Analysis
  max time kernel: 148s
  max time network: 152s
  platform: windows10-2004_x64
  resource: win10v2004-20220812-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 01/12/2022, 01:42 (1 December 2022)
Static task: static1

Behavioral task: behavioral1
  Sample: 8ba6b9b6bc6277f16949fa459f0bf14c47cd06a010e7d6e14475b2bed72934f2.exe
  Resource: win7-20221111-en

Behavioral task: behavioral2
  Sample: 8ba6b9b6bc6277f16949fa459f0bf14c47cd06a010e7d6e14475b2bed72934f2.exe
  Resource: win10v2004-20220812-en
General
  Target: 8ba6b9b6bc6277f16949fa459f0bf14c47cd06a010e7d6e14475b2bed72934f2.exe
  Size: 128KB
  MD5: 1708c230ab221fef8f842b53e5a9fd20
  SHA1: b49e644583aa9af32ed422bc654757fcb9e85d8a
  SHA256: 8ba6b9b6bc6277f16949fa459f0bf14c47cd06a010e7d6e14475b2bed72934f2
  SHA512: 0ba5744723ef4083289fd644411bb6013ec90588a65de5427843599519a56063125561aa6143353710d388890c88e941179b5b7995773ec831a6c951dd5f5e71
  SSDEEP: 3072:hY9bqA/ftBUB6fNZLOjleIlWeVC+wdOGoOyWl:MbqqUYNZLOjlxVhwSOyY
Malware Config
Signatures

Executes dropped EXE (2 IoCs)
  pid   Process
  2072  taskhost.exe
  220   taskhost.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  Key created:     \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
                   (process: 8ba6b9b6bc6277f16949fa459f0bf14c47cd06a010e7d6e14475b2bed72934f2.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Taskhost = "C:\\Users\\Admin\\AppData\\Roaming\\taskhost.exe"
                   (process: 8ba6b9b6bc6277f16949fa459f0bf14c47cd06a010e7d6e14475b2bed72934f2.exe)

Suspicious use of SetThreadContext (2 IoCs)
  pid   Process                                                                   pid_target  procid_target
  1376  8ba6b9b6bc6277f16949fa459f0bf14c47cd06a010e7d6e14475b2bed72934f2.exe  4884        80
  2072  taskhost.exe                                                              220         84

Program crash (4 IoCs)
  pid   pid_target  Process       procid_target
  3152  1376        WerFault.exe  79
  4468  2072        WerFault.exe  83
  4100  2072        WerFault.exe  83
  1872  1376        WerFault.exe  79

Suspicious use of WriteProcessMemory (19 IoCs, grouped by source and target; count = number of identical rows)
  pid   Process                                                                   pid_target  procid_target  count
  1376  8ba6b9b6bc6277f16949fa459f0bf14c47cd06a010e7d6e14475b2bed72934f2.exe  4884        80             5
  4884  8ba6b9b6bc6277f16949fa459f0bf14c47cd06a010e7d6e14475b2bed72934f2.exe  2072        83             3
  2072  taskhost.exe                                                              220         84             5
  1376  8ba6b9b6bc6277f16949fa459f0bf14c47cd06a010e7d6e14475b2bed72934f2.exe  3152        86             3
  2072  taskhost.exe                                                              4468        87             3
  Note: the writes into 3152 and 4468 target the WerFault.exe instances that 1376 and 2072 spawned to report their own crashes (see the Processes tree); they coincide with creating those children rather than with the injection into 4884 and 220.
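Read together, the rows above describe one chain twice: a process writes into a freshly started child that runs its own image and then calls SetThreadContext on it (the RunPE / process-hollowing pattern), the hollowed copy writes a Run value pointing at %APPDATA%\taskhost.exe, and the dropped taskhost.exe repeats the hollowing on its own child. The following is an added example, not part of the Triage report or of Triage's own tooling, that parses those signature rows into a small injection graph and checks the persistence path against the dropped executable. The PID-to-image table, the event rows and the Run-key row are transcribed from this page (constructed test data); the regular expressions, the `self_hollow` heuristic and every function name are this example's own assumptions.

```python
import re
from collections import defaultdict

# ---- Sample input, transcribed from this report (constructed test data) -----
SAMPLE = "8ba6b9b6bc6277f16949fa459f0bf14c47cd06a010e7d6e14475b2bed72934f2.exe"

# pid -> image path, from the Processes tree
PROCESSES = {
    1376: "C:\\Users\\Admin\\AppData\\Local\\Temp\\" + SAMPLE,
    4884: "C:\\Users\\Admin\\AppData\\Local\\Temp\\" + SAMPLE,
    2072: "C:\\Users\\Admin\\AppData\\Roaming\\taskhost.exe",
    220:  "C:\\Users\\Admin\\AppData\\Roaming\\taskhost.exe",
    3152: "C:\\Windows\\SysWOW64\\WerFault.exe",
    4468: "C:\\Windows\\SysWOW64\\WerFault.exe",
}
DROPPED_PIDS = {2072, 220}          # the "Executes dropped EXE" rows

# (IoC row as printed in the report, number of times it is listed)
RAW_EVENTS = [
    ("PID 1376 wrote to memory of 4884 1376 %s 80" % SAMPLE, 5),
    ("PID 4884 wrote to memory of 2072 4884 %s 83" % SAMPLE, 3),
    ("PID 2072 wrote to memory of 220 2072 taskhost.exe 84", 5),
    ("PID 1376 wrote to memory of 3152 1376 %s 86" % SAMPLE, 3),
    ("PID 2072 wrote to memory of 4468 2072 taskhost.exe 87", 3),
    ("PID 1376 set thread context of 4884 1376 %s 80" % SAMPLE, 1),
    ("PID 2072 set thread context of 220 2072 taskhost.exe 84", 1),
]
EVENTS = [row for row, n in RAW_EVENTS for _ in range(n)]

RUN_KEY_ROW = (
    r"Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000"
    r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Taskhost = "
    r'"C:\\Users\\Admin\\AppData\\Roaming\\taskhost.exe" ' + SAMPLE
)

# ---- Parsing helpers (this example's own, not Triage's) ---------------------
EVENT_RE = re.compile(
    r"PID (?P<src>\d+) (?P<verb>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) (?P=src) (?P<image>\S+) (?P<target_idx>\d+)$"
)
RUN_RE = re.compile(
    r"Set value \(str\) (?P<key>\\REGISTRY\\USER\\S-1-5-[\d-]+"
    r"\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run)"
    r'\\(?P<name>\S+) = "(?P<value>[^"]*)" (?P<process>\S+)$'
)


def parse_events(rows):
    """Return ({(src, dst): write count}, {(src, dst) pairs with SetThreadContext})."""
    writes, ctx = defaultdict(int), set()
    for row in rows:
        m = EVENT_RE.match(row)
        if m is None:
            raise ValueError("unrecognised IoC row: %r" % row)
        pair = (int(m["src"]), int(m["dst"]))
        if m["verb"].startswith("wrote"):
            writes[pair] += 1
        else:
            ctx.add(pair)
    return dict(writes), ctx


def find_hollowing(writes, ctx, processes):
    """Pairs where src wrote into dst *and* reset a thread context in it.
    When dst runs the same image as src this is the RunPE / process-hollowing
    pattern: start a suspended copy of yourself, overwrite it with the unpacked
    payload, point the main thread at the new entry point and resume it."""
    findings = []
    for src, dst in sorted(ctx):
        if not writes.get((src, dst)):
            continue
        findings.append({
            "src": src, "dst": dst, "writes": writes[(src, dst)],
            "self_hollow": processes.get(src) == processes.get(dst),
        })
    return findings


def werfault_write_targets(writes, processes):
    """Write targets that are WerFault.exe children. The report shows 1376 and
    2072 spawning WerFault.exe to report their own crashes; writes into those
    children accompany their creation, so a rule should not score them as
    injection the way it scores the writes into 4884 and 220."""
    return sorted(dst for (_, dst) in writes
                  if processes.get(dst, "").lower().endswith("\\werfault.exe"))


def parse_run_key(row):
    """Extract value name, target path and writing process from a Run-key row."""
    m = RUN_RE.match(row)
    if m is None:
        raise ValueError("not a Run-key IoC row")
    return {"name": m["name"],
            "path": m["value"].replace("\\\\", "\\"),  # undo the report's escaping
            "process": m["process"]}


def persistence_points_at_dropped_exe(run_key, processes, dropped_pids):
    """True when the Run value launches the image of a 'dropped EXE' process."""
    return any(processes[p].lower() == run_key["path"].lower() for p in dropped_pids)


def summarize():
    writes, ctx = parse_events(EVENTS)
    run_key = parse_run_key(RUN_KEY_ROW)
    return {
        "write_calls": sum(writes.values()),
        "hollowing": find_hollowing(writes, ctx, PROCESSES),
        "werfault_targets": werfault_write_targets(writes, PROCESSES),
        "run_key": run_key,
        "persists_dropped_exe": persistence_points_at_dropped_exe(run_key, PROCESSES, DROPPED_PIDS),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(), indent=2))
```

Run stand-alone it prints the two hollowing pairs (1376 into 4884, 2072 into 220, both flagged `self_hollow`), the two WerFault.exe write targets to discount, and confirms that the `Taskhost` Run value resolves to the image of the processes the report flagged as a dropped EXE. The same parser can be pointed at the IoC rows of any other Triage report in this layout; the `self_hollow` check is deliberately strict (identical image path) so that a legitimate parent writing into a differently named child is not flagged by it.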
Processes

C:\Users\Admin\AppData\Local\Temp\8ba6b9b6bc6277f16949fa459f0bf14c47cd06a010e7d6e14475b2bed72934f2.exe  (PID 1376)
  command line: "C:\Users\Admin\AppData\Local\Temp\8ba6b9b6bc6277f16949fa459f0bf14c47cd06a010e7d6e14475b2bed72934f2.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  |
  +-- C:\Users\Admin\AppData\Local\Temp\8ba6b9b6bc6277f16949fa459f0bf14c47cd06a010e7d6e14475b2bed72934f2.exe  (PID 4884)
  |     command line: C:\Users\Admin\AppData\Local\Temp\8ba6b9b6bc6277f16949fa459f0bf14c47cd06a010e7d6e14475b2bed72934f2.exe
  |     - Adds Run key to start application
  |     - Suspicious use of WriteProcessMemory
  |     |
  |     +-- C:\Users\Admin\AppData\Roaming\taskhost.exe  (PID 2072)
  |           command line: C:\Users\Admin\AppData\Roaming\taskhost.exe
  |           - Executes dropped EXE
  |           - Suspicious use of SetThreadContext
  |           - Suspicious use of WriteProcessMemory
  |           |
  |           +-- C:\Users\Admin\AppData\Roaming\taskhost.exe  (PID 220)
  |           |     command line: C:\Users\Admin\AppData\Roaming\taskhost.exe
  |           |     - Executes dropped EXE
  |           |
  |           +-- C:\Windows\SysWOW64\WerFault.exe  (PID 4468)
  |           |     command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2072 -s 256
  |           |     - Program crash
  |           |
  |           +-- C:\Windows\SysWOW64\WerFault.exe  (PID 4100)
  |                 command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2072 -s 256
  |                 - Program crash
  |
  +-- C:\Windows\SysWOW64\WerFault.exe  (PID 3152)
  |     command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1376 -s 256
  |     - Program crash
  |
  +-- C:\Windows\SysWOW64\WerFault.exe  (PID 1872)
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1376 -s 256
        - Program crash

C:\Windows\SysWOW64\WerFault.exe  (PID 4880)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1376 -ip 1376

C:\Windows\SysWOW64\WerFault.exe  (PID 228)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2072 -ip 2072
Network
MITRE ATT&CK Enterprise v6
Downloads

  Filesize: 128KB
  MD5: 4a32f8856300a0a28dec057565bb60c0
  SHA1: 834da3b8e7a8000100baaa6ae44434d573e275ad
  SHA256: 98a009a37f31068c00179667bbc0f6f4dd0350252de87866ac6cb1c742089682
  SHA512: 2c59846364db8f00451e4a9b25ab06ab5e762230ad1204ae181db6203c360e3eb43be96b495412baf35a5dec6e3321fd208a2e3adf32867e34b478560eace220

  Note: the dropped file is the same size as the submitted sample (128KB) but every hash differs from the sample's (MD5 1708c230ab221fef8f842b53e5a9fd20), so it is a modified copy rather than a byte-identical one; match it on its own hashes, not the sample's.