Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 117s
- max time network: 127s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 13/03/2024, 14:31
Behavioral task: behavioral1
- Sample: c61d23cdfcb1361604e5cf7a8917fa2f.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: c61d23cdfcb1361604e5cf7a8917fa2f.exe
- Resource: win10v2004-20240226-en
General
- Target: c61d23cdfcb1361604e5cf7a8917fa2f.exe
- Size: 4.8MB
- MD5: c61d23cdfcb1361604e5cf7a8917fa2f
- SHA1: a737e6f4e1dca4708c988f8788bd29f8142f44bb
- SHA256: c3b5677bcc4eca780769484da27129c6c700f58ec451037b48459c1997db843b
- SHA512: d6dac9a2f45b55b72fea84db1fb92c4569ac1c5b6c30583fd59d60a8e66198e64dd2514cc0aed9673cd97f2c4fcc6721bb0c4de7954a2e43c152fa61708e68fc
- SSDEEP: 98304:chIFZZbRdgg3gnl/IVUs1jeCB1HuUuN1EJgg3gnl/IVUs1jr:cugl/iBBB1hm1Wgl/iBP
Malware Config
Signatures
- Deletes itself (1 IoC)
  pid 2500, Process c61d23cdfcb1361604e5cf7a8917fa2f.exe
- Executes dropped EXE (1 IoC)
  pid 2500, Process c61d23cdfcb1361604e5cf7a8917fa2f.exe
- Loads dropped DLL (1 IoC)
  pid 1752, Process c61d23cdfcb1361604e5cf7a8917fa2f.exe
- YARA rule matches (yara_rule: upx)
  resource behavioral1/memory/1752-1-0x0000000000400000-0x00000000008EF000-memory.dmp, yara_rule upx
  resource behavioral1/files/0x0009000000012226-13.dat, yara_rule upx
  resource behavioral1/files/0x0009000000012226-10.dat, yara_rule upx
  resource behavioral1/memory/2500-16-0x0000000000400000-0x00000000008EF000-memory.dmp, yara_rule upx
- Suspicious behavior: RenamesItself (1 IoC)
  pid 1752, Process c61d23cdfcb1361604e5cf7a8917fa2f.exe
- Suspicious use of UnmapMainImage (2 IoCs)
  pid 1752, Process c61d23cdfcb1361604e5cf7a8917fa2f.exe
  pid 2500, Process c61d23cdfcb1361604e5cf7a8917fa2f.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description: PID 1752 wrote to memory of 2500; pid 1752; Process c61d23cdfcb1361604e5cf7a8917fa2f.exe; procid_target 28
  description: PID 1752 wrote to memory of 2500; pid 1752; Process c61d23cdfcb1361604e5cf7a8917fa2f.exe; procid_target 28
  description: PID 1752 wrote to memory of 2500; pid 1752; Process c61d23cdfcb1361604e5cf7a8917fa2f.exe; procid_target 28
  description: PID 1752 wrote to memory of 2500; pid 1752; Process c61d23cdfcb1361604e5cf7a8917fa2f.exe; procid_target 28
Processes
- C:\Users\Admin\AppData\Local\Temp\c61d23cdfcb1361604e5cf7a8917fa2f.exe (PID:1752)
  Command line: "C:\Users\Admin\AppData\Local\Temp\c61d23cdfcb1361604e5cf7a8917fa2f.exe"
  - Loads dropped DLL
  - Suspicious behavior: RenamesItself
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\c61d23cdfcb1361604e5cf7a8917fa2f.exe (PID:2500, child of PID 1752)
    Command line: C:\Users\Admin\AppData\Local\Temp\c61d23cdfcb1361604e5cf7a8917fa2f.exe
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of UnmapMainImage
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 768KB
  MD5: 5a51e6dc9523a25c7c4a2eaf39d56def
  SHA1: 664fc02afc10649f2922e621290b3716dc10cdf6
  SHA256: 9261cf5a17a5c57697d05062dfa916947c81fc2fb0738994fe3336cbe32c8898
  SHA512: 91d1e2bfa294ee8bb4886eb3fcc04c5d6e0f0ca6a6c416f1352966018b46e883bb57a38c59019569bb0475c9b915631e8fdb7a26c9dc82d3f30e5ea1d3442ea4
- Filesize: 3.7MB
  MD5: eb95124b1c0d74557f0978b426ae6dda
  SHA1: ec6e75a3c60393aa80e0617179f39dd05e44b7a6
  SHA256: de4bc6f0462cb5aaff0ec277778206035f46b3732f9c03e37c04edfb01b28025
  SHA512: 51daa5547789ae58cd189ab6952d9e1279982b91cb9014ca559016ed738fb24038f120d38c71a11c12139ec447cdda2e401fa6b8362e31cd7eaf55ae9ba89c0d