Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 119s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 18/03/2024, 21:06
Behavioral task: behavioral1
- Sample: d4878bf517b84e49c3377adb1ad8038d.exe
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: d4878bf517b84e49c3377adb1ad8038d.exe
- Resource: win10v2004-20240226-en
General
- Target: d4878bf517b84e49c3377adb1ad8038d.exe
- Size: 2.9MB
- MD5: d4878bf517b84e49c3377adb1ad8038d
- SHA1: 4c4164f543d64416962598f4ce0e3289dfd4b36e
- SHA256: 230e5141831452d7f1c26a2640ab4018dd8b3078719d75c7729b0c08b2b29a4f
- SHA512: 1c50f6f2571c33d86bf052dba01607e98fb34549241c8aea421c1a00790058a274d989b5dda3d528f4ebf7881de6070f8450173525ac0f8df76d7475f5a6878a
- SSDEEP: 49152:nmh2LMvCzI4FieFUSfJxt7N74NH5HUyNRcUsCVOzetdZJ:nmoLMviI4iCUkt4HBUCczzM3
Malware Config
Signatures
- Deletes itself (1 IoCs)
  pid | Process
  2204 | d4878bf517b84e49c3377adb1ad8038d.exe
- Executes dropped EXE (1 IoCs)
  pid | Process
  2204 | d4878bf517b84e49c3377adb1ad8038d.exe
- Loads dropped DLL (1 IoCs)
  pid | Process
  2820 | d4878bf517b84e49c3377adb1ad8038d.exe
- resource | yara_rule
  behavioral1/memory/2820-0-0x0000000000400000-0x00000000008EF000-memory.dmp | upx
  behavioral1/files/0x000a000000013a21-12.dat | upx
  behavioral1/files/0x000a000000013a21-10.dat | upx
  behavioral1/files/0x000a000000013a21-15.dat | upx
  behavioral1/memory/2204-17-0x0000000000400000-0x00000000008EF000-memory.dmp | upx
- Suspicious behavior: RenamesItself (1 IoCs)
  pid | Process
  2820 | d4878bf517b84e49c3377adb1ad8038d.exe
- Suspicious use of UnmapMainImage (2 IoCs)
  pid | Process
  2820 | d4878bf517b84e49c3377adb1ad8038d.exe
  2204 | d4878bf517b84e49c3377adb1ad8038d.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target
  PID 2820 wrote to memory of 2204 | 2820 | d4878bf517b84e49c3377adb1ad8038d.exe | 28
  PID 2820 wrote to memory of 2204 | 2820 | d4878bf517b84e49c3377adb1ad8038d.exe | 28
  PID 2820 wrote to memory of 2204 | 2820 | d4878bf517b84e49c3377adb1ad8038d.exe | 28
  PID 2820 wrote to memory of 2204 | 2820 | d4878bf517b84e49c3377adb1ad8038d.exe | 28
Processes
1. C:\Users\Admin\AppData\Local\Temp\d4878bf517b84e49c3377adb1ad8038d.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\d4878bf517b84e49c3377adb1ad8038d.exe"
   - Loads dropped DLL
   - Suspicious behavior: RenamesItself
   - Suspicious use of UnmapMainImage
   - Suspicious use of WriteProcessMemory
   PID: 2820
   2. C:\Users\Admin\AppData\Local\Temp\d4878bf517b84e49c3377adb1ad8038d.exe (child of PID 2820)
      Command line: C:\Users\Admin\AppData\Local\Temp\d4878bf517b84e49c3377adb1ad8038d.exe
      - Deletes itself
      - Executes dropped EXE
      - Suspicious use of UnmapMainImage
      PID: 2204
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 1.8MB
  MD5: 9a836599cece6bfb3fc88a87f9de1dcd
  SHA1: 45a1b3d2b9433c8a3d9f4b684469ca797e4eee1f
  SHA256: a4d3b464204f207909df15654039147b09b42bbb9d1b17f1a97ca255eb76bc65
  SHA512: d96e93f75d1423f5de872ac61592487c92c38ea78c80472140dd67fa5c1aa3b3a0bf55f96c3513364c7f3a404c2ef6e7b37942445aab19557c60b42e2bcce779
- Filesize: 2.4MB
  MD5: ee13ce8486934ae1a9c9e88aab46aa8d
  SHA1: 9d270abd2ec918e1d6b809d4b3d849ff184af4ea
  SHA256: 30d0396f7e04ae7bc24b5273cf3ec5d91ef311a905be2e436788e6c9d1316655
  SHA512: 565e9870b6627841d0553b74669c9de33ae5a38e391b70a0fc4752194114c0d8deaa7cc9f03a68089bbb1568d95e17c7a1ffa5562e2dfa60c2283c419eb09801
- Filesize: 2.2MB
  MD5: 7a10428eade567a2a006d415a510bc0e
  SHA1: 4b181d5c7a7a429e55cb0a9b7e53246b4855e8c3
  SHA256: 562473815d7fade38401dabed42850a3ae7c71cda905879c3a6b3b900a42b3f9
  SHA512: 78df287caea4844be6f54c314ec3a1fcbcd0cc484058a67a3765b6776aa21c50f75a4c70040d6d2266d34ca1c1e6a48bc8511d1e5360e4dd8c262f8bfeca9246