Analysis
Max time kernel: 150s
Max time network: 155s
Platform: windows10-2004_x64
Resource: win10v2004-20231215-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 06/02/2024, 15:35
Static task: static1 (1 signature)
Behavioral task: behavioral1
  Sample: 94e0e16592795ed3bc3a276710711384.exe
  Resource: win7-20231215-en
  Signatures: 5
  Duration: 150 seconds
General
Target: 94e0e16592795ed3bc3a276710711384.exe
Size: 200KB
MD5: 94e0e16592795ed3bc3a276710711384
SHA1: bb3aea39464fb0762d47fe8b479c74b447889761
SHA256: 88e078a07a8fd47f46bd1eea28cd80182c87d3bf3fa6119baafaaa554f719f74
SHA512: 6d77006e22866990ac5ef5a296ec3d20aadce5fa85eb00aece9e7bb8ccb044411a810d77a3bfd2d333fe4ebd1617539334dd5ff05f08eb5f8a6737b56517dce4
SSDEEP: 6144:317R4t23DRTWWdMpLruRv+F5MsFfaHGGbyvM:T+cDRCWdM9SRveFfa5yvM
Malware Config
Extracted family: gozi
Signatures

Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 2984 set thread context of 1960 | 2984 | 94e0e16592795ed3bc3a276710711384.exe | 84

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
1960 | 94e0e16592795ed3bc3a276710711384.exe
1960 | 94e0e16592795ed3bc3a276710711384.exe

Suspicious use of SetWindowsHookEx (1 IoC)
pid | Process
2984 | 94e0e16592795ed3bc3a276710711384.exe

Suspicious use of WriteProcessMemory (12 IoCs)
description | pid | Process | procid_target
PID 2984 wrote to memory of 1960 | 2984 | 94e0e16592795ed3bc3a276710711384.exe | 84
PID 2984 wrote to memory of 1960 | 2984 | 94e0e16592795ed3bc3a276710711384.exe | 84
PID 2984 wrote to memory of 1960 | 2984 | 94e0e16592795ed3bc3a276710711384.exe | 84
PID 2984 wrote to memory of 1960 | 2984 | 94e0e16592795ed3bc3a276710711384.exe | 84
PID 2984 wrote to memory of 1960 | 2984 | 94e0e16592795ed3bc3a276710711384.exe | 84
PID 2984 wrote to memory of 1960 | 2984 | 94e0e16592795ed3bc3a276710711384.exe | 84
PID 2984 wrote to memory of 1960 | 2984 | 94e0e16592795ed3bc3a276710711384.exe | 84
PID 2984 wrote to memory of 1960 | 2984 | 94e0e16592795ed3bc3a276710711384.exe | 84
PID 1960 wrote to memory of 3340 | 1960 | 94e0e16592795ed3bc3a276710711384.exe | 85
PID 1960 wrote to memory of 3340 | 1960 | 94e0e16592795ed3bc3a276710711384.exe | 85
PID 1960 wrote to memory of 3340 | 1960 | 94e0e16592795ed3bc3a276710711384.exe | 85
PID 1960 wrote to memory of 3460 | 1960 | 94e0e16592795ed3bc3a276710711384.exe | 36
Processes (process tree, indented by depth)

1. C:\Windows\Explorer.EXE
   Command line: C:\Windows\Explorer.EXE
   PID: 3460

   2. C:\Users\Admin\AppData\Local\Temp\94e0e16592795ed3bc3a276710711384.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\94e0e16592795ed3bc3a276710711384.exe"
      PID: 2984
      Signatures: Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\94e0e16592795ed3bc3a276710711384.exe
         Command line: C:\Users\Admin\AppData\Local\Temp\94e0e16592795ed3bc3a276710711384.exe
         PID: 1960
         Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory

         4. C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
            PID: 3340