Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
113s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220113 -
submitted
01/03/2022, 07:35
Static task
static1
Behavioral task
behavioral1
Sample
sample.exe
Resource
win7-20220223-en
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
sample.exe
Resource
win10v2004-en-20220113
0 signatures
0 seconds
General
-
Target
sample.exe
-
Size
141KB
-
MD5
1c2af6c5e1b8b87189b5da7bd3cefe30
-
SHA1
6881acb4f1401f0db02bbebe82e2381a0b7c447d
-
SHA256
cf0705a3e4f3690e28184eb019a4940e7291ce5b3d52747ff80b72e90922a89b
-
SHA512
1f391111cbeb12f892c272076111a8317b98c9eda4bbf12eefb7a47bcc1a327b43310739a301718b700dc2ce28339b00533f2c9eda1f06ffff21f30d69ce6362
Score
10/10
Malware Config
Signatures
-
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
description pid Process procid_target PID 3184 created 4440 3184 WerFault.exe 61 -
Program crash 1 IoCs
pid pid_target Process procid_target 4216 4440 WerFault.exe 61 -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe -
Enumerates system info in registry 2 TTPs 2 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 4216 WerFault.exe 4216 WerFault.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 4440 sample.exe -
Suspicious use of WriteProcessMemory 2 IoCs
description pid Process procid_target PID 3184 wrote to memory of 4440 3184 WerFault.exe 61 PID 3184 wrote to memory of 4440 3184 WerFault.exe 61
Processes
-
C:\Users\Admin\AppData\Local\Temp\sample.exe"C:\Users\Admin\AppData\Local\Temp\sample.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4440 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4440 -s 9442⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
PID:4216
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 408 -p 4440 -ip 44401⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:3184