Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview
overview
10Static
static
022e3c30a1...66.exe
windows11_x64
10022e3c30a1...66.exe
windows10_x64
1022e3c30a1...66.exe
windows10_x64
104d27dca0a1...ef.exe
windows11_x64
104d27dca0a1...ef.exe
windows10_x64
104d27dca0a1...ef.exe
windows10_x64
10578a3a7a2b...b3.exe
windows11_x64
10578a3a7a2b...b3.exe
windows10_x64
10578a3a7a2b...b3.exe
windows10_x64
109c4880a98c...82.exe
windows11_x64
109c4880a98c...82.exe
windows10_x64
109c4880a98c...82.exe
windows10_x64
10a1dad4a83d...c4.exe
windows11_x64
10a1dad4a83d...c4.exe
windows10_x64
10a1dad4a83d...c4.exe
windows10_x64
10acf1b7d80f...e0.exe
windows11_x64
10acf1b7d80f...e0.exe
windows10_x64
10acf1b7d80f...e0.exe
windows10_x64
10cbf31d825a...d2.exe
windows11_x64
10cbf31d825a...d2.exe
windows10_x64
10cbf31d825a...d2.exe
windows10_x64
10db76a117db...12.exe
windows11_x64
10db76a117db...12.exe
windows10_x64
10db76a117db...12.exe
windows10_x64
10e2ffb8aeeb...f6.exe
windows11_x64
10e2ffb8aeeb...f6.exe
windows10_x64
10e2ffb8aeeb...f6.exe
windows10_x64
10f2196668f4...cb.exe
windows11_x64
10f2196668f4...cb.exe
windows10_x64
10f2196668f4...cb.exe
windows10_x64
10Resubmissions
10/11/2021, 14:50
211110-r7nbvaeddr 1008/11/2021, 16:12
211108-tnmmbahgaj 1008/11/2021, 15:26
211108-svdsbaccf6 1008/11/2021, 14:48
211108-r6lfvshdfn 10Analysis
-
max time kernel
216s -
max time network
1724s -
platform
windows11_x64 -
resource
win11 -
submitted
08/11/2021, 16:12
Static task
static1
Behavioral task
behavioral1
Sample
022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe
Resource
win11
Behavioral task
behavioral2
Sample
022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe
Resource
win10-en-20211014
Behavioral task
behavioral3
Sample
022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe
Resource
win10-de-20211014
Behavioral task
behavioral4
Sample
4d27dca0a1e05e876c2a1a8c09854c847b8e21bc5db294ad63cbfc603b5d62ef.exe
Resource
win11
Behavioral task
behavioral5
Sample
4d27dca0a1e05e876c2a1a8c09854c847b8e21bc5db294ad63cbfc603b5d62ef.exe
Resource
win10-en-20211014
Behavioral task
behavioral6
Sample
4d27dca0a1e05e876c2a1a8c09854c847b8e21bc5db294ad63cbfc603b5d62ef.exe
Resource
win10-de-20211014
Behavioral task
behavioral7
Sample
578a3a7a2b73a5c5f4a0485db0980b9acfa89b8e44690e799272d5cfb0237ab3.exe
Resource
win11
Behavioral task
behavioral8
Sample
578a3a7a2b73a5c5f4a0485db0980b9acfa89b8e44690e799272d5cfb0237ab3.exe
Resource
win10-en-20211014
Behavioral task
behavioral9
Sample
578a3a7a2b73a5c5f4a0485db0980b9acfa89b8e44690e799272d5cfb0237ab3.exe
Resource
win10-de-20211014
Behavioral task
behavioral10
Sample
9c4880a98c53084391a2e2ec350515da63c1dc8ac929af17f012b690b0453782.exe
Resource
win11
Behavioral task
behavioral11
Sample
9c4880a98c53084391a2e2ec350515da63c1dc8ac929af17f012b690b0453782.exe
Resource
win10-en-20211104
Behavioral task
behavioral12
Sample
9c4880a98c53084391a2e2ec350515da63c1dc8ac929af17f012b690b0453782.exe
Resource
win10-de-20211014
Behavioral task
behavioral13
Sample
a1dad4a83d843acffbf293c0979951255abd9be4524d5a46c2fd48942a8a47c4.exe
Resource
win11
Behavioral task
behavioral14
Sample
a1dad4a83d843acffbf293c0979951255abd9be4524d5a46c2fd48942a8a47c4.exe
Resource
win10-en-20211014
Behavioral task
behavioral15
Sample
a1dad4a83d843acffbf293c0979951255abd9be4524d5a46c2fd48942a8a47c4.exe
Resource
win10-de-20211104
Behavioral task
behavioral16
Sample
acf1b7d80fc61269691cc9c7cb4884ffd5bbf5b1538c336c1007127d157738e0.exe
Resource
win11
Behavioral task
behavioral17
Sample
acf1b7d80fc61269691cc9c7cb4884ffd5bbf5b1538c336c1007127d157738e0.exe
Resource
win10-en-20211014
Behavioral task
behavioral18
Sample
acf1b7d80fc61269691cc9c7cb4884ffd5bbf5b1538c336c1007127d157738e0.exe
Resource
win10-de-20211104
Behavioral task
behavioral19
Sample
cbf31d825ac364f97420cb6523bca7bbcab24292e93fc9e946e64cb446291ad2.exe
Resource
win11
Behavioral task
behavioral20
Sample
cbf31d825ac364f97420cb6523bca7bbcab24292e93fc9e946e64cb446291ad2.exe
Resource
win10-en-20211104
Behavioral task
behavioral21
Sample
cbf31d825ac364f97420cb6523bca7bbcab24292e93fc9e946e64cb446291ad2.exe
Resource
win10-de-20211104
Behavioral task
behavioral22
Sample
db76a117dba6c24a64f328418c742a46b987d3b0914564ea439d468aa422aa12.exe
Resource
win11
Behavioral task
behavioral23
Sample
db76a117dba6c24a64f328418c742a46b987d3b0914564ea439d468aa422aa12.exe
Resource
win10-en-20211104
Behavioral task
behavioral24
Sample
db76a117dba6c24a64f328418c742a46b987d3b0914564ea439d468aa422aa12.exe
Resource
win10-de-20211104
Behavioral task
behavioral25
Sample
e2ffb8aeeb869fbb3de97b95b0c5c9cf2234d85612ba111115a938c89e4d94f6.exe
Resource
win11
Behavioral task
behavioral26
Sample
e2ffb8aeeb869fbb3de97b95b0c5c9cf2234d85612ba111115a938c89e4d94f6.exe
Resource
win10-en-20211104
Behavioral task
behavioral27
Sample
e2ffb8aeeb869fbb3de97b95b0c5c9cf2234d85612ba111115a938c89e4d94f6.exe
Resource
win10-de-20211104
Behavioral task
behavioral28
Sample
f2196668f412d730bc6bd24f08b749ed411d3450f9b4af846fc759e249f72acb.exe
Resource
win11
Behavioral task
behavioral29
Sample
f2196668f412d730bc6bd24f08b749ed411d3450f9b4af846fc759e249f72acb.exe
Resource
win10-en-20211104
Behavioral task
behavioral30
Sample
f2196668f412d730bc6bd24f08b749ed411d3450f9b4af846fc759e249f72acb.exe
Resource
win10-de-20211104
General
-
Target
e2ffb8aeeb869fbb3de97b95b0c5c9cf2234d85612ba111115a938c89e4d94f6.exe
Malware Config
Signatures
-
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
description pid Process procid_target PID 3388 created 2904 3388 WerFault.exe 80 -
Loads dropped DLL 1 IoCs
pid Process 2904 rundll32.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
pid pid_target Process procid_target 4036 2904 WerFault.exe 80 -
Checks processor information in registry 2 TTPs 7 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision WerFault.exe -
Enumerates system info in registry 2 TTPs 2 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 4036 WerFault.exe 4036 WerFault.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeRestorePrivilege 4036 WerFault.exe Token: SeBackupPrivilege 4036 WerFault.exe -
Suspicious use of WriteProcessMemory 5 IoCs
description pid Process procid_target PID 3924 wrote to memory of 2904 3924 e2ffb8aeeb869fbb3de97b95b0c5c9cf2234d85612ba111115a938c89e4d94f6.exe 80 PID 3924 wrote to memory of 2904 3924 e2ffb8aeeb869fbb3de97b95b0c5c9cf2234d85612ba111115a938c89e4d94f6.exe 80 PID 3924 wrote to memory of 2904 3924 e2ffb8aeeb869fbb3de97b95b0c5c9cf2234d85612ba111115a938c89e4d94f6.exe 80 PID 3388 wrote to memory of 2904 3388 WerFault.exe 80 PID 3388 wrote to memory of 2904 3388 WerFault.exe 80
Processes
-
C:\Users\Admin\AppData\Local\Temp\e2ffb8aeeb869fbb3de97b95b0c5c9cf2234d85612ba111115a938c89e4d94f6.exe"C:\Users\Admin\AppData\Local\Temp\e2ffb8aeeb869fbb3de97b95b0c5c9cf2234d85612ba111115a938c89e4d94f6.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3924 -
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" sqlite.dll,global2⤵
- Loads dropped DLL
PID:2904 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2904 -s 4563⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4036
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2904 -ip 29041⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:3388