Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 121s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64 arch:x86 image:win7-20231129-en locale:en-us os:windows7-x64 system
- submitted: 14/02/2024, 16:54
Behavioral task: behavioral1
- Sample: 9c2f2a802bdb164a5af227b7549ec806.exe
- Resource: win7-20231129-en
General
- Target: 9c2f2a802bdb164a5af227b7549ec806.exe
- Size: 784KB
- MD5: 9c2f2a802bdb164a5af227b7549ec806
- SHA1: 0b008ff1a18f954568da59b16497d87428b62c54
- SHA256: 12d2f681c6950ee43a28ddced3741761f0fcf85827c3a52c2701bd9ce0bd5ed1
- SHA512: f304f3acb4e110121965b18e26896823f2f0113f1317775867c511b755704d005863724aa915e1ae6f53c1c8b0cbd36e587f865e235029dfed1dbad0f41e66a7
- SSDEEP: 24576:KR/l8p/TiOJwpykYvbfpEF00w856j9p1Bl:KR/lW/3JwEkIbREF00d6j9p1
Malware Config
Signatures
- XMRig Miner payload (7 IoCs)
  resource | yara_rule
  behavioral1/memory/780-1-0x0000000000400000-0x0000000000593000-memory.dmp | xmrig
  behavioral1/memory/780-14-0x0000000000400000-0x0000000000593000-memory.dmp | xmrig
  behavioral1/memory/1916-19-0x0000000000400000-0x0000000000593000-memory.dmp | xmrig
  behavioral1/memory/1916-26-0x00000000030A0000-0x0000000003233000-memory.dmp | xmrig
  behavioral1/memory/1916-24-0x0000000000400000-0x0000000000587000-memory.dmp | xmrig
  behavioral1/memory/1916-35-0x0000000000400000-0x0000000000587000-memory.dmp | xmrig
  behavioral1/memory/1916-34-0x00000000005A0000-0x000000000071F000-memory.dmp | xmrig
- Deletes itself (1 IoC)
  pid | Process
  1916 | 9c2f2a802bdb164a5af227b7549ec806.exe
- Executes dropped EXE (1 IoC)
  pid | Process
  1916 | 9c2f2a802bdb164a5af227b7549ec806.exe
- Loads dropped DLL (1 IoC)
  pid | Process
  780 | 9c2f2a802bdb164a5af227b7549ec806.exe
- UPX yara matches
  resource | yara_rule
  behavioral1/memory/780-0-0x0000000000400000-0x0000000000712000-memory.dmp | upx
  behavioral1/files/0x000900000001447e-10.dat | upx
  behavioral1/memory/780-15-0x0000000003220000-0x0000000003532000-memory.dmp | upx
  behavioral1/memory/1916-17-0x0000000000400000-0x0000000000712000-memory.dmp | upx
- Suspicious behavior: RenamesItself (1 IoC)
  pid | Process
  780 | 9c2f2a802bdb164a5af227b7549ec806.exe
- Suspicious use of UnmapMainImage (2 IoCs)
  pid | Process
  780 | 9c2f2a802bdb164a5af227b7549ec806.exe
  1916 | 9c2f2a802bdb164a5af227b7549ec806.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target
  PID 780 wrote to memory of 1916 | 780 | 9c2f2a802bdb164a5af227b7549ec806.exe | 29
  PID 780 wrote to memory of 1916 | 780 | 9c2f2a802bdb164a5af227b7549ec806.exe | 29
  PID 780 wrote to memory of 1916 | 780 | 9c2f2a802bdb164a5af227b7549ec806.exe | 29
  PID 780 wrote to memory of 1916 | 780 | 9c2f2a802bdb164a5af227b7549ec806.exe | 29
Processes
- C:\Users\Admin\AppData\Local\Temp\9c2f2a802bdb164a5af227b7549ec806.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\9c2f2a802bdb164a5af227b7549ec806.exe"
  PID: 780
  - Loads dropped DLL
  - Suspicious behavior: RenamesItself
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Users\Admin\AppData\Local\Temp\9c2f2a802bdb164a5af227b7549ec806.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\9c2f2a802bdb164a5af227b7549ec806.exe
    PID: 1916
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of UnmapMainImage
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 784KB
- MD5: 2f5bb8203358a3b879895c6f61ae340c
- SHA1: a7aed7c1b0e4d29e57e297a9558595bc405e4583
- SHA256: d0beea21424d22791a7ed064297d1e0fbd6372c58dd461f8c2ff808dcd8170f1
- SHA512: e97a90ebdd3cd0c14c547433d64c008d07c61901e6dfccc0f73404d6921e172e92c9f392eb3ace149c34f000b46f75ce040c6600915ea3d86a4a7fa42c50472c