Analysis
- max time kernel: 121s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 13/02/2024, 05:42
- Static task static1
- Behavioral task behavioral1: sample 989e2858a22e471d98c520e5db5e9feb.exe, resource win7-20231129-en
- Behavioral task behavioral2: sample 989e2858a22e471d98c520e5db5e9feb.exe, resource win10v2004-20231215-en
General
- Target: 989e2858a22e471d98c520e5db5e9feb.exe
- Size: 1000KB
- MD5: 989e2858a22e471d98c520e5db5e9feb
- SHA1: 0bafa36addf965377fc96517bd85e2855da6a490
- SHA256: 56e633ded12bec1ff1a07fd6cf3343bd8af427411f7ca8d216e5d9adca214c38
- SHA512: 0595cecdb9caf4d704207e2ae42ee3d0b327697370e245b97c694065c0fca665aeb2dec0083c5c16dc7af450b6d6fd84e3a1ec4611adf1aa227b1a2f24fb5fa7
- SSDEEP: 24576:+n+WTLGHSkw68v+SQ0K3PTfk4a1B+5vMiqt0gj2ed:+n+WTqHSkw68v+SZKrczqOL
Malware Config
Signatures
- Deletes itself (1 IoC): PID 2296, 989e2858a22e471d98c520e5db5e9feb.exe
- Executes dropped EXE (1 IoC): PID 2296, 989e2858a22e471d98c520e5db5e9feb.exe
- Loads dropped DLL (1 IoC): PID 1936, 989e2858a22e471d98c520e5db5e9feb.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs): flow 5 pastebin.com; flow 7 pastebin.com
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC): PID 2296, 989e2858a22e471d98c520e5db5e9feb.exe
- Creates scheduled task(s) (1 TTP, 1 IoC): PID 2664, schtasks.exe. Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (1 IoC): PID 2296, 989e2858a22e471d98c520e5db5e9feb.exe
- Suspicious behavior: RenamesItself (1 IoC): PID 1936, 989e2858a22e471d98c520e5db5e9feb.exe
- Suspicious use of UnmapMainImage (2 IoCs): PID 1936, 989e2858a22e471d98c520e5db5e9feb.exe; PID 2296, 989e2858a22e471d98c520e5db5e9feb.exe
- Suspicious use of WriteProcessMemory (8 IoCs):
  - PID 1936 (989e2858a22e471d98c520e5db5e9feb.exe) wrote to memory of PID 2296, procid_target 20 (4 entries)
  - PID 2296 (989e2858a22e471d98c520e5db5e9feb.exe) wrote to memory of PID 2664, procid_target 19 (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\989e2858a22e471d98c520e5db5e9feb.exe (PID 1936, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\989e2858a22e471d98c520e5db5e9feb.exe"
  - Loads dropped DLL
  - Suspicious behavior: RenamesItself
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\989e2858a22e471d98c520e5db5e9feb.exe (PID 2296, depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\989e2858a22e471d98c520e5db5e9feb.exe
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\schtasks.exe (PID 2664, depth 1)
  Command line: schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\989e2858a22e471d98c520e5db5e9feb.exe" /TN Google_Trk_Updater /F
  - Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v15
Downloads