Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 149s
max time network: 120s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
submitted: 13/03/2024, 17:08
Behavioral task
behavioral1
Sample
01ae502f888424cdc5d5066e06043e187fbc928e7edb610cd6b1b034908f72c5.exe
Resource
win7-20240221-en
General
-
Target
01ae502f888424cdc5d5066e06043e187fbc928e7edb610cd6b1b034908f72c5.exe
-
Size
420KB
-
MD5
3477f317276bf2d4ed1a92ece69b7c18
-
SHA1
87baec845ee28b294a49dc3368de06c1a63f524f
-
SHA256
01ae502f888424cdc5d5066e06043e187fbc928e7edb610cd6b1b034908f72c5
-
SHA512
cb5111df85eec1cd0fee5c77ebc5a09cecff07bcef19c22ae0d5abf918b8a835e68fa9faaee5a0e8c93bc38c027ac660d84b37e78a76490630e9ea0474c866cb
-
SSDEEP
6144:UzU7blKaP2iCWhWapKRaRXOkN4Swel6f3IsInODGY:uU7M5ijWh0XOW4sEfeOn
Malware Config
Extracted
urelas
218.54.31.226
218.54.31.165
Signatures
resource: behavioral1/files/0x0004000000004ed7-26.dat
yara_rule: aspack_v212_v242
Deletes itself 1 IoCs
pid 1956 cmd.exe
Executes dropped EXE 2 IoCs
pid 1212 cisyz.exe
pid 1640 gyrol.exe
Loads dropped DLL 3 IoCs
pid 1724 01ae502f888424cdc5d5066e06043e187fbc928e7edb610cd6b1b034908f72c5.exe
pid 1724 01ae502f888424cdc5d5066e06043e187fbc928e7edb610cd6b1b034908f72c5.exe
pid 1212 cisyz.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 54 IoCs
pid 1640 gyrol.exe (54 entries, all from pid 1640 gyrol.exe)
Suspicious use of WriteProcessMemory 12 IoCs
description | pid Process | procid_target
PID 1724 wrote to memory of 1212 | 1724 01ae502f888424cdc5d5066e06043e187fbc928e7edb610cd6b1b034908f72c5.exe | 28 (listed 4 times)
PID 1724 wrote to memory of 1956 | 1724 01ae502f888424cdc5d5066e06043e187fbc928e7edb610cd6b1b034908f72c5.exe | 29 (listed 4 times)
PID 1212 wrote to memory of 1640 | 1212 cisyz.exe | 33 (listed 4 times)
Processes
C:\Users\Admin\AppData\Local\Temp\01ae502f888424cdc5d5066e06043e187fbc928e7edb610cd6b1b034908f72c5.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\01ae502f888424cdc5d5066e06043e187fbc928e7edb610cd6b1b034908f72c5.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1724
    C:\Users\Admin\AppData\Local\Temp\cisyz.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\cisyz.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      PID:1212
        C:\Users\Admin\AppData\Local\Temp\gyrol.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\gyrol.exe"
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          PID:1640
    C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
      - Deletes itself
      PID:1956
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
340B
MD5 86c780808e3c6d7581e2acdb8b80cee4
SHA1 696e0054037417e2e149dceb1c5d5f162bcde5aa
SHA256 fed1d2ceccbc04813bd3c04ca974b9f9452697e3fd5b09e8500a917430318d89
SHA512 6faf7d56ef2e9b10119e9f4c64d53e001ea6346f925badb3b4d8b993579e828a6b006bd576af486a3f3d9efb1da5eb61903d83900a63a76d201ca087d51c788e
-
Filesize
512B
MD5 f8f82dd5433fc21d1d74982e045d46fa
SHA1 15e99e7017cd52fdcb6685845617d1654ee7f34a
SHA256 9f4ab79474754b0c3917940eb76052c52e0b62772b45cfdb7d9924fd80ea78f5
SHA512 2caac6ac9dafdffb9e9c7c675bba7cfb016de50d4441b2dd623449c14f5f2669996bb31977464236c9cbf0c418e248730b9923ffc1c4d53a3dfd411ee01953ab
-
Filesize
420KB
MD5 ab5df41a26911bfc1881b91b9b036a70
SHA1 9474176271e7dbb6b83a39d86fa2c2434074e49e
SHA256 b54c60bf057b11c5b45dc64993eab191b15e4f9a0a4e64353b29ca1f8c2deb3a
SHA512 6fe66234d214b4cd9ab50a10d25fa743242d62e48af30ddaac8de355973f22ca0a97475a1ef7e2a0322c15477417b45c8478e9108b7855f8f97ac5cdc79cc46e
-
Filesize
212KB
MD5 5e83e1ea74bbdf4b7c348fa38c04ecac
SHA1 8a3a413a72cc55759702764ed34b348878538aff
SHA256 3c905d9abe0305da5ed4dd21d9187e76b9c313a457f69b1fe30f9889852aff7f
SHA512 a9f643ee293c047af9a3010c8783725d605c54d59b96c0ec3d0af8da35c5ff033b01646b3709a35c7917f309e8ab2ad0a548c7c661661df110537922a2b97b7e