Analysis
max time kernel: 145s
max time network: 158s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06/02/2024, 14:17
Behavioral task: behavioral1
Sample: 94b7c515d1c9edc9bfe0c0980021cc17.exe
Resource: win7-20231215-en
General
Target: 94b7c515d1c9edc9bfe0c0980021cc17.exe
Size: 1.5MB
MD5: 94b7c515d1c9edc9bfe0c0980021cc17
SHA1: 164832858c0c26b1188d1aaac55b4f180ff4f3e3
SHA256: d5ca776c15dfec6e77bea6489f12c012f2d40a56dfa5e1f1ab3c9bc7515dec8e
SHA512: ca8c264ef37d72bac0db2a314b889fd9e41a6d6ec4f92b0b290ca7923b6680195737da53f9d1b38ded9495bee2834885fff84ef4681d649d497f4bafdda4276d
SSDEEP: 24576:Sgnq+l4ueaS/xQzXrcCEcsNPgZRJ1nVnCxnz2eN0bbzDJW:L5DbAQz7fAhgZVNCxubz9
Malware Config
Extracted: gozi
Signatures
Deletes itself (1 IoCs)
  pid 3324  94b7c515d1c9edc9bfe0c0980021cc17.exe
Executes dropped EXE (1 IoCs)
  pid 3324  94b7c515d1c9edc9bfe0c0980021cc17.exe
resource yara_rule (3 matches)
  behavioral2/memory/5092-0-0x0000000000400000-0x00000000008EF000-memory.dmp  upx
  behavioral2/files/0x00070000000231ff-11.dat  upx
  behavioral2/memory/3324-13-0x0000000000400000-0x00000000008EF000-memory.dmp  upx
Suspicious behavior: RenamesItself (1 IoCs)
  pid 5092  94b7c515d1c9edc9bfe0c0980021cc17.exe
Suspicious use of UnmapMainImage (2 IoCs)
  pid 5092  94b7c515d1c9edc9bfe0c0980021cc17.exe
  pid 3324  94b7c515d1c9edc9bfe0c0980021cc17.exe
Suspicious use of WriteProcessMemory (3 IoCs)
  description                          pid   Process                                   procid_target
  PID 5092 wrote to memory of 3324     5092  94b7c515d1c9edc9bfe0c0980021cc17.exe      17
  PID 5092 wrote to memory of 3324     5092  94b7c515d1c9edc9bfe0c0980021cc17.exe      17
  PID 5092 wrote to memory of 3324     5092  94b7c515d1c9edc9bfe0c0980021cc17.exe      17
Processes
1. C:\Users\Admin\AppData\Local\Temp\94b7c515d1c9edc9bfe0c0980021cc17.exe (PID 5092)
   command line: "C:\Users\Admin\AppData\Local\Temp\94b7c515d1c9edc9bfe0c0980021cc17.exe"
   - Suspicious behavior: RenamesItself
   - Suspicious use of UnmapMainImage
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\94b7c515d1c9edc9bfe0c0980021cc17.exe (PID 3324, child of PID 5092)
      command line: C:\Users\Admin\AppData\Local\Temp\94b7c515d1c9edc9bfe0c0980021cc17.exe
      - Deletes itself
      - Executes dropped EXE
      - Suspicious use of UnmapMainImage
Downloads
Filesize: 20KB
MD5: 9a4eca23f4046b7906608cc2d48a9d48
SHA1: 3e7cdf59d9e66ab884a137999f14cdfa7ee657c3
SHA256: b1a47750c0f04e225589b58ef8b7a24a998f8d34cf7047e962b33274ea7bce24
SHA512: 8fb76eb09d508f563064781c8b8722b0a5a3d4dfcf43020301c82b2c9812658c8f09715d1cc135ea6f4e16ff5dc9a2fba7453ab8c24c9ec3fdd9009332cd1d48