Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 117s
max time network: 122s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 10/03/2024, 16:31
Behavioral task behavioral1
Sample: bf13a6c376b5a1496e188dd07a47dfbe.exe
Resource: win7-20231129-en
Behavioral task behavioral2
Sample: bf13a6c376b5a1496e188dd07a47dfbe.exe
Resource: win10v2004-20240226-en
General
Target: bf13a6c376b5a1496e188dd07a47dfbe.exe
Size: 1.3MB
MD5: bf13a6c376b5a1496e188dd07a47dfbe
SHA1: 4fb44812189a6a7685437de91361482c5fd469ed
SHA256: 2ae7a48bcf7930076298cd9a181de3bc83effe79699eea4e17cac316ec02dd25
SHA512: a48ef8c77bb1ffb026666eed717b72a074254481cfd7833d0fa9c9176c0d6659689f16e9b2c3af3b0daad4f51bc12c570474a1885655811cfe7d03dda10576e5
SSDEEP: 24576:zE3BsSSdWQXZgzGdhH7nmNmZtr+HObuHzrzNSqOUbXXBVgePcNUd09dEU9/9Us:zE3iBdWQXukJmN0eOizrzYkLxp0R9j
Malware Config
Signatures
Deletes itself (1 IoC)
  pid 2948  Process bf13a6c376b5a1496e188dd07a47dfbe.exe
Executes dropped EXE (1 IoC)
  pid 2948  Process bf13a6c376b5a1496e188dd07a47dfbe.exe
Loads dropped DLL (1 IoC)
  pid 2884  Process bf13a6c376b5a1496e188dd07a47dfbe.exe
  resource / yara_rule:
    behavioral1/memory/2884-0-0x0000000000400000-0x00000000008E7000-memory.dmp  upx
    behavioral1/files/0x00090000000146c0-10.dat  upx
Suspicious behavior: RenamesItself (1 IoC)
  pid 2884  Process bf13a6c376b5a1496e188dd07a47dfbe.exe
Suspicious use of UnmapMainImage (2 IoCs)
  pid 2884  Process bf13a6c376b5a1496e188dd07a47dfbe.exe
  pid 2948  Process bf13a6c376b5a1496e188dd07a47dfbe.exe
Suspicious use of WriteProcessMemory (4 IoCs)
  description                        pid   Process                                   procid_target
  PID 2884 wrote to memory of 2948   2884  bf13a6c376b5a1496e188dd07a47dfbe.exe      28
  PID 2884 wrote to memory of 2948   2884  bf13a6c376b5a1496e188dd07a47dfbe.exe      28
  PID 2884 wrote to memory of 2948   2884  bf13a6c376b5a1496e188dd07a47dfbe.exe      28
  PID 2884 wrote to memory of 2948   2884  bf13a6c376b5a1496e188dd07a47dfbe.exe      28
Processes
C:\Users\Admin\AppData\Local\Temp\bf13a6c376b5a1496e188dd07a47dfbe.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\bf13a6c376b5a1496e188dd07a47dfbe.exe"
  - Loads dropped DLL
  - Suspicious behavior: RenamesItself
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID: 2884
  C:\Users\Admin\AppData\Local\Temp\bf13a6c376b5a1496e188dd07a47dfbe.exe (depth 2, child of PID 2884)
    Command line: C:\Users\Admin\AppData\Local\Temp\bf13a6c376b5a1496e188dd07a47dfbe.exe
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of UnmapMainImage
    PID: 2948
Network
MITRE ATT&CK Matrix
Downloads
Filesize: 1.3MB
MD5: fca7b836c8bbfacefc705104b7912a66
SHA1: 0a185d0e5200df719b7250cb0e8e7d8eec7d6940
SHA256: fd4a800fec2a002deef89dc0310845efb5bb59911046314dc862d9dfbfb4a81a
SHA512: 3d6d7a3ba4b1e5fc719640b00ad22488504513dca9db1a66df92fffb03e56d6918d31532fdeebc739013334b1402a366f97017f759795d3fc6a4fa953d172743