Analysis
- max time kernel: 119s
- max time network: 124s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 06/02/2024, 04:12
Behavioral task: behavioral1
- Sample: 93ca71fa068d7177651e2750a371d350.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 93ca71fa068d7177651e2750a371d350.exe
- Resource: win10v2004-20231215-en
General
- Target: 93ca71fa068d7177651e2750a371d350.exe
- Size: 5.8MB
- MD5: 93ca71fa068d7177651e2750a371d350
- SHA1: 4c797370bcaa40652c7d28ecbe325dbd37775e2d
- SHA256: 6977a07ebd1e5168eb18849c675fd2ff2c24a1cc5a0230d48d9d31dc95d45fdb
- SHA512: 67ef8d10bf904f193eeff75c8082ef2db10128e8b02819dfb39ece2f1a355b60eab9d1f454096222d5764f9524a529d08ffb226ceddfd41c9bcd027499f10ea7
- SSDEEP: 98304:pOSH193+vtrRW4HBUCczzM3dnEprLuV94HBUCczzM3:J0VDWCBeuMWC
Malware Config
- Extracted: gozi
Signatures
- Deletes itself (1 IoC)
  pid   Process
  3016  93ca71fa068d7177651e2750a371d350.exe
- Executes dropped EXE (1 IoC)
  pid   Process
  3016  93ca71fa068d7177651e2750a371d350.exe
- Loads dropped DLL (1 IoC)
  pid   Process
  1984  93ca71fa068d7177651e2750a371d350.exe
- UPX yara_rule matches
  resource                                                                     yara_rule
  behavioral1/memory/1984-0-0x0000000000400000-0x00000000008EF000-memory.dmp   upx
  behavioral1/files/0x000800000000b529-10.dat                                  upx
  behavioral1/files/0x000800000000b529-13.dat                                  upx
  behavioral1/memory/3016-16-0x0000000000400000-0x00000000008EF000-memory.dmp  upx
- Suspicious behavior: RenamesItself (1 IoC)
  pid   Process
  1984  93ca71fa068d7177651e2750a371d350.exe
- Suspicious use of UnmapMainImage (2 IoCs)
  pid   Process
  1984  93ca71fa068d7177651e2750a371d350.exe
  3016  93ca71fa068d7177651e2750a371d350.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description                        pid   Process                               procid_target
  PID 1984 wrote to memory of 3016   1984  93ca71fa068d7177651e2750a371d350.exe  28
  PID 1984 wrote to memory of 3016   1984  93ca71fa068d7177651e2750a371d350.exe  28
  PID 1984 wrote to memory of 3016   1984  93ca71fa068d7177651e2750a371d350.exe  28
  PID 1984 wrote to memory of 3016   1984  93ca71fa068d7177651e2750a371d350.exe  28
Processes
1. C:\Users\Admin\AppData\Local\Temp\93ca71fa068d7177651e2750a371d350.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\93ca71fa068d7177651e2750a371d350.exe"
   PID: 1984
   - Loads dropped DLL
   - Suspicious behavior: RenamesItself
   - Suspicious use of UnmapMainImage
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\93ca71fa068d7177651e2750a371d350.exe (child of PID 1984)
      Command line: C:\Users\Admin\AppData\Local\Temp\93ca71fa068d7177651e2750a371d350.exe
      PID: 3016
      - Deletes itself
      - Executes dropped EXE
      - Suspicious use of UnmapMainImage
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 1.8MB
  MD5: c818ce5a87a0c6a8b8bfb20ceaee824b
  SHA1: 37cd0a7cef71cc919bf2ee1f1576157f02cfb4b5
  SHA256: a4e81f93e59acc5117fd0165e9ec236e8eac3214ee102f02827c82bdeae94820
  SHA512: d2e6e1038ac5eff01a8f482dc52d49258299758d8829fda13d33fcbb0f1e7bb21994835ee3ecf093ac0250934381317d990c34ede2a58b53d44761196e484aed
- Filesize: 2.0MB
  MD5: 1ffada7e158bad21db7e9ff816152479
  SHA1: 52bf4ecc841dac327856f2b0eb3f6ec306216c19
  SHA256: 47255a988930f2b7d7ea6afe1aa0d2c074fbab2e78e9330aafa331ed3da440ce
  SHA512: 6dd8706b1269050ebf02e48fbd2fea903bddea48cee908078b45b2bb66f5dfe3978c90e381047e01cbe5ebddf2c85be162f8f822a47987236b550d9f36938d40