  description: PID 1208 wrote to memory of 3512; pid 1208, process 8f0452d3c4f839326cf0f5ad24be5caf.exe, procid_target 85
  description: PID 1208 wrote to memory of 3512; pid 1208, process 8f0452d3c4f839326cf0f5ad24be5caf.exe, procid_target 85
Processes
- Level 1: C:\Users\Admin\AppData\Local\Temp\8f0452d3c4f839326cf0f5ad24be5caf.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8f0452d3c4f839326cf0f5ad24be5caf.exe"
  PID: 1208
  Signatures:
  - Suspicious behavior: RenamesItself
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  - Level 2 (child of PID 1208): C:\Users\Admin\AppData\Local\Temp\8f0452d3c4f839326cf0f5ad24be5caf.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\8f0452d3c4f839326cf0f5ad24be5caf.exe
    PID: 3512
    Signatures:
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of UnmapMainImage
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 272KB
  MD5: 5d169acd86c1ace2b3958d81b945f835
  SHA1: 1a1587fc3f4f23be1a37fbcbc63703e06be012ad
  SHA256: a31bf2c1006a271d5304732e1c4221a79b7abce66d52158cf25b1753f728e47c
  SHA512: 2eb20f754b7005b1a75657d685b10961e8fa8f501902f59697e234d39cc7708913c7a7b2d9c0fe2c2a208a76fcd6204fca3494cb262ecbd7f99f254b7f246b66