Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
140s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240215-en -
resource tags
arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system -
submitted
10/03/2024, 23:31
Static task
static1
Behavioral task
behavioral1
Sample
bf3e2b7e1d058aa6de1ed557e292814d.exe
Resource
win7-20240215-en
Behavioral task
behavioral2
Sample
bf3e2b7e1d058aa6de1ed557e292814d.exe
Resource
win10v2004-20240226-en
General
-
Target
bf3e2b7e1d058aa6de1ed557e292814d.exe
-
Size
208KB
-
MD5
bf3e2b7e1d058aa6de1ed557e292814d
-
SHA1
4dd55c8113abba9dfdc2374078f9790866ed6b64
-
SHA256
1a432f2085120f3804f9bf787187169e53084500636fe1bac92f092e15f66176
-
SHA512
1e56084deef7731471705e63a14f2f24d5432a50cd33977ec91c2a7079fcf420d248c2d2f2c2bfb6afb76b3ea4d1a51af319c27415d65a7c701f5f984c9393ae
-
SSDEEP
6144:ml0n6augQyP0JEO8q9B0h3X0uNVbXNADFS5uKA/TIB:xn6auC8Jl8qMhnxVb9ADFS5uzTI
Malware Config
Signatures
-
Executes dropped EXE 3 IoCs
pid Process 3000 u.dll 2732 u.dll 2912 mpress.exe -
Loads dropped DLL 6 IoCs
pid Process 2944 cmd.exe 2944 cmd.exe 2944 cmd.exe 2944 cmd.exe 2732 u.dll 2732 u.dll -
Suspicious use of WriteProcessMemory 20 IoCs
description pid Process procid_target PID 2740 wrote to memory of 2944 2740 bf3e2b7e1d058aa6de1ed557e292814d.exe 29 PID 2740 wrote to memory of 2944 2740 bf3e2b7e1d058aa6de1ed557e292814d.exe 29 PID 2740 wrote to memory of 2944 2740 bf3e2b7e1d058aa6de1ed557e292814d.exe 29 PID 2740 wrote to memory of 2944 2740 bf3e2b7e1d058aa6de1ed557e292814d.exe 29 PID 2944 wrote to memory of 3000 2944 cmd.exe 30 PID 2944 wrote to memory of 3000 2944 cmd.exe 30 PID 2944 wrote to memory of 3000 2944 cmd.exe 30 PID 2944 wrote to memory of 3000 2944 cmd.exe 30 PID 2944 wrote to memory of 2732 2944 cmd.exe 31 PID 2944 wrote to memory of 2732 2944 cmd.exe 31 PID 2944 wrote to memory of 2732 2944 cmd.exe 31 PID 2944 wrote to memory of 2732 2944 cmd.exe 31 PID 2732 wrote to memory of 2912 2732 u.dll 32 PID 2732 wrote to memory of 2912 2732 u.dll 32 PID 2732 wrote to memory of 2912 2732 u.dll 32 PID 2732 wrote to memory of 2912 2732 u.dll 32 PID 2944 wrote to memory of 2548 2944 cmd.exe 33 PID 2944 wrote to memory of 2548 2944 cmd.exe 33 PID 2944 wrote to memory of 2548 2944 cmd.exe 33 PID 2944 wrote to memory of 2548 2944 cmd.exe 33
Processes
-
C:\Users\Admin\AppData\Local\Temp\bf3e2b7e1d058aa6de1ed557e292814d.exe"C:\Users\Admin\AppData\Local\Temp\bf3e2b7e1d058aa6de1ed557e292814d.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2740 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\140D.tmp\vir.bat""2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2944 -
C:\Users\Admin\AppData\Local\Temp\u.dllu.dll -bat vir.bat -save bf3e2b7e1d058aa6de1ed557e292814d.exe.com -include s.dll -overwrite -nodelete3⤵
- Executes dropped EXE
PID:3000
-
-
C:\Users\Admin\AppData\Local\Temp\u.dllu.dll -bat vir.bat -save ose00000.exe.com -include s.dll -overwrite -nodelete3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\Users\Admin\AppData\Local\Temp\2FF6.tmp\mpress.exe"C:\Users\Admin\AppData\Local\Temp\2FF6.tmp\mpress.exe" "C:\Users\Admin\AppData\Local\Temp\exe2FF7.tmp"4⤵
- Executes dropped EXE
PID:2912
-
-
-
C:\Windows\SysWOW64\calc.exeCALC.EXE3⤵PID:2548
-
-
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5c967404114b059eff8c96c064cc4cc97
SHA1a193f6b4311ce38ea87f3c3999ff10f11d1e0659
SHA256aa583180492d35d6bbfabe582c263a3c682ab628cdddd8861ab765caf190e148
SHA512338cdfc682b23bc2ef2e6c3284e183160c2b3aa9ac4d15e8eab67c1c0c1bdfed871905df2161ebd8f7ff06cf4f0a065b76d7defb3239258b1de4a0707a1edaa6
-
Filesize
24KB
MD57cda353434725a4a3712954fd3ded290
SHA1d8348e79d6bcee527743b126026367d700ddb436
SHA2567e781837fa89a8ead0a14c14a7f2125a89bb7b33d2ccc358f6b8ad22924b5e86
SHA5124ac257fe8e0772adc8aa1a2626153c473554c341c025959dd994100c43e2cec274e8a532e0c1b5c0ecdf463733d25a63767b995b731ce272b1c7a3ad0820b95d
-
Filesize
41KB
MD57aa367dca7be65e07b16bd69f06263e3
SHA1d447739251408f8e8490a9d307927bfbe41737ce
SHA256738bf50547320b0683af727ad6d430f2e7b83c846fe24f91527b7ee263bfa076
SHA512d7884589d7d12a628c9e07b77b3b793fa91f67fe13563e7b072ca864e053e6b7d711852e30ae1c877576b8ad47f67d2826e8ee711e6b65a329baa57492fe31b3
-
Filesize
700KB
MD53c9568b0d86a865f9f73d9c0967cfdad
SHA13270df3e0e600f4df2c3cbc384837693a8a3a83e
SHA256c7b97a001b39e17382e929aad924555f3d21886b86aed38cffd660490801d1d6
SHA512bd423d1d57823b1bf6db42aeec199aa93178a9317ead85b42b60e091aaf4f73ce721bc07fda4750e112c4dccb9d87e21d5793965da9d6e92b0c5bed92c26876f
-
Filesize
1KB
MD5585482c70b7868d36ec7e7ef19da8dd3
SHA14939b633661c2c1e003a7afb54adec3e3a616ef6
SHA256c6b7c9c3551fc0744f3d4dc439b92a5395bf79858d755e3e4e586a17c6ea8560
SHA5128d38a91c821c1103efcf24dd84e5a9bd9ba724b4b7cf4d04efae1fc574cab3f181701b040725e52a6a19dea80aeaf4f3f46ffeeac1a70d0be5a903e041b2169f
-
Filesize
1KB
MD55f5477878b579b5f20971abac7e6a6ee
SHA188186a9a0765414b246ac3272480c9e27b3bab8c
SHA256fee4a02103f7dbc5a88525c0bbc92c9402e8c5f523993f23229ba90825276760
SHA512ce05f41cda138d94fd89f9f7328bf5ce0bb493a15d16123b457d182eab7f42b078fa5d62b40780efa9efa3ea7daef4c36fb5d6eae73bcebd29037d3b02ee877e
-
Filesize
100KB
MD5e42b81b9636152c78ba480c1c47d3c7f
SHA166a2fca3925428ee91ad9df5b76b90b34d28e0f8
SHA2567c24c72439880e502be51da5d991b9b56a1af242b4eef4737f0f43b4a87546d2
SHA5124b2986106325c5c3fe11ab460f646d4740eb85252aa191f2b84e29901fac146d7a82e31c72d39c38a70277f78278621ee506d9da2681f5019cd64c7df85cff6e