Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 121s
max time network: 125s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 06/09/2024, 17:25
Behavioral task: behavioral1
Sample: loader.exe
Resource: win7-20240903-en
5 signatures
150 seconds

Behavioral task: behavioral2
Sample: loader.exe
Resource: win10v2004-20240802-en
3 signatures
150 seconds
General
Target: loader.exe
Size: 11.6MB
MD5: 3fb6f7382cd42db4ae7e5d2dceabde54
SHA1: 9113821a3227d7c417835c8d437540d7dc25478f
SHA256: f2bce8af8313bd95710966e90e3c5de80728dda7e9b97a26b2e1396e797aef06
SHA512: 1e4686f9f02def2147deb748cffb04af01530bbb010e86eeaf79b182538bb4d1a1ce5df28084166138eddda789e788e4f7080b12375f7e390317b31e0429b6a0
SSDEEP: 196608:6mu6lFEZs7cq3YvPIrublgpFV16dXL9ygAfWTwTkZDh0SySu42QcGlV:6t6lOZs7Y3yWgpFX6dh1AfNTkZDmXIh
Score: 7/10
Malware Config
Signatures

yara_rule matches
resource                                                                      rule
behavioral1/memory/2380-11-0x000000013F820000-0x0000000140E43000-memory.dmp   vmprotect
behavioral1/memory/2380-15-0x000000013F820000-0x0000000140E43000-memory.dmp   vmprotect
behavioral1/memory/2380-16-0x000000013F820000-0x0000000140E43000-memory.dmp   vmprotect
behavioral1/memory/2380-17-0x000000013F820000-0x0000000140E43000-memory.dmp   vmprotect

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow   ioc
2      api.ipify.org

Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
pid    Process
2380   loader.exe

Suspicious behavior: EnumeratesProcesses (1 IoC)
pid    Process
2380   loader.exe

Suspicious use of WriteProcessMemory (18 IoCs)
description                        pid    Process      procid_target
PID 2380 wrote to memory of 2812   2380   loader.exe   32
PID 2380 wrote to memory of 2812   2380   loader.exe   32
PID 2380 wrote to memory of 2812   2380   loader.exe   32
PID 2812 wrote to memory of 2828   2812   cmd.exe      33
PID 2812 wrote to memory of 2828   2812   cmd.exe      33
PID 2812 wrote to memory of 2828   2812   cmd.exe      33
PID 2812 wrote to memory of 2864   2812   cmd.exe      34
PID 2812 wrote to memory of 2864   2812   cmd.exe      34
PID 2812 wrote to memory of 2864   2812   cmd.exe      34
PID 2812 wrote to memory of 2860   2812   cmd.exe      35
PID 2812 wrote to memory of 2860   2812   cmd.exe      35
PID 2812 wrote to memory of 2860   2812   cmd.exe      35
PID 2380 wrote to memory of 2512   2380   loader.exe   36
PID 2380 wrote to memory of 2512   2380   loader.exe   36
PID 2380 wrote to memory of 2512   2380   loader.exe   36
PID 2380 wrote to memory of 2880   2380   loader.exe   37
PID 2380 wrote to memory of 2880   2380   loader.exe   37
PID 2380 wrote to memory of 2880   2380   loader.exe   37
Processes

C:\Users\Admin\AppData\Local\Temp\loader.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\loader.exe"
  PID: 2380
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\loader.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
    PID: 2812
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\certutil.exe
      command line: certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\loader.exe" MD5
      PID: 2828

    C:\Windows\system32\find.exe
      command line: find /i /v "md5"
      PID: 2864

    C:\Windows\system32\find.exe
      command line: find /i /v "certutil"
      PID: 2860

  C:\Windows\system32\WerFault.exe
    command line: C:\Windows\system32\WerFault.exe -u -p 2380 -s 532
    PID: 2512

  C:\Windows\system32\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c color B
    PID: 2880