Analysis
max time kernel: 119s
max time network: 123s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 06/02/2024, 13:20
Static task: static1
Behavioral task: behavioral1
Sample: 94991507c04f29915d7afeb6a1ce2c0b.exe
Resource: win7-20231215-en
General
Target: 94991507c04f29915d7afeb6a1ce2c0b.exe
Size: 429KB
MD5: 94991507c04f29915d7afeb6a1ce2c0b
SHA1: bb71a4a11a793cd6e4554e6cfa415bc93509599d
SHA256: 0369d29e8f8ac8c5408ade862673a5220f39e9f79cf68ad4d0e692c843e3ff9f
SHA512: b1df63faa49c0f5aed4973375e2b70da477126f1b651418be038ba66ddadee7e89cf20db56504e0d8d42a01490cc6312613c72e82056ed1ade4af6693df734b0
SSDEEP: 12288:gErZ1tp5Be+DDqzzATxOife+iOANdt8DKxvqcldx/oVIY:gE9x5bXE8oif9U8DKRqEdx/x
Malware Config
Extracted: gozi
10030
jscallowallowallowjcli.me
disallowjscuserallow.pw
build: 215790
dga_base_url: z1.zedo.com/robots.txt
dga_crc: 0x246640bb
exe_type: worker
server_id: 12
Signatures

Deletes itself (1 IoC)
  pid 2788  amxrerop.exe

Executes dropped EXE (1 IoC)
  pid 2788  amxrerop.exe

Loads dropped DLL (2 IoCs)
  pid 2792  cmd.exe
  pid 2792  cmd.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\cmdisnap = "C:\\Users\\Admin\\AppData\\Roaming\\Audiedit\\amxrerop.exe"
  process: 94991507c04f29915d7afeb6a1ce2c0b.exe

Suspicious use of SetThreadContext (2 IoCs)
  PID 2788 (amxrerop.exe) set thread context of PID 2724; procid_target 32
  PID 2724 (svchost.exe) set thread context of PID 1244; procid_target 15

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid 2788  amxrerop.exe
  pid 1244  Explorer.EXE

Suspicious behavior: MapViewOfSection (2 IoCs)
  pid 2788  amxrerop.exe
  pid 2724  svchost.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  pid 1244  Explorer.EXE

Suspicious use of WriteProcessMemory (22 IoCs; identical events collapsed, count in parentheses)
  PID 1688 (94991507c04f29915d7afeb6a1ce2c0b.exe) wrote to memory of PID 2340; procid_target 28  (4 events)
  PID 2340 (cmd.exe) wrote to memory of PID 2792; procid_target 30  (4 events)
  PID 2792 (cmd.exe) wrote to memory of PID 2788; procid_target 31  (4 events)
  PID 2788 (amxrerop.exe) wrote to memory of PID 2724; procid_target 32  (7 events)
  PID 2724 (svchost.exe) wrote to memory of PID 1244; procid_target 15  (3 events)
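The "Adds Run key to start application" IoC above is the persistence artefact of this run (MITRE ATT&CK T1547.001, Registry Run Keys / Startup Folder): the dropper writes an HKCU Run value that points at its renamed copy under AppData\Roaming. As an added example, not part of the report and not tria.ge's own tooling, the Python below parses that IoC string exactly as the sandbox prints it (native \REGISTRY\USER\<SID> path, backslashes doubled inside the value), maps it to its hive, and applies the two checks a responder would want: is the autostart binary in a directory an unprivileged user can write to, and was the key written by a process other than the binary it launches. The SecurityHealth entry is a constructed benign case for contrast; the function and field names are mine.

```python
# Constructed input: the Run-key IoC as the report prints it (the sandbox doubles
# backslashes inside the value), plus the process the report names as the writer.
RUN_KEY_IOC = (
    r'\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000'
    r'\Software\Microsoft\Windows\CurrentVersion\Run\cmdisnap = '
    r'"C:\\Users\\Admin\\AppData\\Roaming\\Audiedit\\amxrerop.exe"'
)
RUN_KEY_WRITER = '94991507c04f29915d7afeb6a1ce2c0b.exe'

# Constructed benign entry (not from the report) so the check has a negative case.
BENIGN_IOC = (
    r'\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth = '
    r'"C:\\Windows\\system32\\SecurityHealthSystray.exe"'
)

# Directories an unprivileged user can write to: an autostart binary placed here
# needed no admin rights to plant, which is itself a signal.
USER_WRITABLE = ('\\appdata\\roaming\\', '\\appdata\\local\\',
                 '\\programdata\\', '\\users\\public\\')
HIVES = {'USER': 'HKU', 'MACHINE': 'HKLM'}   # native hive name -> usual abbreviation


def basename(path: str) -> str:
    """Last component of a Windows path, lower-cased (works on any host OS)."""
    return path.rsplit('\\', 1)[-1].lower()


def split_command(value: str):
    """Split a Run value into (executable, arguments), honouring a quoted image path."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        if end != -1:
            return value[1:end], value[end + 1:].strip()
    head, _, rest = value.partition(' ')
    return head, rest


def assess_run_key(ioc: str, writer: str = None) -> dict:
    """Parse one 'Set value (str)' IoC line and decide whether the autostart entry looks planted."""
    key_path, _, raw_value = ioc.partition(' = ')
    key, _, name = key_path.rpartition('\\')
    parts = key.split('\\')            # ['', 'REGISTRY', 'USER', '<SID>', 'Software', ...]
    hive = parts[2] if len(parts) > 2 else ''
    sid = parts[3] if hive == 'USER' and len(parts) > 3 else None
    value = raw_value.strip().replace('\\\\', '\\')   # undo the sandbox's escaping
    exe, args = split_command(value)

    reasons = []
    if any(d in exe.lower() for d in USER_WRITABLE):
        reasons.append('autostart binary lives in a user-writable directory')
    if writer and basename(writer) != basename(exe):
        reasons.append(f'key written by {writer}, not by the autostart binary itself')

    return {
        'hive': HIVES.get(hive, hive), 'sid': sid, 'name': name,
        'exe': exe, 'args': args, 'reasons': reasons, 'suspicious': bool(reasons),
    }


if __name__ == '__main__':
    for ioc, writer in ((RUN_KEY_IOC, RUN_KEY_WRITER), (BENIGN_IOC, None)):
        r = assess_run_key(ioc, writer)
        verdict = 'SUSPICIOUS' if r['suspicious'] else 'ok'
        print(f"{r['hive']} ...\\Run\\{r['name']} -> {r['exe']}: {verdict} {r['reasons']}")
```

The same two checks transfer directly to live telemetry (Sysmon event 13 on the Run keys, with the writing image in the event) and to a triage script run over an exported hive; the per-user hive also tells you the entry survives only for that SID, which is where to look on the host.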
Processes

1. C:\Windows\Explorer.EXE (PID 1244)
   command line: C:\Windows\Explorer.EXE
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx

   2. C:\Users\Admin\AppData\Local\Temp\94991507c04f29915d7afeb6a1ce2c0b.exe (PID 1688)
      command line: "C:\Users\Admin\AppData\Local\Temp\94991507c04f29915d7afeb6a1ce2c0b.exe"
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\cmd.exe (PID 2340)
         command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\85B4\42DA.bat" "C:\Users\Admin\AppData\Roaming\Audiedit\amxrerop.exe" "C:\Users\Admin\AppData\Local\Temp\949915~1.EXE""
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\SysWOW64\cmd.exe (PID 2792)
            command line: cmd /C ""C:\Users\Admin\AppData\Roaming\Audiedit\amxrerop.exe" "C:\Users\Admin\AppData\Local\Temp\949915~1.EXE""
            - Loads dropped DLL
            - Suspicious use of WriteProcessMemory

            5. C:\Users\Admin\AppData\Roaming\Audiedit\amxrerop.exe (PID 2788)
               command line: "C:\Users\Admin\AppData\Roaming\Audiedit\amxrerop.exe" "C:\Users\Admin\AppData\Local\Temp\949915~1.EXE"
               - Deletes itself
               - Executes dropped EXE
               - Suspicious use of SetThreadContext
               - Suspicious behavior: EnumeratesProcesses
               - Suspicious behavior: MapViewOfSection
               - Suspicious use of WriteProcessMemory

               6. C:\Windows\system32\svchost.exe (PID 2724)
                  command line: C:\Windows\system32\svchost.exe
                  - Suspicious use of SetThreadContext
                  - Suspicious behavior: MapViewOfSection
                  - Suspicious use of WriteProcessMemory
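Read together with the SetThreadContext and WriteProcessMemory IoCs, the tree describes the whole chain: the sample runs cmd.exe on a .bat in %TEMP% that relaunches it from a copy in AppData\Roaming with the original's 8.3 path as an argument (the copy is the process the report tags "Deletes itself"); the copy starts svchost.exe and sets its thread context (7 memory writes into it, against 4 for each ordinary parent-to-child creation elsewhere in this tree), which is the process-hollowing pattern; and the hollowed svchost then writes into and sets a thread context in the already-running Explorer.EXE. As an added example (my code, not tria.ge's), the Python below encodes the tree and the two SetThreadContext events as constructed data taken from the report and applies three checks a detection engineer would write from it: svchost.exe with a parent other than services.exe, cmd.exe executing a Temp .bat whose arguments name an executable in a user-writable directory, and SetThreadContext into a child the source created (hollowing) versus into a foreign process (thread hijacking). Rule names and the finding format are mine.

```python
import re

# Constructed from the report's process tree: (pid, parent pid, image path, command line).
PROCESSES = [
    (1244, None, r'C:\Windows\Explorer.EXE', r'C:\Windows\Explorer.EXE'),
    (1688, 1244, r'C:\Users\Admin\AppData\Local\Temp\94991507c04f29915d7afeb6a1ce2c0b.exe',
     r'"C:\Users\Admin\AppData\Local\Temp\94991507c04f29915d7afeb6a1ce2c0b.exe"'),
    (2340, 1688, r'C:\Windows\SysWOW64\cmd.exe',
     r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\85B4\42DA.bat" '
     r'"C:\Users\Admin\AppData\Roaming\Audiedit\amxrerop.exe" '
     r'"C:\Users\Admin\AppData\Local\Temp\949915~1.EXE""'),
    (2792, 2340, r'C:\Windows\SysWOW64\cmd.exe',
     r'cmd /C ""C:\Users\Admin\AppData\Roaming\Audiedit\amxrerop.exe" '
     r'"C:\Users\Admin\AppData\Local\Temp\949915~1.EXE""'),
    (2788, 2792, r'C:\Users\Admin\AppData\Roaming\Audiedit\amxrerop.exe',
     r'"C:\Users\Admin\AppData\Roaming\Audiedit\amxrerop.exe" '
     r'"C:\Users\Admin\AppData\Local\Temp\949915~1.EXE"'),
    (2724, 2788, r'C:\Windows\system32\svchost.exe', r'C:\Windows\system32\svchost.exe'),
]
# SetThreadContext events from the Signatures section: (source pid, target pid).
SET_THREAD_CONTEXT = [(2788, 2724), (2724, 1244)]

USER_WRITABLE = ('\\appdata\\roaming\\', '\\appdata\\local\\',
                 '\\programdata\\', '\\users\\public\\')


def basename(path: str) -> str:
    """Last component of a Windows path, lower-cased (works on any host OS)."""
    return path.rsplit('\\', 1)[-1].lower()


def analyze(processes, thread_context_events):
    """Return findings as dicts {rule, pid, detail[, target]} for the given tree and events."""
    by_pid = {p[0]: p for p in processes}
    findings = []
    for pid, ppid, image, cmdline in processes:
        parent = by_pid.get(ppid)
        parent_name = basename(parent[2]) if parent else 'unknown'
        name = basename(image)

        # Rule 1: services.exe is the only legitimate parent of svchost.exe; any other
        # parent means something else launched the image (here: created it to hollow it).
        if name == 'svchost.exe' and parent_name != 'services.exe':
            findings.append({'rule': 'svchost_unexpected_parent', 'pid': pid,
                             'detail': f'parent is {parent_name} (pid {ppid})'})

        # Rule 2: cmd.exe running a .bat from %TEMP% whose quoted arguments name an
        # executable in a user-writable directory: the relocate-and-delete stager pattern.
        if name == 'cmd.exe':
            tokens = [t.lower() for t in re.findall(r'"([^"]+)"', cmdline)]
            bats = [t for t in tokens if t.endswith('.bat') and '\\appdata\\local\\temp\\' in t]
            exes = [t for t in tokens if t.endswith('.exe') and any(d in t for d in USER_WRITABLE)]
            if bats and exes:
                findings.append({'rule': 'temp_bat_relocates_payload', 'pid': pid,
                                 'detail': f'{bats[0]} -> {exes}'})

    # Rule 3: SetThreadContext across processes. Into a child the source created is
    # hollowing that child; into any other process is hijacking a thread in a live process.
    for src, dst in thread_context_events:
        target = by_pid.get(dst)
        own_child = target is not None and target[1] == src
        src_name = basename(by_pid[src][2]) if src in by_pid else str(src)
        dst_name = basename(target[2]) if target else str(dst)
        findings.append({
            'rule': 'hollow_own_child' if own_child else 'inject_into_foreign_process',
            'pid': src, 'target': dst, 'detail': f'{src_name} -> {dst_name}',
        })
    return findings


if __name__ == '__main__':
    for f in analyze(PROCESSES, SET_THREAD_CONTEXT):
        print(f"[{f['rule']}] pid {f['pid']}: {f['detail']}")
```

On this tree the four findings are the svchost.exe child of amxrerop.exe, the cmd.exe line carrying 42DA.bat, the hollowing of svchost.exe by its parent, and the injection from svchost.exe into Explorer.EXE. The same three rules map onto Sysmon process-creation events (parent image and command line) plus an EDR's thread-context or remote-thread telemetry.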
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 112B
MD5: 25ed7e258d74edf77d9f17725d88ddf8
SHA1: 727cc6cfe22b941d45f9aaae9ca49c0f4fdb44fe
SHA256: 89de0f0678f1d1d3f924589fbf24c5ef9f517d45db65a922291e553009a19962
SHA512: 9fd6cec31f46daccf0a1d3692353803d37a864332e898b0e38f0cf21a4a63cc5537d0001f1d70247f9eaccaa5de6bc98964553fd7065a79b8f827d4e30913db3

Filesize: 429KB (identical hashes to the submitted sample)
MD5: 94991507c04f29915d7afeb6a1ce2c0b
SHA1: bb71a4a11a793cd6e4554e6cfa415bc93509599d
SHA256: 0369d29e8f8ac8c5408ade862673a5220f39e9f79cf68ad4d0e692c843e3ff9f
SHA512: b1df63faa49c0f5aed4973375e2b70da477126f1b651418be038ba66ddadee7e89cf20db56504e0d8d42a01490cc6312613c72e82056ed1ade4af6693df734b0