Analysis
max time kernel: 165s
max time network: 169s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01/10/2022, 19:54
Static task: static1
Behavioral task: behavioral1
  Sample: 1b433cfefdac6a1a2c4472b49a4fa7e9289565afbbd0d70111f28e05fbc33585.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: 1b433cfefdac6a1a2c4472b49a4fa7e9289565afbbd0d70111f28e05fbc33585.exe
  Resource: win10v2004-20220812-en
General
Target: 1b433cfefdac6a1a2c4472b49a4fa7e9289565afbbd0d70111f28e05fbc33585.exe
Size: 393KB
MD5: 00890653ba8c1302d15b0fb5d17c2337
SHA1: 61edfd5d9f2cfdc1158e97259cc7ab2d230edc22
SHA256: 1b433cfefdac6a1a2c4472b49a4fa7e9289565afbbd0d70111f28e05fbc33585
SHA512: 37d928b09c7b5b4719d9540e2449ca68eb1351be87d964df7797a9f1d0b457fa596285017e4a3b61248a7553f2b1b747d205ba77523635639eb7b647b94bfb76
SSDEEP: 6144:IZWMfwaaMrMM2gGEghjdQLYpfuHB/e5QaLrN36pgVZv2JL3r77a:IJ0MAMIjdQUpfo/e5Q23sLX
Malware Config
Signatures

Executes dropped EXE (1 IoC)
  pid   Process
  1904  jlguaji.exe

Program crash (2 IoCs)
  pid   pid_target  Process       procid_target
  1040  1904        WerFault.exe  85
  2808  1904        WerFault.exe  85

Kills process with taskkill (1 IoC)
  pid  Process
  440  taskkill.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description              pid  Process
  Token: SeDebugPrivilege  440  taskkill.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  description                       pid   Process                                                               procid_target
  PID 4800 wrote to memory of 440   4800  1b433cfefdac6a1a2c4472b49a4fa7e9289565afbbd0d70111f28e05fbc33585.exe  83
  PID 4800 wrote to memory of 440   4800  1b433cfefdac6a1a2c4472b49a4fa7e9289565afbbd0d70111f28e05fbc33585.exe  83
  PID 4800 wrote to memory of 440   4800  1b433cfefdac6a1a2c4472b49a4fa7e9289565afbbd0d70111f28e05fbc33585.exe  83
  PID 4800 wrote to memory of 1904  4800  1b433cfefdac6a1a2c4472b49a4fa7e9289565afbbd0d70111f28e05fbc33585.exe  85
  PID 4800 wrote to memory of 1904  4800  1b433cfefdac6a1a2c4472b49a4fa7e9289565afbbd0d70111f28e05fbc33585.exe  85
  PID 4800 wrote to memory of 1904  4800  1b433cfefdac6a1a2c4472b49a4fa7e9289565afbbd0d70111f28e05fbc33585.exe  85
Processes (indentation shows the process tree)

C:\Users\Admin\AppData\Local\Temp\1b433cfefdac6a1a2c4472b49a4fa7e9289565afbbd0d70111f28e05fbc33585.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1b433cfefdac6a1a2c4472b49a4fa7e9289565afbbd0d70111f28e05fbc33585.exe"
  - Suspicious use of WriteProcessMemory
  PID: 4800
    C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /f /im Ksafetray.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID: 440
    C:\Users\Admin\AppData\Roaming\Spiritsoft\urlspirit\jlguaji.exe
      Command line: C:\Users\Admin\AppData\Roaming\Spiritsoft\urlspirit\jlguaji.exe
      - Executes dropped EXE
      PID: 1904
        C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1904 -s 556
          - Program crash
          PID: 1040
        C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1904 -s 576
          - Program crash
          PID: 2808

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1904 -ip 1904
  PID: 1744

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1904 -ip 1904
  PID: 4160
Network
MITRE ATT&CK Matrix
Downloads
Filesize: 338KB
MD5: a810072c0884629f04fd17481b385751
SHA1: 3354a25a544307de15d7a51375127021ddf66c96
SHA256: 7684717985a61b600f128fed6cae8b2f72a9d1accb3f598ba121bdde7396091f
SHA512: 5c0b8ff931fb54d6577ffb6707c567173ec8cb2c2c270ce01c400f2227694c87c9b88a8fde1fb2b107d8489e98afb7f38e4e7f423429f31a5a9f9394d5007fd2