Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 141s
- max time network: 15s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64 arch:x86 image:win7-20240704-en locale:en-us os:windows7-x64 system
- submitted: 11/07/2024, 14:11
Static task
static1
Behavioral task
behavioral1
Sample
4eaa595a99e8b87614a97345e16854d2c31efc59b1b186b10ca50b492685d1a9.exe
Resource
win7-20240704-en
General
- Target: 4eaa595a99e8b87614a97345e16854d2c31efc59b1b186b10ca50b492685d1a9.exe
- Size: 281KB
- MD5: 4a9d8f2b67d2c90900e0a47940f88d5f
- SHA1: 9dc989d14bb2625d01b14c55563ef0f41f861e92
- SHA256: 4eaa595a99e8b87614a97345e16854d2c31efc59b1b186b10ca50b492685d1a9
- SHA512: c122bb3e3f36172bdb633f6121d9e53f209463ac972620ecb8b6d09b2438e4f2b37effbb0f210ca5bdc9f2ca5752a3af3515fb4c70901934a2466f1f08087b67
- SSDEEP: 3072:vHrfzYPc6ElLW4l/DReos0gXf+EvC6C36eCWdMuoB+UKrRiEOB9dXCQT1X/MK0dA:jnl/DRfkTC3dM7B+mCGQcAExQ6h1tWm
Malware Config
Signatures
- Detects Floxif payload (1 IoCs)
  resource: behavioral1/files/0x000c000000015635-1.dat; yara_rule: floxif
- ACProtect 1.3x - 1.4x DLL software (1 IoCs)
  Detects file using ACProtect software.
  resource: behavioral1/files/0x000c000000015635-1.dat; yara_rule: acprotect
- Loads dropped DLL (1 IoCs)
  pid: 2556; Process: 4eaa595a99e8b87614a97345e16854d2c31efc59b1b186b10ca50b492685d1a9.exe
  resource: behavioral1/files/0x000c000000015635-1.dat; yara_rule: upx
  resource: behavioral1/memory/2556-3-0x0000000010000000-0x0000000010030000-memory.dmp; yara_rule: upx
  resource: behavioral1/memory/2556-6-0x0000000010000000-0x0000000010030000-memory.dmp; yara_rule: upx
- Drops file in Program Files directory (1 IoCs)
  description: File created; ioc: C:\Program Files\Common Files\System\symsrv.dll; Process: 4eaa595a99e8b87614a97345e16854d2c31efc59b1b186b10ca50b492685d1a9.exe
- Program crash (1 IoCs)
  pid: 2904; pid_target: 2556; Process: WerFault.exe; procid_target: 28
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description: Token: SeDebugPrivilege; pid: 2556; Process: 4eaa595a99e8b87614a97345e16854d2c31efc59b1b186b10ca50b492685d1a9.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description: PID 2556 wrote to memory of 2904; pid: 2556; Process: 4eaa595a99e8b87614a97345e16854d2c31efc59b1b186b10ca50b492685d1a9.exe; procid_target: 29
  description: PID 2556 wrote to memory of 2904; pid: 2556; Process: 4eaa595a99e8b87614a97345e16854d2c31efc59b1b186b10ca50b492685d1a9.exe; procid_target: 29
  description: PID 2556 wrote to memory of 2904; pid: 2556; Process: 4eaa595a99e8b87614a97345e16854d2c31efc59b1b186b10ca50b492685d1a9.exe; procid_target: 29
  description: PID 2556 wrote to memory of 2904; pid: 2556; Process: 4eaa595a99e8b87614a97345e16854d2c31efc59b1b186b10ca50b492685d1a9.exe; procid_target: 29
Processes
- C:\Users\Admin\AppData\Local\Temp\4eaa595a99e8b87614a97345e16854d2c31efc59b1b186b10ca50b492685d1a9.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4eaa595a99e8b87614a97345e16854d2c31efc59b1b186b10ca50b492685d1a9.exe"
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2556
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2556 -s 204
    - Program crash
    PID: 2904
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 72KB
- MD5: ccf7e487353602c57e2e743d047aca36
- SHA1: 99f66919152d67a882685a41b7130af5f7703888
- SHA256: eaf76e5f1a438478ecf7b678744da34e9d9e5038b128f0c595672ee1dbbfd914
- SHA512: dde0366658082b142faa6487245bfc8b8942605f0ede65d12f8c368ff3673ca18e416a4bf132c4bee5be43e94aef0531be2008746c24f1e6b2f294a63ab1486c