Analysis
  max time kernel: 140s
  max time network: 118s
  platform: windows7_x64
  resource: win7-20240221-en
  resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  submitted: 12/03/2024, 16:00
Behavioral task: behavioral1
  Sample: c3c49ba1f06fca8a8b0b43c09f02711d.exe
  Resource: win7-20240221-en
  3 signatures
  150 seconds

Behavioral task: behavioral2
  Sample: c3c49ba1f06fca8a8b0b43c09f02711d.exe
  Resource: win10v2004-20240226-en
  2 signatures
  150 seconds
General
  Target: c3c49ba1f06fca8a8b0b43c09f02711d.exe
  Size: 9KB
  MD5: c3c49ba1f06fca8a8b0b43c09f02711d
  SHA1: 9edc8837f7d70828f39744408f9f3158853b0333
  SHA256: 32c2b7bbc4c7aa1e4c3c4512512bc5e0995c27884f1e484f57a9a9299c8d6dc9
  SHA512: 2667ff0c67ae09193cad370aa7134e417b150d9347e9a4895fa1151be00d7518a7cae67d616333fe6716c809bdb43b9a17f3de747be5dd46dabc974ecce9694a
  SSDEEP: 96:r2Q9dAIgfheyX7NY27MqHn2WfnamnQ4LIB/sWn/KPJAmwhhlkqRnKsmMf9ka:JXAFJdq2/faNns0/KPSr+qknCJ

Score: 8/10
Malware Config
Signatures
- Adds policy Run key to start application (2 TTPs, 2 IoCs)
  description      | ioc                                                                                                                                                  | Process
  Key created      | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\explorer\run                                                                     | c3c49ba1f06fca8a8b0b43c09f02711d.exe
  Set value (str)  | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\this = "C:\\Users\\Admin\\AppData\\Local\\Temp\\c3c49ba1f06fca8a8b0b43c09f02711d.exe" | c3c49ba1f06fca8a8b0b43c09f02711d.exe

- resource                                                                   | yara_rule
  behavioral1/memory/2156-0-0x0000000000400000-0x000000000040A000-memory.dmp | upx

- Suspicious use of WriteProcessMemory (4 IoCs)
  description                         | pid  | Process                              | procid_target
  PID 2156 wrote to memory of 3016    | 2156 | c3c49ba1f06fca8a8b0b43c09f02711d.exe | 28
  PID 2156 wrote to memory of 3016    | 2156 | c3c49ba1f06fca8a8b0b43c09f02711d.exe | 28
  PID 2156 wrote to memory of 3016    | 2156 | c3c49ba1f06fca8a8b0b43c09f02711d.exe | 28
  PID 2156 wrote to memory of 3016    | 2156 | c3c49ba1f06fca8a8b0b43c09f02711d.exe | 28
Processes
  1. C:\Users\Admin\AppData\Local\Temp\c3c49ba1f06fca8a8b0b43c09f02711d.exe
     Command line: "C:\Users\Admin\AppData\Local\Temp\c3c49ba1f06fca8a8b0b43c09f02711d.exe"
     PID: 2156
     - Adds policy Run key to start application
     - Suspicious use of WriteProcessMemory
       2. C:\Windows\SysWOW64\ctfmon.exe
          Command line: ctfmon.exe
          PID: 3016