Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
120s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240215-en -
resource tags
arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system -
submitted
18/04/2024, 18:50
Static task
static1
Behavioral task
behavioral1
Sample
Isisvideo.exe
Resource
win7-20240215-en
Behavioral task
behavioral2
Sample
Isisvideo.exe
Resource
win10v2004-20240412-en
General
-
Target
Isisvideo.exe
-
Size
55KB
-
MD5
e75eef82eba9fb4946d6e9d42abd4fe5
-
SHA1
e1bc20e9648028ceca5a5f27549ac0c13aeb23f4
-
SHA256
edbf9376617abec8a3f8ca5726171917c6c690ca9471f38421cfcaab2e79a467
-
SHA512
0869606a04aac1a46572e1366855cbb711e1bd92950dfb9924fc1cfb17188529e6bf542e9213d20373f86c0628f587efd9891ba8125a6992b61833c189fa5469
-
SSDEEP
1536:x1qTXQOp6mG/Lqa823grKUfMQ7UnPQ1Bx:ozp6mOZ8ZhfNUnPQx
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 1428 pokemon.exe -
Loads dropped DLL 2 IoCs
pid Process 2752 CMD.exe 2752 CMD.exe -
Gathers network information 2 TTPs 2 IoCs
Uses commandline utility to view network configuration.
pid Process 2672 ipconfig.exe 2676 ipconfig.exe -
Suspicious use of WriteProcessMemory 24 IoCs
description pid Process procid_target PID 1804 wrote to memory of 2156 1804 Isisvideo.exe 28 PID 1804 wrote to memory of 2156 1804 Isisvideo.exe 28 PID 1804 wrote to memory of 2156 1804 Isisvideo.exe 28 PID 1804 wrote to memory of 2156 1804 Isisvideo.exe 28 PID 1804 wrote to memory of 2752 1804 Isisvideo.exe 30 PID 1804 wrote to memory of 2752 1804 Isisvideo.exe 30 PID 1804 wrote to memory of 2752 1804 Isisvideo.exe 30 PID 1804 wrote to memory of 2752 1804 Isisvideo.exe 30 PID 2752 wrote to memory of 1428 2752 CMD.exe 32 PID 2752 wrote to memory of 1428 2752 CMD.exe 32 PID 2752 wrote to memory of 1428 2752 CMD.exe 32 PID 2752 wrote to memory of 1428 2752 CMD.exe 32 PID 1428 wrote to memory of 2672 1428 pokemon.exe 33 PID 1428 wrote to memory of 2672 1428 pokemon.exe 33 PID 1428 wrote to memory of 2672 1428 pokemon.exe 33 PID 1428 wrote to memory of 2672 1428 pokemon.exe 33 PID 1428 wrote to memory of 2676 1428 pokemon.exe 34 PID 1428 wrote to memory of 2676 1428 pokemon.exe 34 PID 1428 wrote to memory of 2676 1428 pokemon.exe 34 PID 1428 wrote to memory of 2676 1428 pokemon.exe 34 PID 1428 wrote to memory of 2684 1428 pokemon.exe 37 PID 1428 wrote to memory of 2684 1428 pokemon.exe 37 PID 1428 wrote to memory of 2684 1428 pokemon.exe 37 PID 1428 wrote to memory of 2684 1428 pokemon.exe 37
Processes
-
C:\Users\Admin\AppData\Local\Temp\Isisvideo.exe"C:\Users\Admin\AppData\Local\Temp\Isisvideo.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1804 -
C:\Windows\SysWOW64\CMD.exeCMD /C Copy C:\Users\Admin\AppData\Local\Temp\ISISVI~1.EXE C:\Users\Admin\AppData\Local\Temp\pokemon.exe2⤵PID:2156
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C Start C:\Users\Admin\AppData\Local\Temp\pokemon.exe2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2752 -
C:\Users\Admin\AppData\Local\Temp\pokemon.exeC:\Users\Admin\AppData\Local\Temp\pokemon.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1428 -
C:\Windows\SysWOW64\ipconfig.exeipconfig /flushdns4⤵
- Gathers network information
PID:2672
-
-
C:\Windows\SysWOW64\ipconfig.exeipconfig /renew4⤵
- Gathers network information
PID:2676
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C Start C:\Users\Admin\AppData\Local\{NRAI8~1\efcokq2t.exe4⤵PID:2684
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
55KB
MD5e75eef82eba9fb4946d6e9d42abd4fe5
SHA1e1bc20e9648028ceca5a5f27549ac0c13aeb23f4
SHA256edbf9376617abec8a3f8ca5726171917c6c690ca9471f38421cfcaab2e79a467
SHA5120869606a04aac1a46572e1366855cbb711e1bd92950dfb9924fc1cfb17188529e6bf542e9213d20373f86c0628f587efd9891ba8125a6992b61833c189fa5469