Analysis
- max time kernel: 120s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 07/04/2024, 00:02
Behavioral task: behavioral1
- Sample: a58fd625bf63b8a73ef378fe80f7570a26926089df7196dc4254011aaf3b4ed5.exe
- Resource: win7-20240221-en

Behavioral task: behavioral2
- Sample: a58fd625bf63b8a73ef378fe80f7570a26926089df7196dc4254011aaf3b4ed5.exe
- Resource: win10v2004-20231215-en
General
- Target: a58fd625bf63b8a73ef378fe80f7570a26926089df7196dc4254011aaf3b4ed5.exe
- Size: 449KB
- MD5: 74fe65d5e23e006e59e09de6e3c92e15
- SHA1: 571424032ebbd55453af2a725357183ef94a23d4
- SHA256: a58fd625bf63b8a73ef378fe80f7570a26926089df7196dc4254011aaf3b4ed5
- SHA512: 6f13e6e6cc9026b014aabb1ec1e06b756adabe7b8a9fc267a99c1ef234a1a0fd2b3ba5d9f673addd9a2932601200c79157bfe6d995b2cd35f13b7115ae3f1055
- SSDEEP: 12288:NJu6lfyi4fabr9jy4BNKOSuDVh+vh4tH1jo3rqsh2T:N8XfyhLNKQVhKutH1jo3Phu
Malware Config
Signatures
- UPX dump on OEP (original entry point) (3 IoCs)
  resource | yara_rule
  behavioral1/memory/2228-0-0x0000000000400000-0x000000000045F000-memory.dmp | UPX
  behavioral1/files/0x000c0000000136fc-5.dat | UPX
  behavioral1/memory/3000-7-0x0000000000400000-0x000000000045F000-memory.dmp | UPX
- Modifies AppInit DLL entries (2 TTPs)
- Executes dropped EXE (1 IoCs)
  pid | Process
  3000 | dbilzqh.exe
- resource | yara_rule
  behavioral1/memory/2228-0-0x0000000000400000-0x000000000045F000-memory.dmp | upx
  behavioral1/files/0x000c0000000136fc-5.dat | upx
  behavioral1/memory/3000-7-0x0000000000400000-0x000000000045F000-memory.dmp | upx
- Drops file in Program Files directory (2 IoCs)
  description | ioc | Process
  File created | C:\PROGRA~3\Mozilla\dbilzqh.exe | a58fd625bf63b8a73ef378fe80f7570a26926089df7196dc4254011aaf3b4ed5.exe
  File created | C:\PROGRA~3\Mozilla\zxoabnc.dll | dbilzqh.exe
- Suspicious use of UnmapMainImage (2 IoCs)
  pid | Process
  2228 | a58fd625bf63b8a73ef378fe80f7570a26926089df7196dc4254011aaf3b4ed5.exe
  3000 | dbilzqh.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target
  PID 2736 wrote to memory of 3000 | 2736 | taskeng.exe | 29
  PID 2736 wrote to memory of 3000 | 2736 | taskeng.exe | 29
  PID 2736 wrote to memory of 3000 | 2736 | taskeng.exe | 29
  PID 2736 wrote to memory of 3000 | 2736 | taskeng.exe | 29
Processes
- C:\Users\Admin\AppData\Local\Temp\a58fd625bf63b8a73ef378fe80f7570a26926089df7196dc4254011aaf3b4ed5.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a58fd625bf63b8a73ef378fe80f7570a26926089df7196dc4254011aaf3b4ed5.exe"
  - Drops file in Program Files directory
  - Suspicious use of UnmapMainImage
  PID: 2228
- C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {4C2F6653-F00B-438D-BADF-4376140E064E} S-1-5-18:NT AUTHORITY\System:Service:
  - Suspicious use of WriteProcessMemory
  PID: 2736
  - C:\PROGRA~3\Mozilla\dbilzqh.exe (child of PID 2736)
    Command line: C:\PROGRA~3\Mozilla\dbilzqh.exe -kwinamg
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of UnmapMainImage
    PID: 3000
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 449KB
- MD5: 3de42d2c27e8afdc9ad904efdb8f1e1a
- SHA1: 08a975e9c4b5eafee5de4b467951c4d2512029a2
- SHA256: 6281858ed0d197650b5a5f18d1adc24ad384b96bf2cdeb0b6a5762a99f36ee5e
- SHA512: 7ddd724e405d72987b5cfb16485d20059dbd6d641cd93d81518b3f4fd2475e4935a37e807d1458e1c61b65f2cac011ce20bc287453b334bbe9a824b531680025