Resubmissions
  Submitted            Analysis ID          Score
  15/09/2022, 17:59    220915-wkw3padgb3    3
  15/09/2022, 17:56    220915-wh3gpadga8    3
  22/07/2022, 19:25    220722-x4ylashdfl    10
  22/07/2022, 17:20    220722-vwqvdaggfl    10
Analysis
  max time kernel:   133s
  max time network:  135s
  platform:          windows10-2004_x64
  resource:          win10v2004-20220812-en
  resource tags:     arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  submitted:         15/09/2022, 17:59
Tasks
  Static task static1
  Behavioral task behavioral1: sample ORDER3763873.exe, resource win7-20220812-en
  Behavioral task behavioral2: sample ORDER3763873.exe, resource win10v2004-20220812-en
General
  Target:  ORDER3763873.exe
  Size:    13KB
  MD5:     fcf1a0e7b406505e0aaa094393d45d72
  SHA1:    cde2a1b3ef89f2b4c7a2048fa2d959e02c29008e
  SHA256:  352dd25fbf999c5e12526187390be9af7019db7c165f2e9e76fe7d1cd4bece3b
  SHA512:  5db78c6c157174cac8f010e8cf00d412a10703dd543ad224c7d81cb9b65b0a03891be95615dc57165761d433a673f316495e825e7a615d57b08b846fb3e52304
  SSDEEP:  192:7al+MLo8v/PwzaektqslX6IOGiMwEauPFUHDBxvu+6wFguGZAqd7:7+dvnvKhGavuPyjBcTZAqd
Malware Config
Signatures

Program crash (3 IoCs)
  pid   pid_target  Process       procid_target
  3448  5020        WerFault.exe  79
  3936  4268        WerFault.exe  93
  4992  1712        WerFault.exe  95

Suspicious use of AdjustPrivilegeToken (7 IoCs)
  description                 pid   Process
  Token: SeDebugPrivilege     5020  ORDER3763873.exe
  Token: SeDebugPrivilege     4268  ORDER3763873.exe
  Token: SeDebugPrivilege     1712  ORDER3763873.exe
  Token: SeRestorePrivilege   4288  7zG.exe
  Token: 35                   4288  7zG.exe
  Token: SeSecurityPrivilege  4288  7zG.exe
  Token: SeSecurityPrivilege  4288  7zG.exe

Suspicious use of FindShellTrayWindow (1 IoC)
  pid   Process
  4288  7zG.exe
Processes

  C:\Users\Admin\AppData\Local\Temp\ORDER3763873.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\ORDER3763873.exe"
    PID: 5020
    Signatures: Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 1400
        PID: 3448
        Signatures: Program crash

  C:\Windows\System32\rundll32.exe
    Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    PID: 1600

  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 5020 -ip 5020
    PID: 1016

  C:\Users\Admin\AppData\Local\Temp\ORDER3763873.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\ORDER3763873.exe"
    PID: 4268
    Signatures: Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4268 -s 1392
        PID: 3936
        Signatures: Program crash

  C:\Users\Admin\AppData\Local\Temp\ORDER3763873.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\ORDER3763873.exe"
    PID: 1712
    Signatures: Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1712 -s 1364
        PID: 4992
        Signatures: Program crash

  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 4268 -ip 4268
    PID: 1468

  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1712 -ip 1712
    PID: 1416

  C:\Program Files\7-Zip\7zG.exe
    Command line: "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\ORDER3763873\" -spe -an -ai#7zMap25258:104:7zEvent6799
    PID: 4288
    Signatures: Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow

  C:\Windows\system32\NOTEPAD.EXE
    Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\ORDER3763873\.text
    PID: 4928
Network
MITRE ATT&CK Matrix
Downloads
  Filesize:  10KB
  MD5:       1c3525c5fabb3b92f8100d934b7cd06c
  SHA1:      44c489d5cee4d6465efc1d5edebe4879e0ed05da
  SHA256:    cf89233e137b70f0ea603c7753c7d25e09dabec2b0f37271c0813d11ccc0666f
  SHA512:    de097201ee47b830e2f286ff987218546ed9b0a3488dcb66883df4d777a96511c9ef2b5e9c8fe8bf41c44665e62b610cf9e172f6ad871ab8762eb3044cc43dd6