Analysis
  max time kernel:  120s
  max time network: 120s
  platform:         windows7_x64
  resource:         win7-20231215-en
  resource tags:    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  submitted:        04/02/2024, 12:35 UTC
Static task: static1

Behavioral task: behavioral1
  Sample:   8f2a75310286d05ce5aee4f7a3c1b40c.exe
  Resource: win7-20231215-en

Behavioral task: behavioral2
  Sample:   8f2a75310286d05ce5aee4f7a3c1b40c.exe
  Resource: win10v2004-20231215-en
General
  Target: 8f2a75310286d05ce5aee4f7a3c1b40c.exe
  Size:   94KB
  MD5:    8f2a75310286d05ce5aee4f7a3c1b40c
  SHA1:   2caf5dd981b76badb8f2e98ad37ff6130d1eba10
  SHA256: 635454dddf996a913567fb13134369eb926969eaa8bbad84530fbdff28f6afeb
  SHA512: ea55cc76f86e5a6a777f40b717ac275168920344324bc639a91e1566f5fc2e83301b7e7e0b774f4d5780606dfb30f18f37b59d91f4ee1fdbd86f3ae631b258f0
  SSDEEP: 1536:ffg+M2Y9oH+cpTKeyaI0Z/od8bDbRvU5yYeVYXrgITAGXBB3exYEjpepikFIy:ffgyY9oH+cTKGI0Z/oooeVYXrgI0GXW4
Malware Config

Signatures
  Deletes itself (1 IoC)
    pid   Process
    2844  cmd.exe

  Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).

  Suspicious use of WriteProcessMemory (4 IoCs)
    description                        pid   Process                               procid_target
    PID 3032 wrote to memory of 2844   3032  8f2a75310286d05ce5aee4f7a3c1b40c.exe  28
    PID 3032 wrote to memory of 2844   3032  8f2a75310286d05ce5aee4f7a3c1b40c.exe  28
    PID 3032 wrote to memory of 2844   3032  8f2a75310286d05ce5aee4f7a3c1b40c.exe  28
    PID 3032 wrote to memory of 2844   3032  8f2a75310286d05ce5aee4f7a3c1b40c.exe  28
Processes
  1. C:\Users\Admin\AppData\Local\Temp\8f2a75310286d05ce5aee4f7a3c1b40c.exe
     Command line: "C:\Users\Admin\AppData\Local\Temp\8f2a75310286d05ce5aee4f7a3c1b40c.exe"
     PID: 3032
     Signatures: Suspicious use of WriteProcessMemory

     2. C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\Ecp..bat" > nul 2> nul
        PID: 2844
        Signatures: Deletes itself
Network
  DNS lookups (all to remote address 8.8.8.8:53, record type IN A)

  Request                  Response                      Bytes sent  Bytes received  Packets sent  Packets received
  nba.com                  54.68.182.72, 34.213.106.51   53 B        85 B            1             1
  ig.com.br                54.198.170.253                55 B        71 B            1             1
  wikimediafoundation.org  192.0.66.2                    69 B        85 B            1             1
  cogistug.in              (no answer)                   57 B        110 B           1             1
  flashutilites.in         (no answer)                   62 B        115 B           1             1
  filesarchivesite.in      (no answer)                   65 B        118 B           1             1
MITRE ATT&CK Enterprise v15
Downloads
  Filesize: 210B
  MD5:      f9e8a757138e167ae5de853b7e4a19a7
  SHA1:     b34457a2047755e12f8db9e2bff048b145c260c5
  SHA256:   29a4f0aa1846939dfc3ccd3704b31fc98d21d664f19a3a4d39cf99d5683bbec2
  SHA512:   c9622babbf8e62cc0a336af03c3a58fc873688bfdc2b7e9539029c0c8cb1b62890b2f23e3779189a502963a42d0c4dab74c656f7089a78de68c9c91a26b9e85f