Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 122s
- max time network: 127s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 29/02/2024, 08:42
Behavioral task: behavioral1
- Sample: ae1f3bbd3e116661c35c4aaf7430472b.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: ae1f3bbd3e116661c35c4aaf7430472b.exe
- Resource: win10v2004-20240226-en
General
- Target: ae1f3bbd3e116661c35c4aaf7430472b.exe
- Size: 3.0MB
- MD5: ae1f3bbd3e116661c35c4aaf7430472b
- SHA1: b877f774a5a38c4c754b94dc98308dc900e07935
- SHA256: 0426b6382cb164e83c8198d8a5978099e177a55112180b321c7ebd6d3f102931
- SHA512: 72677c7ba8b607b35ed9c9ff44436ac82bf565e92c83d2f75aec0cf5ab9ec8ce535609bb212bbeae49dbd405067e99e67b2e04aa6d62ebff59473e372e957dc3
- SSDEEP: 49152:O3Suo2HNZz14C6DcakLVy5dv5sgpkB5+PcakLTSsiYMD4wPnQJcakLVy5dv5sgp4:O3k2HNt1scakhy595sgp9cak/SsiTD4M
Malware Config
Signatures
- Deletes itself (1 IoCs)
  pid 2100, process ae1f3bbd3e116661c35c4aaf7430472b.exe
- Executes dropped EXE (1 IoCs)
  pid 2100, process ae1f3bbd3e116661c35c4aaf7430472b.exe
- Loads dropped DLL (1 IoCs)
  pid 1740, process ae1f3bbd3e116661c35c4aaf7430472b.exe
- yara_rule matches
  resource behavioral1/memory/1740-0-0x0000000000400000-0x000000000065C000-memory.dmp, yara_rule upx
  resource behavioral1/files/0x0008000000012254-11.dat, yara_rule upx
  resource behavioral1/memory/2100-18-0x0000000000400000-0x000000000065C000-memory.dmp, yara_rule upx
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 1 IoCs)
  flow 2, ioc pastebin.com
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid 2624, process schtasks.exe
- Suspicious behavior: RenamesItself (1 IoCs)
  pid 1740, process ae1f3bbd3e116661c35c4aaf7430472b.exe
- Suspicious use of UnmapMainImage (2 IoCs)
  pid 1740, process ae1f3bbd3e116661c35c4aaf7430472b.exe
  pid 2100, process ae1f3bbd3e116661c35c4aaf7430472b.exe
- Suspicious use of WriteProcessMemory (16 IoCs)
  description: PID 1740 wrote to memory of 2100; pid 1740, process ae1f3bbd3e116661c35c4aaf7430472b.exe, procid_target 29
  description: PID 1740 wrote to memory of 2100; pid 1740, process ae1f3bbd3e116661c35c4aaf7430472b.exe, procid_target 29
  description: PID 1740 wrote to memory of 2100; pid 1740, process ae1f3bbd3e116661c35c4aaf7430472b.exe, procid_target 29
  description: PID 1740 wrote to memory of 2100; pid 1740, process ae1f3bbd3e116661c35c4aaf7430472b.exe, procid_target 29
  description: PID 2100 wrote to memory of 2624; pid 2100, process ae1f3bbd3e116661c35c4aaf7430472b.exe, procid_target 30
  description: PID 2100 wrote to memory of 2624; pid 2100, process ae1f3bbd3e116661c35c4aaf7430472b.exe, procid_target 30
  description: PID 2100 wrote to memory of 2624; pid 2100, process ae1f3bbd3e116661c35c4aaf7430472b.exe, procid_target 30
  description: PID 2100 wrote to memory of 2624; pid 2100, process ae1f3bbd3e116661c35c4aaf7430472b.exe, procid_target 30
  description: PID 2100 wrote to memory of 2840; pid 2100, process ae1f3bbd3e116661c35c4aaf7430472b.exe, procid_target 32
  description: PID 2100 wrote to memory of 2840; pid 2100, process ae1f3bbd3e116661c35c4aaf7430472b.exe, procid_target 32
  description: PID 2100 wrote to memory of 2840; pid 2100, process ae1f3bbd3e116661c35c4aaf7430472b.exe, procid_target 32
  description: PID 2100 wrote to memory of 2840; pid 2100, process ae1f3bbd3e116661c35c4aaf7430472b.exe, procid_target 32
  description: PID 2840 wrote to memory of 2568; pid 2840, process cmd.exe, procid_target 34
  description: PID 2840 wrote to memory of 2568; pid 2840, process cmd.exe, procid_target 34
  description: PID 2840 wrote to memory of 2568; pid 2840, process cmd.exe, procid_target 34
  description: PID 2840 wrote to memory of 2568; pid 2840, process cmd.exe, procid_target 34
Processes
- C:\Users\Admin\AppData\Local\Temp\ae1f3bbd3e116661c35c4aaf7430472b.exe (depth 1, PID:1740)
  command line: "C:\Users\Admin\AppData\Local\Temp\ae1f3bbd3e116661c35c4aaf7430472b.exe"
  - Loads dropped DLL
  - Suspicious behavior: RenamesItself
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\ae1f3bbd3e116661c35c4aaf7430472b.exe (depth 2, PID:2100)
    command line: C:\Users\Admin\AppData\Local\Temp\ae1f3bbd3e116661c35c4aaf7430472b.exe
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe (depth 3, PID:2624)
      command line: schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\ae1f3bbd3e116661c35c4aaf7430472b.exe" /TN ymuVbjyg4de6 /F
      - Creates scheduled task(s)
    - C:\Windows\SysWOW64\cmd.exe (depth 3, PID:2840)
      command line: cmd.exe /c schtasks.exe /Query /XML /TN ymuVbjyg4de6 > C:\Users\Admin\AppData\Local\Temp\pOycVPjrV.xml
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\schtasks.exe (depth 4, PID:2568)
        command line: schtasks.exe /Query /XML /TN ymuVbjyg4de6
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: fbec6363e7fde51399f7afc24fb79a35
  SHA1: 92515bca3a34ae74068c2de45219f79225873d8f
  SHA256: 53c260046cb45392ed90875d14b925d6449b3a32ff6f957639122b4e859ebe82
  SHA512: 0e071f6808f0802546a644407984f23d33bd9c8e91529857f25e334f4928172e9310a9eb5f133459e1a672720648834f4e357389d7b7ca670656b6b3f18b641f
- Filesize: 3.0MB
  MD5: 48033ef10a8532d7b3dde2d8c41b9cc9
  SHA1: 894737e723f6ffa5e7e0f7c7cc96007400ca6e91
  SHA256: af4f3d47e11865bb19c329582f82714799117803013385e665c13a4e0744a6c6
  SHA512: a9dcde3066bbeb39a14a6551a3a637e719029e9584cf9b915f9d2ea8b87e07807a42dcc109d0ff2a59a58c52b3f4f087891d6e69ebae4a325f44ee168ade1c65