Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 121s
max time network: 125s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 26/03/2024, 09:56
Behavioral task behavioral1
Sample: dee17e6ac122e857bf727ea820dc115a.exe
Resource: win7-20240221-en
Behavioral task behavioral2
Sample: dee17e6ac122e857bf727ea820dc115a.exe
Resource: win10v2004-20240226-en
General
Target: dee17e6ac122e857bf727ea820dc115a.exe
Size: 1.3MB
MD5: dee17e6ac122e857bf727ea820dc115a
SHA1: 7ecbe947a154823796f3329215df5e25813898a3
SHA256: 30f4f39a0cfa3773c60f345606b22775fef4e1e2b580aab6fd96ff437c2ec05b
SHA512: 44a98b0f3e77703beeaaaa5254d103dcff9b979fd27d3988b807567a7bc3e61ce84aee0305bbf3a574639c56804d5556bef81a667ba275a8909cd29b658fb610
SSDEEP: 24576:ZQ4W91KZ8WdBJZPW4jReGP1zGeQZONCl1bwHskyS5juTrc6PIEKvG:QGZ8EBPPLlek1JU8CyuTrc6PI
Malware Config
Signatures
Deletes itself (1 IoC)
pid 1720  dee17e6ac122e857bf727ea820dc115a.exe
Executes dropped EXE (1 IoC)
pid 1720  dee17e6ac122e857bf727ea820dc115a.exe
Loads dropped DLL (1 IoC)
pid 2672  dee17e6ac122e857bf727ea820dc115a.exe
yara_rule upx (4 resources)
behavioral1/memory/2672-0-0x0000000000400000-0x000000000086A000-memory.dmp
behavioral1/files/0x0009000000012245-11.dat
behavioral1/files/0x0009000000012245-14.dat
behavioral1/memory/1720-16-0x0000000000400000-0x000000000086A000-memory.dmp
Suspicious behavior: RenamesItself (1 IoC)
pid 2672  dee17e6ac122e857bf727ea820dc115a.exe
Suspicious use of UnmapMainImage (2 IoCs)
pid 2672  dee17e6ac122e857bf727ea820dc115a.exe
pid 1720  dee17e6ac122e857bf727ea820dc115a.exe
Suspicious use of WriteProcessMemory (4 IoCs)
description: PID 2672 wrote to memory of 1720 | pid 2672 | process dee17e6ac122e857bf727ea820dc115a.exe | procid_target 28
description: PID 2672 wrote to memory of 1720 | pid 2672 | process dee17e6ac122e857bf727ea820dc115a.exe | procid_target 28
description: PID 2672 wrote to memory of 1720 | pid 2672 | process dee17e6ac122e857bf727ea820dc115a.exe | procid_target 28
description: PID 2672 wrote to memory of 1720 | pid 2672 | process dee17e6ac122e857bf727ea820dc115a.exe | procid_target 28
Processes
1. C:\Users\Admin\AppData\Local\Temp\dee17e6ac122e857bf727ea820dc115a.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\dee17e6ac122e857bf727ea820dc115a.exe"
   PID: 2672
   - Loads dropped DLL
   - Suspicious behavior: RenamesItself
   - Suspicious use of UnmapMainImage
   - Suspicious use of WriteProcessMemory
   2. (child of process 1) C:\Users\Admin\AppData\Local\Temp\dee17e6ac122e857bf727ea820dc115a.exe
      command line: C:\Users\Admin\AppData\Local\Temp\dee17e6ac122e857bf727ea820dc115a.exe
      PID: 1720
      - Deletes itself
      - Executes dropped EXE
      - Suspicious use of UnmapMainImage
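As a worked example added here (it is not tria.ge code, does not call the Triage API, and claims nothing about the sample beyond what the report lists), the script below loads the indicators from this report's Signatures and Processes sections as constructed records, parses the flattened WriteProcessMemory rows, and correlates them with the process tree. The check it runs is the one an analyst does by hand when reading this report: find a process that wrote into a child running the same image, then see which other signatures fired on that child. Here that is 2672 -> 1720, reported four times. The field names (`image`, `parent`, `src`, `dst`, `procid_target`) are this example's own choice.

```python
"""Correlate the signature hits in a Triage-style report with its process tree.

Added example for this page; not tria.ge code. The records below are
constructed from the Signatures and Processes sections of the report, and
the field names (image, parent, src, dst, procid_target) are this example's own.
"""
from collections import defaultdict

# Process tree as listed under Processes: PID -> image name and parent PID.
PROCESSES = {
    2672: {"image": "dee17e6ac122e857bf727ea820dc115a.exe", "parent": None},
    1720: {"image": "dee17e6ac122e857bf727ea820dc115a.exe", "parent": 2672},
}

# (signature, pid) pairs as listed under Signatures.
HITS = [
    ("Deletes itself", 1720),
    ("Executes dropped EXE", 1720),
    ("Loads dropped DLL", 2672),
    ("Suspicious behavior: RenamesItself", 2672),
    ("Suspicious use of UnmapMainImage", 2672),
    ("Suspicious use of UnmapMainImage", 1720),
]

# WriteProcessMemory rows in the report's flattened one-line form:
# "PID <src> wrote to memory of <dst> <pid> <image> <procid_target>".
# The report lists the same row four times.
WPM_LINES = [
    "PID 2672 wrote to memory of 1720 2672 dee17e6ac122e857bf727ea820dc115a.exe 28",
] * 4


def parse_wpm(line):
    """Split one flattened WriteProcessMemory row into its fields."""
    parts = line.split()
    if len(parts) != 10 or parts[0] != "PID" or parts[2:6] != ["wrote", "to", "memory", "of"]:
        raise ValueError(f"unrecognised WriteProcessMemory row: {line!r}")
    return {
        "src": int(parts[1]),            # writing process
        "dst": int(parts[6]),            # process written into
        "image": parts[8],               # image of the writing process
        "procid_target": int(parts[9]),  # Triage's internal id of the target
    }


def hits_by_pid(hits, wpm_lines):
    """Group every signature, including parsed WriteProcessMemory rows, by PID."""
    grouped = defaultdict(set)
    for signature, pid in hits:
        grouped[pid].add(signature)
    for row in map(parse_wpm, wpm_lines):
        grouped[row["src"]].add("Suspicious use of WriteProcessMemory")
    return grouped


def same_image_child_writes(processes, wpm_lines):
    """Return {(src, dst): row_count} for writes into a child running the same image."""
    counts = defaultdict(int)
    for row in map(parse_wpm, wpm_lines):
        src, dst = row["src"], row["dst"]
        child, parent = processes.get(dst), processes.get(src)
        if child and parent and child["parent"] == src and child["image"] == parent["image"]:
            counts[(src, dst)] += 1
    return dict(counts)


def review_notes(processes, hits, wpm_lines):
    """Plain-text notes an analyst would jot down from the report."""
    grouped = hits_by_pid(hits, wpm_lines)
    notes = []
    for (src, dst), n in sorted(same_image_child_writes(processes, wpm_lines).items()):
        notes.append(f"{src} wrote into same-image child {dst} ({n} rows)")
        if "Suspicious use of UnmapMainImage" in grouped[dst]:
            notes.append(f"{dst} also unmapped its main image")
        if "Deletes itself" in grouped[dst]:
            notes.append(f"{dst} deleted its own executable")
    return notes


if __name__ == "__main__":
    for pid, sigs in sorted(hits_by_pid(HITS, WPM_LINES).items()):
        print(pid, sorted(sigs))
    print("\n".join(review_notes(PROCESSES, HITS, WPM_LINES)))
```

The parser rejects any row that does not match the ten-field layout rather than guessing, so a differently flattened export fails loudly instead of silently mis-assigning PIDs. The duplicate rows are counted rather than dropped, since the count itself is part of what the report records.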
Network
MITRE ATT&CK Matrix
Downloads
File 1
Filesize: 1.3MB
MD5: 1db9bac8f8632ea90d8a42882ffbb8e2
SHA1: 7f57e204dc1a93a0cc5360ea2175ce5fec062aa5
SHA256: 947c871b1daf874bbb109cdf318f4181b99b22b21b50e64a9b8f6fa007f7d2ee
SHA512: 3d67f5a0b6884cb78adde513f0d1d777e2bd77c6fb44fde5457d0c957f77dd4125a864ec7d00229e5643a45e48a37669c577117db457d80bfa13dff9764e0c3d
File 2
Filesize: 960KB
MD5: 6025ff903a7e1f9e58dd92a6af4ac170
SHA1: cb04102e2f27f9adaf24f023174744ab9497a398
SHA256: d72ab7a45dae1b38e2273d5205882391177aac7df8b55564460615fc06e0122e
SHA512: 0c83d5472d9b899e867d6b9e55b951ca41b9cca24f1401ab00f102ea6724b77669c6928ee1ca5a9df059d0ffb890fd33f6146540daebbb1230208710a12aa8e4