Analysis
max time kernel: 119s
max time network: 153s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 09/03/2024, 18:18
Behavioral task: behavioral1
Sample: bc7b7e679a5598f910b9fc68f897c4fc.exe
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: bc7b7e679a5598f910b9fc68f897c4fc.exe
Resource: win10v2004-20240226-en
General
Target: bc7b7e679a5598f910b9fc68f897c4fc.exe
Size: 5.3MB
MD5: bc7b7e679a5598f910b9fc68f897c4fc
SHA1: 5856b4e7de854de30a7d5837c54a88a7215f3871
SHA256: 6e2a1e8a8d8777da63255e153e611ba2826b5b565b40d27500bb0c0ae2e1f573
SHA512: 467441176d4cc28aa1208ce0f798c0266fc71a8104989957eb1d8d17a336f4651d856e4ae398a4359f583ee317e72e5e271a4134ce0f338a0f2281ad6b5459fc
SSDEEP: 98304:sxNE4wL0HVRGst2HAutVBGubFAHFDpLgutGDYNbycHVRGst2HAutVBGubFAHj:s/En0zXtsAutVlZAXUutGDYUczXtsAu8
Malware Config
Signatures
Deletes itself (1 IoCs)
  pid   Process
  1840  bc7b7e679a5598f910b9fc68f897c4fc.exe
Executes dropped EXE (1 IoCs)
  pid   Process
  1840  bc7b7e679a5598f910b9fc68f897c4fc.exe
Loads dropped DLL (1 IoCs)
  pid   Process
  2160  bc7b7e679a5598f910b9fc68f897c4fc.exe
UPX yara matches (6 IoCs)
  resource                                                                     yara_rule
  behavioral1/memory/2160-0-0x0000000000400000-0x00000000008E7000-memory.dmp   upx
  behavioral1/files/0x000700000001225f-10.dat                                  upx
  behavioral1/files/0x000700000001225f-15.dat                                  upx
  behavioral1/memory/1840-16-0x0000000000400000-0x00000000008E7000-memory.dmp  upx
  behavioral1/memory/2160-14-0x0000000003CA0000-0x0000000004187000-memory.dmp  upx
  behavioral1/files/0x000700000001225f-12.dat                                  upx
Suspicious behavior: RenamesItself (1 IoCs)
  pid   Process
  2160  bc7b7e679a5598f910b9fc68f897c4fc.exe
Suspicious use of UnmapMainImage (2 IoCs)
  pid   Process
  2160  bc7b7e679a5598f910b9fc68f897c4fc.exe
  1840  bc7b7e679a5598f910b9fc68f897c4fc.exe
Suspicious use of WriteProcessMemory (4 IoCs)
  description                        pid   Process                               procid_target
  PID 2160 wrote to memory of 1840   2160  bc7b7e679a5598f910b9fc68f897c4fc.exe  27
  PID 2160 wrote to memory of 1840   2160  bc7b7e679a5598f910b9fc68f897c4fc.exe  27
  PID 2160 wrote to memory of 1840   2160  bc7b7e679a5598f910b9fc68f897c4fc.exe  27
  PID 2160 wrote to memory of 1840   2160  bc7b7e679a5598f910b9fc68f897c4fc.exe  27
Processes
C:\Users\Admin\AppData\Local\Temp\bc7b7e679a5598f910b9fc68f897c4fc.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\bc7b7e679a5598f910b9fc68f897c4fc.exe"
  PID: 2160
  - Loads dropped DLL
  - Suspicious behavior: RenamesItself
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\bc7b7e679a5598f910b9fc68f897c4fc.exe (child of PID 2160)
    Command line: C:\Users\Admin\AppData\Local\Temp\bc7b7e679a5598f910b9fc68f897c4fc.exe
    PID: 1840
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of UnmapMainImage
Network
MITRE ATT&CK Matrix
Downloads
Filesize: 1.3MB
MD5: 3bb058ac74c2d734c5d8b73b751a90ef
SHA1: b38d19ed3100a5016e7fd1ba62fbcd6bd87ef463
SHA256: 99eb760b867b4f711b3a11b71b406aa88e747808e6634ae9c8a3ed4556118d38
SHA512: 033ac8d10ce4b9b4b7455464000e1a5d4211ec2711e7bdbc60f88fa5153354c1cd2b6ccaa0d90f2362f2178385b5bd78b928a7d3353ff374c0d3cbbd95856137

Filesize: 4.1MB
MD5: bc6325ed4b6370522e1045b7a2a3ab8e
SHA1: 01d9ee95109f2173cad42a21e05daf2c5d316359
SHA256: 21c64f1d81b3ac52c822ba202bc699dde781ff9ffaa6519c2d60bd1947508bc6
SHA512: 25f73dfdcce588f7b24ed808c5cfdbdba289b91b9a82d418a4ca51ab3f95c6c4cddea98299a3184cb82b4e182598a0369894e39c45d5d7c2486338a8357076fc

Filesize: 4.9MB
MD5: cd2a3a9a59a5f62d1081e4185d2a043f
SHA1: 17e48df63a6248e1d37b7013b4619eca13520a5a
SHA256: 527e1294fa15cb1a0ba2e5b44c33601b9113df951e25e4ebb11981c7e5886b1f
SHA512: a5064b39b13dcd60e87c0ecb60378761fe6efcbfeb3426a3eb6b6cf27d84a869e5817eeeb418b2e1786c7e68721ac37bdfbb4b414e9954aaa67de4cf193b5948