Analysis
max time kernel: 118s
max time network: 129s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 09/04/2024, 20:08
Behavioral task: behavioral1
Sample: a394976a8dcdb01019d556aed95fe5ca.exe
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: a394976a8dcdb01019d556aed95fe5ca.exe
Resource: win10v2004-20240226-en
General
Target: a394976a8dcdb01019d556aed95fe5ca.exe
Size: 603KB
MD5: a394976a8dcdb01019d556aed95fe5ca
SHA1: 7cf13af7910412080b89bab611408b2b49a41651
SHA256: 277f0998bc35483b53c869e5258afb710163f924e24a777e755be9ce5f68fe29
SHA512: 86cd20c7454ee8d0644a2f653e24eb0f4572b88cd0fcdffb63cf5ccea7a84d34d4d2ef8f55b860e71d04b33f142fcedfccb9a82f4e53619bcf62de09c92b469a
SSDEEP: 12288:pBAsu/1OsCzbT7YebtN2rMFpouF0/DD0:uMzEgNPFpoz/0
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid 2600, Process customizing.exe
- Loads dropped DLL (2 IoCs)
  pid 2140, Process a394976a8dcdb01019d556aed95fe5ca.exe
  pid 2140, Process a394976a8dcdb01019d556aed95fe5ca.exe
- YARA rule matches (yara_rule: upx, 5 IoCs)
  resource behavioral1/memory/2140-0-0x0000000000400000-0x0000000000581000-memory.dmp, yara_rule upx
  resource behavioral1/files/0x0009000000012272-2.dat, yara_rule upx
  resource behavioral1/memory/2600-10-0x0000000000400000-0x0000000000581000-memory.dmp, yara_rule upx
  resource behavioral1/memory/2140-11-0x0000000000400000-0x0000000000581000-memory.dmp, yara_rule upx
  resource behavioral1/memory/2600-12-0x0000000000400000-0x0000000000581000-memory.dmp, yara_rule upx
- Drops file in Program Files directory (1 IoC)
  description File created, ioc C:\Program Files\callback\customizing.exe, Process a394976a8dcdb01019d556aed95fe5ca.exe
- Suspicious use of SetWindowsHookEx (8 IoCs)
  pid 2140, Process a394976a8dcdb01019d556aed95fe5ca.exe
  pid 2140, Process a394976a8dcdb01019d556aed95fe5ca.exe
  pid 2140, Process a394976a8dcdb01019d556aed95fe5ca.exe
  pid 2140, Process a394976a8dcdb01019d556aed95fe5ca.exe
  pid 2600, Process customizing.exe
  pid 2600, Process customizing.exe
  pid 2600, Process customizing.exe
  pid 2600, Process customizing.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description PID 2140 wrote to memory of 2600, pid 2140, Process a394976a8dcdb01019d556aed95fe5ca.exe, procid_target 28
  description PID 2140 wrote to memory of 2600, pid 2140, Process a394976a8dcdb01019d556aed95fe5ca.exe, procid_target 28
  description PID 2140 wrote to memory of 2600, pid 2140, Process a394976a8dcdb01019d556aed95fe5ca.exe, procid_target 28
  description PID 2140 wrote to memory of 2600, pid 2140, Process a394976a8dcdb01019d556aed95fe5ca.exe, procid_target 28
Processes
- Depth 1: C:\Users\Admin\AppData\Local\Temp\a394976a8dcdb01019d556aed95fe5ca.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a394976a8dcdb01019d556aed95fe5ca.exe"
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 2140
  - Depth 2 (child of PID 2140): C:\Program Files\callback\customizing.exe
    Command line: "C:\Program Files\callback\customizing.exe" "33201"
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID: 2600
Network
MITRE ATT&CK Matrix
Downloads
Filesize: 603KB
MD5: 16c535fe8ef4ff5a02cd5a6a58a7b119
SHA1: ece5fa9082825e6eb3dc13659b5d2ba93457db53
SHA256: 45c8bf868d7d07a53958823b93dcd016a533c0ebd4a0a39b5c06cd86b2300373
SHA512: ca5c52499236c6d0bd2982a5d9e8197589db8b6dd090230dc3c55b2e13dc4997a3e9acc8fbc979dbef9ec852d2d270007e3dab55e4f17fb713c74d587a2b7ceb