Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
02/11/2022, 17:53
Static task
static1
Behavioral task
behavioral1
Sample
FH.lnk
Resource
win7-20220901-en
windows7-x64
Behavioral task
behavioral2
Sample
FH.lnk
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
chastened/imploded.cmd
Resource
win7-20220901-en
windows7-x64
Behavioral task
behavioral4
Sample
chastened/imploded.cmd
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
chastened/misguide.dll
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral6
Sample
chastened/misguide.dll
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
chastened/unlaundered.bat
Resource
win7-20220901-en
windows7-x64
Behavioral task
behavioral8
Sample
chastened/unlaundered.bat
Resource
win10v2004-20220812-en
windows10-2004-x64
General
-
Target
chastened/misguide.dll
-
Size
347KB
-
MD5
34bbb09aaaf3ab8ecfce01ebc66778c6
-
SHA1
019d75e7bd16d009c9831edfdf15aa8ac9606426
-
SHA256
0a987565d6217b3602c32a4edb56889b4837232a90aa3568063e911ebcb86089
-
SHA512
f724c557e397b66c63b22cc0fbba57a0773c05a0c4d3492299f455bd5f4843e2b6df5d5cbdcd17e1e672d674eda17797a3f14efecb34caf2bf3ba97e5b2617a4
-
SSDEEP
6144:90kc/Pk5/zMNl5VcDQg2Vn9FJzV0hNy/KKfZytKjiQwWsjQo/eWP/qhX7fdIU:903/c/zMdANsn9HzHrx3zsNmA/qN2U
Malware Config
Signatures
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3300 regsvr32.exe 3300 regsvr32.exe 1868 wermgr.exe 1868 wermgr.exe 1868 wermgr.exe 1868 wermgr.exe 1868 wermgr.exe 1868 wermgr.exe 1868 wermgr.exe 1868 wermgr.exe 1868 wermgr.exe 1868 wermgr.exe 1868 wermgr.exe 1868 wermgr.exe 1868 wermgr.exe 1868 wermgr.exe 1868 wermgr.exe 1868 wermgr.exe 1868 wermgr.exe 1868 wermgr.exe 1868 wermgr.exe 1868 wermgr.exe 1868 wermgr.exe 1868 wermgr.exe 1868 wermgr.exe 1868 wermgr.exe 1868 wermgr.exe 1868 wermgr.exe 1868 wermgr.exe 1868 wermgr.exe 1868 wermgr.exe 1868 wermgr.exe 1868 wermgr.exe 1868 wermgr.exe 1868 wermgr.exe 1868 wermgr.exe 1868 wermgr.exe 1868 wermgr.exe 1868 wermgr.exe 1868 wermgr.exe 1868 wermgr.exe 1868 wermgr.exe 1868 wermgr.exe 1868 wermgr.exe 1868 wermgr.exe 1868 wermgr.exe 1868 wermgr.exe 1868 wermgr.exe 1868 wermgr.exe 1868 wermgr.exe 1868 wermgr.exe 1868 wermgr.exe 1868 wermgr.exe 1868 wermgr.exe 1868 wermgr.exe 1868 wermgr.exe 1868 wermgr.exe 1868 wermgr.exe 1868 wermgr.exe 1868 wermgr.exe 1868 wermgr.exe 1868 wermgr.exe 1868 wermgr.exe 1868 wermgr.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 3300 regsvr32.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 3140 wrote to memory of 3300 3140 regsvr32.exe 79 PID 3140 wrote to memory of 3300 3140 regsvr32.exe 79 PID 3140 wrote to memory of 3300 3140 regsvr32.exe 79 PID 3300 wrote to memory of 1868 3300 regsvr32.exe 80 PID 3300 wrote to memory of 1868 3300 regsvr32.exe 80 PID 3300 wrote to memory of 1868 3300 regsvr32.exe 80 PID 3300 wrote to memory of 1868 3300 regsvr32.exe 80 PID 3300 wrote to memory of 1868 3300 regsvr32.exe 80
Processes
-
C:\Windows\system32\regsvr32.exeregsvr32 /s C:\Users\Admin\AppData\Local\Temp\chastened\misguide.dll1⤵
- Suspicious use of WriteProcessMemory
PID:3140 -
C:\Windows\SysWOW64\regsvr32.exe/s C:\Users\Admin\AppData\Local\Temp\chastened\misguide.dll2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3300 -
C:\Windows\SysWOW64\wermgr.exeC:\Windows\SysWOW64\wermgr.exe3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1868
-
-