Analysis
  max time kernel: 122s
  max time network: 133s
  platform: windows7_x64
  resource: win7-20240221-en
  resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  submitted: 06/03/2024, 03:31
Behavioral task: behavioral1
  Sample: b666d3aaf2ff25eaf72baff9b1233162.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: b666d3aaf2ff25eaf72baff9b1233162.exe
  Resource: win10v2004-20240226-en
General
  Target: b666d3aaf2ff25eaf72baff9b1233162.exe
  Size: 2.9MB
  MD5: b666d3aaf2ff25eaf72baff9b1233162
  SHA1: 684492f8c37e4fedd4a244d14d0a8a1c63da20f3
  SHA256: 0071d9d96323fa3f340b657b251067051024dbcce475aae3c67005cd23dfb4ef
  SHA512: de74af2cd4a2cdf2569968497905ef4e89a8c6cc21ad5110c5c2765addec19fa0bd58615ab3bf526932c236e321f11f811446538494f7310ae8fdb99f19c3db3
  SSDEEP: 49152:G5514GLst9MHGk5/P/TNbmA4P4M338dB2IBlGuuDVUsdxxjeQZwxPYRKs:O52JmGk5/P/ZmA4gg3gnl/IVUs1jePs
Malware Config
Signatures
  Deletes itself (1 IoC)
    pid   Process
    2968  b666d3aaf2ff25eaf72baff9b1233162.exe
  Executes dropped EXE (1 IoC)
    pid   Process
    2968  b666d3aaf2ff25eaf72baff9b1233162.exe
  Loads dropped DLL (1 IoC)
    pid   Process
    1880  b666d3aaf2ff25eaf72baff9b1233162.exe
  YARA rule matches
    resource                                                                    yara_rule
    behavioral1/memory/1880-0-0x0000000000400000-0x00000000008EF000-memory.dmp  upx
    behavioral1/files/0x00040000000130fc-10.dat                                 upx
    behavioral1/files/0x00040000000130fc-14.dat                                 upx
    behavioral1/memory/2968-16-0x0000000000400000-0x00000000008EF000-memory.dmp upx
    behavioral1/files/0x00040000000130fc-12.dat                                 upx
  Suspicious behavior: RenamesItself (1 IoC)
    pid   Process
    1880  b666d3aaf2ff25eaf72baff9b1233162.exe
  Suspicious use of UnmapMainImage (2 IoCs)
    pid   Process
    1880  b666d3aaf2ff25eaf72baff9b1233162.exe
    2968  b666d3aaf2ff25eaf72baff9b1233162.exe
  Suspicious use of WriteProcessMemory (4 IoCs)
    description                       pid   Process                               procid_target
    PID 1880 wrote to memory of 2968  1880  b666d3aaf2ff25eaf72baff9b1233162.exe  28
    PID 1880 wrote to memory of 2968  1880  b666d3aaf2ff25eaf72baff9b1233162.exe  28
    PID 1880 wrote to memory of 2968  1880  b666d3aaf2ff25eaf72baff9b1233162.exe  28
    PID 1880 wrote to memory of 2968  1880  b666d3aaf2ff25eaf72baff9b1233162.exe  28
Processes
  C:\Users\Admin\AppData\Local\Temp\b666d3aaf2ff25eaf72baff9b1233162.exe  (depth 1)
    command line: "C:\Users\Admin\AppData\Local\Temp\b666d3aaf2ff25eaf72baff9b1233162.exe"
    - Loads dropped DLL
    - Suspicious behavior: RenamesItself
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID: 1880
    C:\Users\Admin\AppData\Local\Temp\b666d3aaf2ff25eaf72baff9b1233162.exe  (depth 2)
      command line: C:\Users\Admin\AppData\Local\Temp\b666d3aaf2ff25eaf72baff9b1233162.exe
      - Deletes itself
      - Executes dropped EXE
      - Suspicious use of UnmapMainImage
      PID: 2968
Network
MITRE ATT&CK Matrix
Downloads
  Filesize: 896KB
  MD5: ea22fb2b86a626dc80da3f5b27e5f60a
  SHA1: e2821ca43e5f048134f11cffc9a86a37c377831d
  SHA256: a984a941e4f93bf2e99db7f2d6a64240a33f9d107453de5544e32c787446b4a8
  SHA512: 44bf9c006ef78a595cc2489e585eaf63341194ac73c9d7ea97af02ee929813fbf909ee359f57c7c4b5f8ff23d3e779853fd26820ef8b22739395fffd01b4ae99

  Filesize: 2.6MB
  MD5: c9c200eb0766bfef521fc28970dacaf3
  SHA1: b3b9d87573c084a7c9bbcd8d167df7f26bc74e1a
  SHA256: c372d4e73405d8f8aa020c1cff864c1870a489e47a1ff70cec131543101cb436
  SHA512: 729306f8bf7f5fb0a8e00f38b9e54530c1fb64e7eaad0a6f35e2eb6dca43c49516320a7c7d8be431a6968e8635b1078d71e7b708509b944ee78221929123e013

  Filesize: 2.9MB
  MD5: d8f0a8316aac776b95e1bb34b22e91cc
  SHA1: ac7ffac97ff530abdc58a4a2d9de8dd56d318a63
  SHA256: f0312883f34a9ae6a850b7a5046678026c04a89d46f25bfc430a315cac56bf6b
  SHA512: ef654cacc2a26887ee50c3b34d20009058ad043d51649302ccb8959a83990aa09a6382ef24f598d37cbedede02962e2d9e2d01e5e4c41af484b0da746490e5f1