Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
122s -
max time network
139s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
19/10/2022, 23:04
Static task
static1
Behavioral task
behavioral1
Sample
403daa39886c0f06acd2663416f929b07f185d728bf67abd8424e273dcfddb50.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
403daa39886c0f06acd2663416f929b07f185d728bf67abd8424e273dcfddb50.exe
Resource
win10v2004-20220812-en
General
-
Target
403daa39886c0f06acd2663416f929b07f185d728bf67abd8424e273dcfddb50.exe
-
Size
171KB
-
MD5
82e49b3a536412fc0ce63bcbab060cef
-
SHA1
553a87bcb033f71c4220e1317ea3d4cc05c27558
-
SHA256
403daa39886c0f06acd2663416f929b07f185d728bf67abd8424e273dcfddb50
-
SHA512
ca78e9868a6234b3ba1d178e45d879b18fb26052ad228a18e6a97002cfcd3b048f30f7993331ecd55705eedbd2c96ad866970759686b8d78fbe07b0791869ab5
-
SSDEEP
1536:TA31uITEB3OxdafOgzS8Wk5VSqm9fe8mn9NdZ66GV8WDF4dhyW0MUwtHR/9HRgwr:TC12+r9mSLkyd92cD6jCMZ9tDPt1
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 4836 fabyope.exe -
Drops file in Program Files directory 1 IoCs
description ioc Process File created C:\PROGRA~3\Mozilla\fabyope.exe 403daa39886c0f06acd2663416f929b07f185d728bf67abd8424e273dcfddb50.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4708 4836 WerFault.exe 81 -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 4836 fabyope.exe 4836 fabyope.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 4836 fabyope.exe -
Suspicious use of WriteProcessMemory 1 IoCs
description pid Process procid_target PID 4836 wrote to memory of 2576 4836 fabyope.exe 44
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:2576
-
C:\Users\Admin\AppData\Local\Temp\403daa39886c0f06acd2663416f929b07f185d728bf67abd8424e273dcfddb50.exe"C:\Users\Admin\AppData\Local\Temp\403daa39886c0f06acd2663416f929b07f185d728bf67abd8424e273dcfddb50.exe"2⤵
- Drops file in Program Files directory
PID:4984
-
-
C:\PROGRA~3\Mozilla\fabyope.exeC:\PROGRA~3\Mozilla\fabyope.exe -pbtetmh1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4836 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4836 -s 5562⤵
- Program crash
PID:4708
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 180 -p 4836 -ip 48361⤵PID:1080
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
171KB
MD5c5f2bdd3caa57a603368a962b1cafcd9
SHA1a90d08368a23f083f358bd4715f10496df0204ae
SHA256def8819ac0b0c972eb45f162b2a4d66a9e6ff2afad27e5957331b43f64ced3f3
SHA512b982fb18a008de56d9661bd30544e3827e6af0162c339f24d9c705a1e3ed6e52b53f7c4a9587af28f1d0e7f29402c249efd1bb296ab5aaa952d487c7506a625c
-
Filesize
171KB
MD5c5f2bdd3caa57a603368a962b1cafcd9
SHA1a90d08368a23f083f358bd4715f10496df0204ae
SHA256def8819ac0b0c972eb45f162b2a4d66a9e6ff2afad27e5957331b43f64ced3f3
SHA512b982fb18a008de56d9661bd30544e3827e6af0162c339f24d9c705a1e3ed6e52b53f7c4a9587af28f1d0e7f29402c249efd1bb296ab5aaa952d487c7506a625c