Analysis
max time kernel: 16s
max time network: 128s
platform: windows10_x64
resource: win10v20210408
submitted: 18/07/2021, 18:52
Static task: static1
Behavioral task: behavioral1
  Sample: 47b95432a7ec3c68256b6948f59130459d15230e6e91d77f0baa2e55cb9642f4.bin.exe
  Resource: win7v20210408
  Result: 0 signatures, 0 seconds
The Windows 7 task reported nothing. The signatures and process tree below come from the windows10_x64 run (resource win10v20210408, listed under Analysis above); its memory dumps are the behavioral2/ paths referenced in the YARA hits.
General
Target: 47b95432a7ec3c68256b6948f59130459d15230e6e91d77f0baa2e55cb9642f4.bin.exe
Size: 408KB
MD5: 8b7f63f120e527135f9bb9a3d7621120
SHA1: 70c4b402faade6530f0f0e3a8ccc452f1c2773e7
SHA256: 47b95432a7ec3c68256b6948f59130459d15230e6e91d77f0baa2e55cb9642f4
SHA512: 67f4f0612aac3c7a57f39918ef260496d2e695f5cc3217d4d48661c23c9d2f6a8834c2c7cd965f1564b19eb9a12185a2ce50745d26913cd6ffcd94632410170b
Malware Config
Signatures

Suspicious use of NtCreateProcessExOtherParentProcess (1 IoC)
  description           pid   Process       procid_target
  PID 580 created 740   580   WerFault.exe  67

DarkVNC Payload (3 IoCs)
  resource                                                                       yara_rule
  behavioral2/memory/740-115-0x0000000002600000-0x0000000002688000-memory.dmp    darkvnc
  behavioral2/memory/740-116-0x0000000000400000-0x00000000008D0000-memory.dmp    darkvnc
  behavioral2/memory/3184-119-0x000002068A450000-0x000002068A749000-memory.dmp   darkvnc

Suspicious use of SetThreadContext (1 IoC)
  description                          pid   Process                                                                    procid_target
  PID 740 set thread context of 3184   740   47b95432a7ec3c68256b6948f59130459d15230e6e91d77f0baa2e55cb9642f4.bin.exe  75

Program crash (1 IoC)
  pid   pid_target   Process        procid_target
  580   740          WerFault.exe   67

Suspicious behavior: EnumeratesProcesses (14 IoCs)
  pid   Process
  580   WerFault.exe   (the same row is recorded 14 times)

Suspicious behavior: MapViewOfSection (1 IoC)
  pid   Process
  740   47b95432a7ec3c68256b6948f59130459d15230e6e91d77f0baa2e55cb9642f4.bin.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description                 pid   Process
  Token: SeRestorePrivilege   580   WerFault.exe
  Token: SeBackupPrivilege    580   WerFault.exe
  Token: SeDebugPrivilege     580   WerFault.exe

Suspicious use of WriteProcessMemory (5 IoCs)
  description                          pid   Process                                                                    procid_target
  PID 740 wrote to memory of 3184      740   47b95432a7ec3c68256b6948f59130459d15230e6e91d77f0baa2e55cb9642f4.bin.exe  75
  (the same row is recorded 5 times)

Read together, these rows describe one injection chain: the sample (PID 740) starts C:\Windows\system32\WerFault.exe (PID 3184), writes into it five times, resets its thread context, and the darkvnc YARA rule then matches in PID 3184's memory at 0x000002068A450000 (a 64-bit address), as well as in the sample's own image region 0x00400000-0x008D0000 and in its heap at 0x02600000. Writing a payload into a freshly created, signed Windows binary and redirecting its thread is the process-hollowing pattern. The second WerFault.exe (PID 580, from SysWOW64, started with -u -p 740 -s 496) is the genuine crash handler for the sample, which explains its privilege adjustments and process enumeration; it should not be confused with the hollowed PID 3184.
Processes

C:\Users\Admin\AppData\Local\Temp\47b95432a7ec3c68256b6948f59130459d15230e6e91d77f0baa2e55cb9642f4.bin.exe   (PID 740)
  command line: "C:\Users\Admin\AppData\Local\Temp\47b95432a7ec3c68256b6948f59130459d15230e6e91d77f0baa2e55cb9642f4.bin.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\WerFault.exe   (PID 3184)
    command line: C:\Windows\system32\WerFault.exe

  C:\Windows\SysWOW64\WerFault.exe   (PID 580)
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 740 -s 496
    - Suspicious use of NtCreateProcessExOtherParentProcess
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
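The signature rows and the process tree above together describe a process-hollowing chain, and the interesting analyst question is how to tell the hollowed WerFault.exe (PID 3184) apart from the real crash handler (PID 580). The Python below is an added example, not code from this report or from tria.ge: it transcribes the report's own process, event and YARA rows as constructed input, parses the memory-dump names to map YARA matches back to PIDs, pairs WriteProcessMemory with SetThreadContext on the same target, and treats a WerFault.exe started without `-p <crashing pid>` as suspicious. The function names, the verdict labels and the command-line heuristic are this example's assumptions, not Triage's detection logic.

```python
"""Reconstruct a process-hollowing chain from Triage-style behavioral rows.

Added example; not code from the report or from tria.ge. The input below is
transcribed from the report; function names and verdict labels are this
example's own conventions.
"""
import re
from collections import defaultdict

# --- Constructed input: process tree as shown in the report ------------------
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\47b95432a7ec3c68256b6948f59130459d15230e6e91d77f0baa2e55cb9642f4.bin.exe")

PROCESSES = {
    740:  {"image": SAMPLE, "cmdline": f'"{SAMPLE}"', "parent": None},
    3184: {"image": r"C:\Windows\system32\WerFault.exe",
           "cmdline": r"C:\Windows\system32\WerFault.exe", "parent": 740},
    580:  {"image": r"C:\Windows\SysWOW64\WerFault.exe",
           "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -u -p 740 -s 496", "parent": 740},
}

# (api, source pid, target pid) rows from the Signatures section
EVENTS = [("WriteProcessMemory", 740, 3184)] * 5 + [
    ("SetThreadContext", 740, 3184),
    ("NtCreateProcessExOtherParentProcess", 580, 740),
]

# (memory dump name, yara rule) rows from "DarkVNC Payload"
YARA_HITS = [
    ("behavioral2/memory/740-115-0x0000000002600000-0x0000000002688000-memory.dmp", "darkvnc"),
    ("behavioral2/memory/740-116-0x0000000000400000-0x00000000008D0000-memory.dmp", "darkvnc"),
    ("behavioral2/memory/3184-119-0x000002068A450000-0x000002068A749000-memory.dmp", "darkvnc"),
]

# Triage names dumps <pid>-<seq>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(r"(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def parse_dump_name(name):
    """Return (pid, start, end) for a dump file name, or None if it does not match."""
    m = DUMP_RE.search(name)
    if not m:
        return None
    pid, start, end = m.groups()
    return int(pid), int(start, 16), int(end, 16)


def yara_by_pid(hits):
    """Group YARA matches by the PID whose memory was dumped."""
    out = defaultdict(list)
    for name, rule in hits:
        parsed = parse_dump_name(name)
        if parsed:
            pid, start, end = parsed
            out[pid].append((rule, start, end))
    return dict(out)


def is_crash_handler_cmdline(cmdline):
    """Heuristic (this example's assumption): WER starts WerFault.exe for a crash
    with '-p <crashing pid>' (here '-u -p 740 -s 496'); a bare WerFault.exe
    command line is not a crash report in progress."""
    return re.search(r"(?:^|\s)-p\s+\d+", cmdline) is not None


def injection_targets(events):
    """Map target pid -> {source pid: set of cross-process APIs used on it}."""
    seen = defaultdict(lambda: defaultdict(set))
    for api, src, dst in events:
        if dst is not None and src != dst:
            seen[dst][src].add(api)
    return {dst: dict(srcs) for dst, srcs in seen.items()}


def triage(processes, events, hits):
    """Return {pid: {"verdict": ..., "reasons": [...]}} for every process."""
    findings = {}
    hits_by_pid = yara_by_pid(hits)
    targets = injection_targets(events)
    for pid, info in processes.items():
        verdict, reasons = "benign", []
        # A memory write plus a thread-context change from the same outside
        # process is the hollowing pattern: the target's code is replaced
        # before its original entry point ever runs.
        for src, apis in targets.get(pid, {}).items():
            if {"WriteProcessMemory", "SetThreadContext"} <= apis:
                verdict = "hollowed"
                reasons.append(f"pid {src} wrote memory and set thread context")
        if (info["image"].lower().endswith("werfault.exe")
                and not is_crash_handler_cmdline(info["cmdline"])):
            reasons.append("WerFault.exe started without crash-handler arguments")
            verdict = "suspicious" if verdict == "benign" else verdict
        for rule, start, end in hits_by_pid.get(pid, []):
            space = "64-bit" if end > 0xFFFFFFFF else "32-bit"
            reasons.append(f"yara {rule} at {start:#x}-{end:#x} ({space} address range)")
            verdict = "payload in memory" if verdict == "benign" else verdict
        findings[pid] = {"verdict": verdict, "reasons": reasons}
    return findings


if __name__ == "__main__":
    for pid, f in triage(PROCESSES, EVENTS, YARA_HITS).items():
        print(pid, f["verdict"], "; ".join(f["reasons"]))
```

On this report's rows the result is PID 3184 "hollowed" (written to and thread-context-reset by 740, bare WerFault.exe command line, darkvnc match in a 64-bit address range), PID 740 "payload in memory", and PID 580 "benign" because it carries the `-p 740` crash-handler arguments. The same three functions apply unchanged to EDR or Sysmon telemetry once rows are normalized to (api, source pid, target pid) tuples; the command-line heuristic errs toward flagging, so treat "suspicious" as a prompt to check the parent and the arguments rather than as a final verdict.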