Analysis
- max time kernel: 142s
- max time network: 148s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 08/05/2024, 20:17
Static task: static1
Behavioral task: behavioral1
- Sample: 241d4e18736f0fa50088af8994fd49fd8fa219e2c650100efd451b8901ecc625.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 241d4e18736f0fa50088af8994fd49fd8fa219e2c650100efd451b8901ecc625.exe
- Resource: win10v2004-20240426-en
General
- Target: 241d4e18736f0fa50088af8994fd49fd8fa219e2c650100efd451b8901ecc625.exe
- Size: 61KB
- MD5: 681b02913a2c223642e211448377e679
- SHA1: 267de3e888ac069a6a23b03855ee0979622c1baf
- SHA256: 241d4e18736f0fa50088af8994fd49fd8fa219e2c650100efd451b8901ecc625
- SHA512: d835c81a47144c2f665a2f9f87fe977a7840cfb05c6311e5ded5472bef050cd40ba7286f34e2bf3ab9cd2c180c74ff86077ad4e8775cba2a05733826c89cad8e
- SSDEEP: 1536:Uttdse4OcUmWQIvEPZo6E5sEFd29NQgA2w6TNle5:sdse4OlQZo6EKEFdGM29le5
Malware Config
Signatures
- Executes dropped EXE (5 IoCs)
  pid   Process
  1920  ewiuer2.exe
  1564  ewiuer2.exe
  2960  ewiuer2.exe
  1244  ewiuer2.exe
  2068  ewiuer2.exe
- Loads dropped DLL (10 IoCs)
  pid   Process
  2188  241d4e18736f0fa50088af8994fd49fd8fa219e2c650100efd451b8901ecc625.exe
  2188  241d4e18736f0fa50088af8994fd49fd8fa219e2c650100efd451b8901ecc625.exe
  1920  ewiuer2.exe
  1920  ewiuer2.exe
  1564  ewiuer2.exe
  1564  ewiuer2.exe
  2960  ewiuer2.exe
  2960  ewiuer2.exe
  1244  ewiuer2.exe
  1244  ewiuer2.exe
- Drops file in System32 directory (2 IoCs)
  description                   ioc                              Process
  File opened for modification  C:\Windows\SysWOW64\ewiuer2.exe  ewiuer2.exe
  File created                  C:\Windows\SysWOW64\ewiuer2.exe  ewiuer2.exe
- Suspicious use of WriteProcessMemory (20 IoCs)
  description                       pid   Process                                                                  procid_target
  PID 2188 wrote to memory of 1920  2188  241d4e18736f0fa50088af8994fd49fd8fa219e2c650100efd451b8901ecc625.exe  28
  PID 2188 wrote to memory of 1920  2188  241d4e18736f0fa50088af8994fd49fd8fa219e2c650100efd451b8901ecc625.exe  28
  PID 2188 wrote to memory of 1920  2188  241d4e18736f0fa50088af8994fd49fd8fa219e2c650100efd451b8901ecc625.exe  28
  PID 2188 wrote to memory of 1920  2188  241d4e18736f0fa50088af8994fd49fd8fa219e2c650100efd451b8901ecc625.exe  28
  PID 1920 wrote to memory of 1564  1920  ewiuer2.exe                                                              32
  PID 1920 wrote to memory of 1564  1920  ewiuer2.exe                                                              32
  PID 1920 wrote to memory of 1564  1920  ewiuer2.exe                                                              32
  PID 1920 wrote to memory of 1564  1920  ewiuer2.exe                                                              32
  PID 1564 wrote to memory of 2960  1564  ewiuer2.exe                                                              33
  PID 1564 wrote to memory of 2960  1564  ewiuer2.exe                                                              33
  PID 1564 wrote to memory of 2960  1564  ewiuer2.exe                                                              33
  PID 1564 wrote to memory of 2960  1564  ewiuer2.exe                                                              33
  PID 2960 wrote to memory of 1244  2960  ewiuer2.exe                                                              35
  PID 2960 wrote to memory of 1244  2960  ewiuer2.exe                                                              35
  PID 2960 wrote to memory of 1244  2960  ewiuer2.exe                                                              35
  PID 2960 wrote to memory of 1244  2960  ewiuer2.exe                                                              35
  PID 1244 wrote to memory of 2068  1244  ewiuer2.exe                                                              36
  PID 1244 wrote to memory of 2068  1244  ewiuer2.exe                                                              36
  PID 1244 wrote to memory of 2068  1244  ewiuer2.exe                                                              36
  PID 1244 wrote to memory of 2068  1244  ewiuer2.exe                                                              36
Processes
1. C:\Users\Admin\AppData\Local\Temp\241d4e18736f0fa50088af8994fd49fd8fa219e2c650100efd451b8901ecc625.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\241d4e18736f0fa50088af8994fd49fd8fa219e2c650100efd451b8901ecc625.exe"
   PID: 2188
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\ewiuer2.exe
      Command line: C:\Users\Admin\AppData\Roaming\ewiuer2.exe
      PID: 1920
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\ewiuer2.exe
         Command line: C:\Windows\System32\ewiuer2.exe
         PID: 1564
         - Executes dropped EXE
         - Loads dropped DLL
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Roaming\ewiuer2.exe
            Command line: C:\Users\Admin\AppData\Roaming\ewiuer2.exe
            PID: 2960
            - Executes dropped EXE
            - Loads dropped DLL
            - Drops file in System32 directory
            - Suspicious use of WriteProcessMemory
            5. C:\Windows\SysWOW64\ewiuer2.exe
               Command line: C:\Windows\System32\ewiuer2.exe
               PID: 1244
               - Executes dropped EXE
               - Loads dropped DLL
               - Suspicious use of WriteProcessMemory
               6. C:\Users\Admin\AppData\Roaming\ewiuer2.exe
                  Command line: C:\Users\Admin\AppData\Roaming\ewiuer2.exe
                  PID: 2068
                  - Executes dropped EXE
Network
MITRE ATT&CK Matrix
Downloads