Analysis
  max time kernel: 120s
  max time network: 121s
  platform: windows7_x64
  resource: win7-20231215-en
  resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  submitted: 06/02/2024, 08:37
Behavioral task: behavioral1
  Sample: 94463c7bd67b1478fd80bc2b5e7ae2ae.exe
  Resource: win7-20231215-en

Behavioral task: behavioral2
  Sample: 94463c7bd67b1478fd80bc2b5e7ae2ae.exe
  Resource: win10v2004-20231215-en
General
  Target: 94463c7bd67b1478fd80bc2b5e7ae2ae.exe
  Size: 2.7MB
  MD5: 94463c7bd67b1478fd80bc2b5e7ae2ae
  SHA1: 2846dfcd6a8f0fc40341d3133bb84ba049a0fee4
  SHA256: 026e7311280d3c6a06a979ae465de42a8b7cd99e0b0ac7d6e11eb071b441b56b
  SHA512: afe778d3cb8dd07f5163946635f5d4539479539453766b0e2f5e5c183ebe7ac0bc1dc47c1a1402c547972c56cdbe2493c79f042411a8eb1cc85d4a02b6a0b537
  SSDEEP: 49152:cWrky6fuV5uziGgkXAcj3VFqJRx2Xr3qhrR9o334bIRbaLTtir8wV4jfUwLmy2pP:3vpV5u2UAOVFqJRx0r3qhrHq4bGaLTto
Malware Config
Signatures
Deletes itself (1 IoCs)
  pid 2840  Process 94463c7bd67b1478fd80bc2b5e7ae2ae.exe

Executes dropped EXE (1 IoCs)
  pid 2840  Process 94463c7bd67b1478fd80bc2b5e7ae2ae.exe

Loads dropped DLL (1 IoCs)
  pid 3032  Process 94463c7bd67b1478fd80bc2b5e7ae2ae.exe

resource / yara_rule
  behavioral1/memory/3032-0-0x0000000000400000-0x00000000008E7000-memory.dmp  upx
  behavioral1/files/0x000a00000001224c-10.dat  upx
  behavioral1/files/0x000a00000001224c-12.dat  upx
  behavioral1/files/0x000a00000001224c-15.dat  upx

Suspicious behavior: RenamesItself (1 IoCs)
  pid 3032  Process 94463c7bd67b1478fd80bc2b5e7ae2ae.exe

Suspicious use of UnmapMainImage (2 IoCs)
  pid 3032  Process 94463c7bd67b1478fd80bc2b5e7ae2ae.exe
  pid 2840  Process 94463c7bd67b1478fd80bc2b5e7ae2ae.exe

Suspicious use of WriteProcessMemory (4 IoCs)
  description                        pid   Process                               procid_target
  PID 3032 wrote to memory of 2840   3032  94463c7bd67b1478fd80bc2b5e7ae2ae.exe  28
  PID 3032 wrote to memory of 2840   3032  94463c7bd67b1478fd80bc2b5e7ae2ae.exe  28
  PID 3032 wrote to memory of 2840   3032  94463c7bd67b1478fd80bc2b5e7ae2ae.exe  28
  PID 3032 wrote to memory of 2840   3032  94463c7bd67b1478fd80bc2b5e7ae2ae.exe  28
Processes
  1. C:\Users\Admin\AppData\Local\Temp\94463c7bd67b1478fd80bc2b5e7ae2ae.exe
     Command line: "C:\Users\Admin\AppData\Local\Temp\94463c7bd67b1478fd80bc2b5e7ae2ae.exe"
     PID: 3032
       - Loads dropped DLL
       - Suspicious behavior: RenamesItself
       - Suspicious use of UnmapMainImage
       - Suspicious use of WriteProcessMemory

     2. C:\Users\Admin\AppData\Local\Temp\94463c7bd67b1478fd80bc2b5e7ae2ae.exe (child of PID 3032)
        Command line: C:\Users\Admin\AppData\Local\Temp\94463c7bd67b1478fd80bc2b5e7ae2ae.exe
        PID: 2840
          - Deletes itself
          - Executes dropped EXE
          - Suspicious use of UnmapMainImage
Network
MITRE ATT&CK Matrix
Downloads
  Filesize: 1.3MB
  MD5: 520d9f14863254b2a361107670850b89
  SHA1: c6f8f7b72c1aaa230a5e8b4616e9f0139e9607e7
  SHA256: 14f733791555d87b8f06680beb690483352427a7e1642548253b48258ba75a72
  SHA512: 6e0661d4c29f755827b9bd7cb254d347effbf634e1efb8d436e186c280c5806daa5b2d42c94081d230bd29f75aefd4e4cfd423af64f2f5e8e274960f3ce35492

  Filesize: 1.9MB
  MD5: bdb6677e10bd571204fef064c552c1da
  SHA1: 997c2ad89279da8b1ba6fd605937a386a56d0f7f
  SHA256: a83c39994bf65b3ec2465998a52a321ca2c9703387f6453b1a62a032896e0d8f
  SHA512: 604f3f232c6726264e96b6577db9cdf69ba69ee284dd6e09f831ec656cae141f632ad1f68c867fa7751d67d068e5abdbd38819bc11e17341c2ce488e3f9a5303

  Filesize: 803KB
  MD5: f5203311d848310bc6303ed1fec84a11
  SHA1: 2c85bda0054ad5eae489a58cea7ad52184904bbf
  SHA256: 38c4befff0c635709f2c7a8a2978a060a2ebea91f71d92887775d487a4d250af
  SHA512: 6d8c621d2df49a568ea598305dc043f3bb2b6de3cb29d8553e77c5d66cf2b07ad78b74ba8b42e0429926cac296958c0e27d690fccb5d2bb19a5bbaf71adf8eea