Analysis
- max time kernel: 182s
- max time network: 210s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29/11/2022, 14:19
Static task: static1
Behavioral task: behavioral1
- Sample: 51e3964a256a56b3bde6d1089d23e64da698dece292d18f007cb9c840b6f57fb.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: 51e3964a256a56b3bde6d1089d23e64da698dece292d18f007cb9c840b6f57fb.exe
- Resource: win10v2004-20221111-en
General
- Target: 51e3964a256a56b3bde6d1089d23e64da698dece292d18f007cb9c840b6f57fb.exe
- Size: 96KB
- MD5: 38d3d60dd60f03bf35c59ae266b60000
- SHA1: 9a18b3d2cae630ff28759f68904b3ed21bf7312e
- SHA256: 51e3964a256a56b3bde6d1089d23e64da698dece292d18f007cb9c840b6f57fb
- SHA512: 46783358d8ec77ddea3e50cf489b7ec85aceb7f30c2cb1587d1ebf87a65be7737181e9cbeff0e018ec4e5d18e95f7783b7095c84f93b33743d686fdaf71225f1
- SSDEEP: 1536:y8fGHUrKRtrhcamH7XVkEmiSngrR92SjuJ7cPcj3CnisY3A2ro4dxti/:jGH2KRXc3blXmtnitjuJG6SisYQT4b4/
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  pid   Process
  3400  taskhost.exe
  3688  taskhost.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description: Key created
  ioc: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  Process: 51e3964a256a56b3bde6d1089d23e64da698dece292d18f007cb9c840b6f57fb.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Taskhost = "C:\\Users\\Admin\\AppData\\Roaming\\taskhost.exe"
  Process: 51e3964a256a56b3bde6d1089d23e64da698dece292d18f007cb9c840b6f57fb.exe
- Suspicious use of SetThreadContext (2 IoCs)
  description                          pid   Process                                                                   procid_target
  PID 4124 set thread context of 3880  4124  51e3964a256a56b3bde6d1089d23e64da698dece292d18f007cb9c840b6f57fb.exe  82
  PID 3400 set thread context of 3688  3400  taskhost.exe                                                              86
- Program crash (2 IoCs)
  pid   pid_target  Process       procid_target
  3164  3400        WerFault.exe  85
  1652  4124        WerFault.exe  81
- Suspicious use of WriteProcessMemory (13 IoCs; identical rows collapsed, count given in the last column)
  description                       pid   Process                                                                   procid_target  rows
  PID 4124 wrote to memory of 3880  4124  51e3964a256a56b3bde6d1089d23e64da698dece292d18f007cb9c840b6f57fb.exe  82             5
  PID 3880 wrote to memory of 3400  3880  51e3964a256a56b3bde6d1089d23e64da698dece292d18f007cb9c840b6f57fb.exe  85             3
  PID 3400 wrote to memory of 3688  3400  taskhost.exe                                                              86             5
Processes (indentation shows parent/child depth)
- [1] C:\Users\Admin\AppData\Local\Temp\51e3964a256a56b3bde6d1089d23e64da698dece292d18f007cb9c840b6f57fb.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\51e3964a256a56b3bde6d1089d23e64da698dece292d18f007cb9c840b6f57fb.exe"
      PID: 4124
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
    - [2] C:\Users\Admin\AppData\Local\Temp\51e3964a256a56b3bde6d1089d23e64da698dece292d18f007cb9c840b6f57fb.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\51e3964a256a56b3bde6d1089d23e64da698dece292d18f007cb9c840b6f57fb.exe
          PID: 3880
          - Adds Run key to start application
          - Suspicious use of WriteProcessMemory
        - [3] C:\Users\Admin\AppData\Roaming\taskhost.exe
              Command line: C:\Users\Admin\AppData\Roaming\taskhost.exe
              PID: 3400
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - Suspicious use of WriteProcessMemory
            - [4] C:\Users\Admin\AppData\Roaming\taskhost.exe
                  Command line: C:\Users\Admin\AppData\Roaming\taskhost.exe
                  PID: 3688
                  - Executes dropped EXE
            - [4] C:\Windows\SysWOW64\WerFault.exe
                  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3400 -s 296
                  PID: 3164
                  - Program crash
    - [2] C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4124 -s 308
          PID: 1652
          - Program crash
- [1] C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4124 -ip 4124
      PID: 3604
- [1] C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3400 -ip 3400
      PID: 3716
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 96KB
  MD5: 5ab354760105e5cb6f192f3096b4e204
  SHA1: 3b9e57bfe2d9306f08fce510cd65b464fcf0a98e
  SHA256: 37edd34c48f796540d10f55ad757ad89286d6263a87397c4ddd088eb4fe4eda8
  SHA512: a1b0529633f2ec6a35ee0e18b5502f5c61f834b8fa9c19fcaee37f4689202556523e984e325128e5927c87170053eb1afb4352902d53cc9297c63da2c57d19b8