Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 122s
max time network: 126s
platform: windows7_x64
resource: win7-20240319-en
resource tags: arch:x64, arch:x86, image:win7-20240319-en, locale:en-us, os:windows7-x64, system
submitted: 27/03/2024, 08:52
Behavioral task behavioral1
Sample: e14552ab2611f0bb677a15cb673ea7d5.exe
Resource: win7-20240319-en
Behavioral task behavioral2
Sample: e14552ab2611f0bb677a15cb673ea7d5.exe
Resource: win10v2004-20240226-en
General
Target: e14552ab2611f0bb677a15cb673ea7d5.exe
Size: 497KB
MD5: e14552ab2611f0bb677a15cb673ea7d5
SHA1: 7d1157a982601536c840c88c7776f495435bd9cd
SHA256: 146a13ff0619dc191a88422c0393601eaa51596b020e9c4244b9c4f2f1020297
SHA512: 9f413cdb38b9f21e9b0a2f8115d2285e25641f6ffd40358b96ddad1039a4845722220436463c8566d119cce5cf2f86c2569cdb52b5067e84117f42f44676315d
SSDEEP: 6144:jk5M5FaYJsX6GH8JadDFIMNQhUGVDAT4l+m/60+B:o92iH8JldDAT4lh/cB
Malware Config
Signatures
Executes dropped EXE 1 IoCs
PID   Process
2984  Vmeloa.exe

UPX packed file 3 IoCs
Resource                                                                      YARA rule
behavioral1/memory/1028-0-0x0000000000400000-0x000000000047E000-memory.dmp    upx
behavioral1/files/0x00070000000142a5-10.dat                                   upx
behavioral1/memory/2984-12-0x0000000000400000-0x000000000047E000-memory.dmp   upx

Drops file in Windows directory 6 IoCs
Description                   IoC                                                           Process
File opened for modification  C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job   e14552ab2611f0bb677a15cb673ea7d5.exe
File created                  C:\Windows\Vmeloa.exe                                         e14552ab2611f0bb677a15cb673ea7d5.exe
File opened for modification  C:\Windows\Vmeloa.exe                                         e14552ab2611f0bb677a15cb673ea7d5.exe
File created                  C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job   Vmeloa.exe
File opened for modification  C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job   Vmeloa.exe
File created                  C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job   e14552ab2611f0bb677a15cb673ea7d5.exe

Modifies Internet Explorer settings 1 IoCs
Description   IoC                                                                                                   Process
Key created   \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Internet Explorer\Main   Vmeloa.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs
PID   Process
2984  Vmeloa.exe (64 identical entries)

Suspicious use of UnmapMainImage 2 IoCs
PID   Process
1028  e14552ab2611f0bb677a15cb673ea7d5.exe
2984  Vmeloa.exe

Suspicious use of WriteProcessMemory 4 IoCs
Description                        PID   Process                                procid_target
PID 1028 wrote to memory of 2984   1028  e14552ab2611f0bb677a15cb673ea7d5.exe   28 (4 identical entries)
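The three `upx` YARA hits above (two memory dumps and the dropped file) say the sample is UPX packed. As an added check that is not part of the tria.ge report or of the sample, the following Python reads a PE's section table and flags the section names the stock UPX stub writes (UPX0/UPX1), and compares a file's MD5/SHA1/SHA256 against the values in the General section. The function names and the minimal PE skeleton produced by `build_stub_pe` are assumptions made for illustration; the skeleton only exercises the parser and is not an executable.

```python
"""Static triage helpers for a sample flagged by a 'upx' YARA rule.

Added example for this report; not tria.ge code and not the sample's code.
The function names and the constructed mini-PE are assumptions.
"""
import hashlib
import struct
import sys

# Section names written by an unmodified UPX stub. UPX can be told to rename
# them, so an absence is not proof of a clean file (see usage note).
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2", b"UPX!"}

# Hashes from the General section of the report.
REPORT_HASHES = {
    "md5": "e14552ab2611f0bb677a15cb673ea7d5",
    "sha1": "7d1157a982601536c840c88c7776f495435bd9cd",
    "sha256": "146a13ff0619dc191a88422c0393601eaa51596b020e9c4244b9c4f2f1020297",
}


def pe_section_names(data: bytes) -> list:
    """Return the section names of a PE image, or [] if the bytes are not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)      # offset of "PE\0\0"
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    # COFF header follows the signature: Machine(2) NumberOfSections(2)
    # TimeDateStamp(4) PointerToSymbolTable(4) NumberOfSymbols(4)
    # SizeOfOptionalHeader(2) Characteristics(2)
    (num_sections,) = struct.unpack_from("<H", data, e_lfanew + 6)
    (size_opt,) = struct.unpack_from("<H", data, e_lfanew + 20)
    first = e_lfanew + 24 + size_opt                         # first IMAGE_SECTION_HEADER
    names = []
    for i in range(num_sections):
        off = first + i * 40                                 # each header is 40 bytes
        if off + 40 > len(data):
            break                                            # truncated table: stop
        names.append(data[off:off + 8].rstrip(b"\0"))        # Name is the first 8 bytes
    return names


def looks_upx_packed(data: bytes) -> bool:
    """True if any section carries a stock UPX name."""
    return any(name in UPX_SECTION_NAMES for name in pe_section_names(data))


def file_hashes(data: bytes) -> dict:
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def matches_report(data: bytes, expected: dict) -> dict:
    """Per-algorithm comparison of a file's hashes with the report's values."""
    actual = file_hashes(data)
    return {k: actual[k] == v.lower() for k, v in expected.items() if k in actual}


def build_stub_pe(section_names) -> bytes:
    """Constructed test input: a DOS stub, COFF header and section table only.
    It is not a runnable executable; it exists to exercise the parser."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)    # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x102)
    table = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + coff + table


if __name__ == "__main__":
    with open(sys.argv[1], "rb") as fh:          # python triage.py <sample.exe>
        blob = fh.read()
    print("sections:", pe_section_names(blob))
    print("upx section names present:", looks_upx_packed(blob))
    print("hash match vs report:", matches_report(blob, REPORT_HASHES))
```

Section names are a weak indicator in both directions: a packed file with renamed sections will not trip `looks_upx_packed`, and the report's rule also fired on two memory dumps, so a miss on the file on disk does not clear the sample. The hash comparison is the check worth doing first; a file that does not match the General section is not the artifact this report describes.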
Processes
C:\Users\Admin\AppData\Local\Temp\e14552ab2611f0bb677a15cb673ea7d5.exe (PID 1028, level 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\e14552ab2611f0bb677a15cb673ea7d5.exe"
- Drops file in Windows directory
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
  C:\Windows\Vmeloa.exe (PID 2984, level 2, child of PID 1028)
  Command line: C:\Windows\Vmeloa.exe
  - Executes dropped EXE
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
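The process tree and the file-drop signature together describe one chain: a binary run from the user's Temp directory writes Vmeloa.exe straight into C:\Windows, both processes create a legacy Task Scheduler 1.0 .job file under C:\Windows\Tasks, and the dropper launches its dropped copy. The following Python is an added example of detection logic for that chain run over constructed Sysmon-style records (event_id 1 for process creation, 11 for file creation); it is not tria.ge's signature code, and the field names, PIDs other than 1028 and 2984, and the benign explorer.exe record are assumptions. The .job path is the Windows 7 form of the scheduler store; the XML-based scheduler used on later Windows keeps tasks under C:\Windows\System32\Tasks instead, so the second rule would need that prefix to cover the win10 behavioral task.

```python
"""Detect the drop-persist-execute chain shown in this report.

Added example: constructed Sysmon-style events, not tria.ge detection code.
Field names (event_id, pid, ppid, image, target) and the benign record are
assumptions for illustration.
"""

# Paths taken from the report; "\\AppData\\Local\\Temp\\" is the dropper's origin.
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\e14552ab2611f0bb677a15cb673ea7d5.exe"
PAYLOAD = r"C:\Windows\Vmeloa.exe"
JOB = r"C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job"

# Directories a standard user can write to; a writer image living here and
# dropping into C:\Windows is the tell, not the write to C:\Windows alone.
USER_WRITABLE_MARKERS = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\users\\public\\")

# Constructed event stream modelled on the report (ppid 600 and pid 1500 are made up).
SAMPLE_EVENTS = [
    {"event_id": 1, "pid": 1028, "ppid": 600, "image": DROPPER},
    {"event_id": 11, "pid": 1028, "image": DROPPER, "target": PAYLOAD},
    {"event_id": 11, "pid": 1028, "image": DROPPER, "target": JOB},
    {"event_id": 1, "pid": 2984, "ppid": 1028, "image": PAYLOAD},
    {"event_id": 11, "pid": 2984, "image": PAYLOAD, "target": JOB},
    # benign: a user saving a document should not fire anything
    {"event_id": 11, "pid": 1500, "image": r"C:\Windows\explorer.exe",
     "target": r"C:\Users\Admin\Documents\notes.txt"},
]


def _norm(path: str) -> str:
    """Case-insensitive, backslash-only comparison form."""
    return path.replace("/", "\\").lower()


def _dirname(path: str) -> str:
    p = _norm(path)
    return p.rsplit("\\", 1)[0] if "\\" in p else ""


def detect(events) -> list:
    """Return (rule, pid, path) findings for the three links of the chain.

    Events are processed in order: the file-create for the payload must be seen
    before its process-create for the third rule to tie child to dropper.
    """
    findings = []
    dropped = {}                       # normalised dropped path -> writer pid
    for ev in events:
        if ev["event_id"] == 11:
            target, writer = _norm(ev["target"]), _norm(ev["image"])
            # Rule 1: an .exe written directly into C:\Windows by a process
            # whose own image sits in a user-writable location.
            if (_dirname(target) == "c:\\windows" and target.endswith(".exe")
                    and any(m in writer for m in USER_WRITABLE_MARKERS)):
                findings.append(("exe_dropped_in_windows_root", ev["pid"], ev["target"]))
                dropped[target] = ev["pid"]
            # Rule 2: legacy Task Scheduler 1.0 job file created (Win7 path).
            if target.startswith("c:\\windows\\tasks\\") and target.endswith(".job"):
                findings.append(("legacy_job_file_created", ev["pid"], ev["target"]))
        elif ev["event_id"] == 1:
            image = _norm(ev["image"])
            # Rule 3: the process that dropped the file is the parent that runs it.
            if image in dropped and dropped[image] == ev["ppid"]:
                findings.append(("dropper_ran_its_payload", ev["pid"], ev["image"]))
    return findings


if __name__ == "__main__":
    for rule, pid, path in detect(SAMPLE_EVENTS):
        print(f"{rule:32} pid={pid} {path}")
```

Rule 3 is the one that distinguishes this sample from an installer that legitimately stages a binary: it keys on the drop-then-execute parent relationship rather than on either event alone, which is also what the WriteProcessMemory entries (1028 writing into 2984) corroborate in the report.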
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 344B
MD5: be4bed87f2243f9427bcfea419691ed4
SHA1: 54ceae5f0728aec42966318870187a877536226f
SHA256: ab25795d60c5dbec27487f1887921141175a9c84013da982a172a66e60c6302f
SHA512: ac714cb43f086e70f9871c84032c811a026a3053d60deb67f0c7787793d1e1ec893ed02c514714c4fee3c7d432ac0ad890136675b6743faa59a1dde05a11e243

Filesize: 497KB
MD5: e14552ab2611f0bb677a15cb673ea7d5
SHA1: 7d1157a982601536c840c88c7776f495435bd9cd
SHA256: 146a13ff0619dc191a88422c0393601eaa51596b020e9c4244b9c4f2f1020297
SHA512: 9f413cdb38b9f21e9b0a2f8115d2285e25641f6ffd40358b96ddad1039a4845722220436463c8566d119cce5cf2f86c2569cdb52b5067e84117f42f44676315d