Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
19s -
max time network
119s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
09/06/2021, 16:49
Static task
static1
Behavioral task
behavioral1
Sample
sample.exe
Resource
win7v20210410
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
sample.exe
Resource
win10v20210408
0 signatures
0 seconds
General
-
Target
sample.exe
-
Size
41KB
-
MD5
b580c140a245f68291f7d4159272beeb
-
SHA1
96d61bb4105f2a331bb3d7b733d77666286e8954
-
SHA256
291dd93ff5ffd7c8c108767855b77b3a1fbae2755cc650b884f42e1903884041
-
SHA512
5241380c3613e11de37c2125de09b80933b4bd2e8a1def667fd035bea3f0a7c5e5d7707d940fea8d7e4aab1030fac0c03318e84717ba2feccfad7f01b0b1e676
Score
10/10
Malware Config
Extracted
Credentials
Protocol: smtp- Host:
mail.cock.li - Port:
587 - Username:
[email protected] - Password:
jesuscrypt
Signatures
-
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
description pid Process procid_target PID 3692 created 624 3692 WerFault.exe 67 -
Program crash 2 IoCs
pid pid_target Process procid_target 1796 624 WerFault.exe 67 3692 624 WerFault.exe 67 -
Suspicious behavior: EnumeratesProcesses 28 IoCs
pid Process 1796 WerFault.exe 1796 WerFault.exe 1796 WerFault.exe 1796 WerFault.exe 1796 WerFault.exe 1796 WerFault.exe 1796 WerFault.exe 1796 WerFault.exe 1796 WerFault.exe 1796 WerFault.exe 1796 WerFault.exe 1796 WerFault.exe 1796 WerFault.exe 1796 WerFault.exe 3692 WerFault.exe 3692 WerFault.exe 3692 WerFault.exe 3692 WerFault.exe 3692 WerFault.exe 3692 WerFault.exe 3692 WerFault.exe 3692 WerFault.exe 3692 WerFault.exe 3692 WerFault.exe 3692 WerFault.exe 3692 WerFault.exe 3692 WerFault.exe 3692 WerFault.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
description pid Process Token: SeDebugPrivilege 624 sample.exe Token: SeRestorePrivilege 1796 WerFault.exe Token: SeBackupPrivilege 1796 WerFault.exe Token: SeDebugPrivilege 1796 WerFault.exe Token: SeDebugPrivilege 3692 WerFault.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\sample.exe"C:\Users\Admin\AppData\Local\Temp\sample.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:624 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 624 -s 17242⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1796
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 624 -s 17402⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3692
-