Analysis
- max time kernel: 91s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20231222-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05/02/2024, 15:47
Behavioral task
- behavioral1
  - Sample: 92636d9c2da69fb67865ba74e808b505.exe
  - Resource: win7-20231215-en

Note: the signature rows and memory dumps below are labelled behavioral2 (the windows10-2004_x64 run listed under Analysis); only the win7 task survives in this task listing.
General
- Target: 92636d9c2da69fb67865ba74e808b505.exe
- Size: 2.9MB
- MD5: 92636d9c2da69fb67865ba74e808b505
- SHA1: cb842a0d0caa6acf930498613d1c52021ed2dbeb
- SHA256: e8feb0667bf27d715e0d5c0ee9e5d3dfe73d4048644a30e46ed6c3b3a1dc4d37
- SHA512: d9d8f546968f6725e3ba565e3cd612ba2d15d645da59992567609520c284b8fb85457fd57082093de0e400a3729e31b0b4c9f0e888e41eb631cd025476da93d0
- SSDEEP: 49152:VmpKxfhU48zky2SZh7knIf4DuYdexNW6TdKP4M338dB2IBlGuuDVUsdxxjeQZwxs:WKxfhLpytbcIf4Du4o5TYgg3gnl/IVU8
Malware Config
- Extracted: gozi
Signatures
- Deletes itself (1 IoC)
  PID 3332, 92636d9c2da69fb67865ba74e808b505.exe
- Executes dropped EXE (1 IoC)
  PID 3332, 92636d9c2da69fb67865ba74e808b505.exe
- YARA rule match: upx (3 resources)
  behavioral2/memory/4976-0-0x0000000000400000-0x00000000008EF000-memory.dmp | upx
  behavioral2/files/0x00070000000231f7-11.dat | upx
  behavioral2/memory/3332-13-0x0000000000400000-0x00000000008EF000-memory.dmp | upx
- Suspicious behavior: RenamesItself (1 IoC)
  PID 4976, 92636d9c2da69fb67865ba74e808b505.exe
- Suspicious use of UnmapMainImage (2 IoCs)
  PID 4976, 92636d9c2da69fb67865ba74e808b505.exe
  PID 3332, 92636d9c2da69fb67865ba74e808b505.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | Process | procid_target
  PID 4976 wrote to memory of 3332 | 4976 | 92636d9c2da69fb67865ba74e808b505.exe | 85
  PID 4976 wrote to memory of 3332 | 4976 | 92636d9c2da69fb67865ba74e808b505.exe | 85
  PID 4976 wrote to memory of 3332 | 4976 | 92636d9c2da69fb67865ba74e808b505.exe | 85
Processes
- C:\Users\Admin\AppData\Local\Temp\92636d9c2da69fb67865ba74e808b505.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\92636d9c2da69fb67865ba74e808b505.exe"
  PID: 4976
  - Suspicious behavior: RenamesItself
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\92636d9c2da69fb67865ba74e808b505.exe (child of 4976)
    Command line: C:\Users\Admin\AppData\Local\Temp\92636d9c2da69fb67865ba74e808b505.exe
    PID: 3332
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of UnmapMainImage
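Read together, the signature rows and the process tree describe one sequence: PID 4976 launches a second copy of the same executable as PID 3332, writes into the child three times, both processes unmap their main image, the child then deletes the file on disk, and the YARA rule upx fires on the same region 0x400000-0x8EF000 in both processes' memory dumps. The Python below is an added example, not part of the tria.ge report or of the tooling behind it: it parses the report's own rows (transcribed here as constructed input) and flags that self-spawn-and-overwrite pattern. The field layout, function names and the heuristic itself (same image path, parent-child relationship, UnmapMainImage on either side, a cross-process write) are my own analyst assumptions, not something the report asserts.

```python
import re
from collections import Counter, defaultdict

# Constructed input, transcribed from the report's process tree and
# signature tables. Layout pid -> (image path, parent pid) is my own.
PROCESS_TREE = {
    4976: (r"C:\Users\Admin\AppData\Local\Temp\92636d9c2da69fb67865ba74e808b505.exe", None),
    3332: (r"C:\Users\Admin\AppData\Local\Temp\92636d9c2da69fb67865ba74e808b505.exe", 4976),
}

# The three WriteProcessMemory rows as printed in the signature table.
WRITE_LINES = [
    "PID 4976 wrote to memory of 3332 4976 92636d9c2da69fb67865ba74e808b505.exe 85",
] * 3

# PIDs listed under "Suspicious use of UnmapMainImage".
UNMAP_PIDS = {4976, 3332}

# YARA resource rows as printed in the report.
YARA_LINES = [
    "behavioral2/memory/4976-0-0x0000000000400000-0x00000000008EF000-memory.dmp upx",
    "behavioral2/files/0x00070000000231f7-11.dat upx",
    "behavioral2/memory/3332-13-0x0000000000400000-0x00000000008EF000-memory.dmp upx",
]

WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")
MEM_RE = re.compile(
    r"memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp\s+(\w+)"
)


def parse_writes(lines):
    """Count cross-process memory writes per (writer pid, target pid)."""
    counts = Counter()
    for line in lines:
        m = WRITE_RE.search(line)
        if m:
            counts[(int(m.group(1)), int(m.group(2)))] += 1
    return dict(counts)


def parse_memory_matches(lines):
    """Map pid -> {(start, end, rule)} for memory-dump YARA hits.
    File-resource hits carry no pid and are skipped."""
    hits = defaultdict(set)
    for line in lines:
        m = MEM_RE.search(line)
        if m:
            pid, start, end, rule = m.groups()
            hits[int(pid)].add((int(start, 16), int(end, 16), rule))
    return dict(hits)


def find_self_overwrite(tree, writes, unmap_pids):
    """Return (parent, child, write count) wherever a process spawned its own
    image, wrote into that child, and at least one of the two unmapped its
    main image. Paths compare case-insensitively, as NTFS does."""
    findings = []
    for (writer, target), n in sorted(writes.items()):
        if writer == target or writer not in tree or target not in tree:
            continue
        w_image, _ = tree[writer]
        t_image, t_parent = tree[target]
        same_image = w_image.lower() == t_image.lower()
        spawned_by_writer = t_parent == writer
        unmapped = bool({writer, target} & set(unmap_pids))
        if same_image and spawned_by_writer and unmapped:
            findings.append((writer, target, n))
    return findings


def shared_regions(hits):
    """Regions (start, end, rule) matched in more than one process: the same
    packed image present at the same base in parent and child."""
    owners = defaultdict(set)
    for pid, regions in hits.items():
        for region in regions:
            owners[region].add(pid)
    return {region: pids for region, pids in owners.items() if len(pids) > 1}


if __name__ == "__main__":
    writes = parse_writes(WRITE_LINES)
    for parent, child, n in find_self_overwrite(PROCESS_TREE, writes, UNMAP_PIDS):
        print(f"self-overwrite: {parent} -> {child} ({n} writes)")
    for (start, end, rule), pids in shared_regions(parse_memory_matches(YARA_LINES)).items():
        print(f"{rule} region 0x{start:X}-0x{end:X} present in pids {sorted(pids)}")
```

The heuristic deliberately requires all three conditions; a child that simply shares its parent's image (a normal re-launch) or a write into an unrelated process is not flagged on its own.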
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 306KB
  MD5: 20aeee364cf00cb3b56eaed004585852
  SHA1: 4f0f6ed142061b475f020c5001cff87e4db38508
  SHA256: 1130d25a6d35e3ae553db19de8c19534edbc361ca1ad9cbd6a6e8941d8e8de9b
  SHA512: ed38c981c62b5d5c0851a8db4e900edf99c47d41736cc5a3d5e5102f00c4a7822b9069bb2f3b2e140450e67edc568b7eb1481d4f9e51528231e7721cad983b7d