Analysis
- max time kernel: 150s
- max time network: 125s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 04/03/2024, 14:05
Behavioral task: behavioral1
- Sample: b250c62b3f1da424611acaf3ab5621ce.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: b250c62b3f1da424611acaf3ab5621ce.exe
- Resource: win10v2004-20240226-en
General
- Target: b250c62b3f1da424611acaf3ab5621ce.exe
- Size: 11KB
- MD5: b250c62b3f1da424611acaf3ab5621ce
- SHA1: a43ebdf943903fd5ac8d9cf890239218e6b5ce86
- SHA256: 4d4648899888a3eab3c24681b9478ec172d1605a2a4d8d7a1c6e939b4739e8eb
- SHA512: 5d42c443102f3d8bcb793d591a6dca79d045897ba275aa27f4733a767f534192c847cda480a99011888f9e32bdbad26650d4534a71bf765e18860b1b35e1ffcf
- SSDEEP: 192:0aww1AUaE0Pmr6iZTK+jZWPFfn6Kv1e1Box18KkNLPS7bg:JAK0PmOiZTZItnf1UB6GKkNL6Pg
Malware Config
Signatures
- Modifies AppInit DLL entries (2 TTPs)
- Deletes itself (1 IoC)
  - pid 2024, process cmd.exe
- Executes dropped EXE (1 IoC)
  - pid 2040, process zfashlk.exe
- Loads dropped DLL (2 IoCs)
  - pid 2240, process b250c62b3f1da424611acaf3ab5621ce.exe (2 identical entries)
- YARA rule matches (resource / yara_rule)
  - behavioral1/memory/2240-0-0x0000000000400000-0x000000000040E000-memory.dmp: upx
  - behavioral1/files/0x0007000000016d84-3.dat: upx
  - behavioral1/memory/2240-4-0x0000000000240000-0x000000000024E000-memory.dmp: upx
  - behavioral1/memory/2040-12-0x0000000000400000-0x000000000040E000-memory.dmp: upx
  - behavioral1/memory/2240-13-0x0000000000400000-0x000000000040E000-memory.dmp: upx
- Drops file in System32 directory (3 IoCs; description / ioc / process)
  - File created: C:\Windows\SysWOW64\zfashlk.exe, by b250c62b3f1da424611acaf3ab5621ce.exe
  - File opened for modification: C:\Windows\SysWOW64\zfashlk.exe, by b250c62b3f1da424611acaf3ab5621ce.exe
  - File created: C:\Windows\SysWOW64\zfashl.dll, by b250c62b3f1da424611acaf3ab5621ce.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  - pid 2240, process b250c62b3f1da424611acaf3ab5621ce.exe
- Suspicious use of WriteProcessMemory (8 IoCs; description / pid / process / procid_target)
  - PID 2240 wrote to memory of 2040, process b250c62b3f1da424611acaf3ab5621ce.exe, procid_target 30 (4 identical entries)
  - PID 2240 wrote to memory of 2024, process b250c62b3f1da424611acaf3ab5621ce.exe, procid_target 31 (4 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\b250c62b3f1da424611acaf3ab5621ce.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b250c62b3f1da424611acaf3ab5621ce.exe"
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2240
  - C:\Windows\SysWOW64\zfashlk.exe (child)
    Command line: C:\Windows\system32\zfashlk.exe ˜‰
    - Executes dropped EXE
    PID: 2040
  - C:\Windows\SysWOW64\cmd.exe (child)
    Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\b250c62b3f1da424611acaf3ab5621ce.exe.bat
    - Deletes itself
    PID: 2024
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 182B
  MD5: 4abb5163230be467435a2827f3b68eb8
  SHA1: 5d2019d79979f71474b25f0aecae903a7d73b2ce
  SHA256: 284679f68ed1de52106de7ed96dfe033ea1132f2873ed5a18fc9f5a72b3e21b7
  SHA512: bd62daa58d797ce87a255e931dec507a4c583c5693f679703d932666ff266e5f0c4d8ed16e8d1a309a2d3f2f29debe30dc32589409ab9dfa7cf6f8cdcd49e377
- Filesize: 11KB
  MD5: b250c62b3f1da424611acaf3ab5621ce
  SHA1: a43ebdf943903fd5ac8d9cf890239218e6b5ce86
  SHA256: 4d4648899888a3eab3c24681b9478ec172d1605a2a4d8d7a1c6e939b4739e8eb
  SHA512: 5d42c443102f3d8bcb793d591a6dca79d045897ba275aa27f4733a767f534192c847cda480a99011888f9e32bdbad26650d4534a71bf765e18860b1b35e1ffcf