Analysis
- max time kernel: 194s
- max time network: 224s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01/12/2022, 05:41
Tasks
- Static task: static1
- Behavioral task: behavioral1 (sample 3ab8de692508d38862911456e4fca5cca2e70f07679070199498295ca957e334.exe, resource win7-20221111-en)
- Behavioral task: behavioral2 (sample 3ab8de692508d38862911456e4fca5cca2e70f07679070199498295ca957e334.exe, resource win10v2004-20221111-en)
The analysis details on this page (platform windows10-2004_x64, resource win10v2004-20221111-en) are from the behavioral2 run.
General
- Target: 3ab8de692508d38862911456e4fca5cca2e70f07679070199498295ca957e334.exe
- Size: 132KB
- MD5: 29e56290b671dc623d223ff0473dfa90
- SHA1: e0a5553a01d4ca86f6bc307065b791429fdd7d57
- SHA256: 3ab8de692508d38862911456e4fca5cca2e70f07679070199498295ca957e334
- SHA512: 79c0632b5b2846f220ee137278a8406bf7cd7880cd548cf000f9089a2255ef0937a6924efd4db6522dfd19df2fcd74bba389b108e9a38389135bc2db0afed63e
- SSDEEP: 1536:AcNs9OIbKQ7usjxpM4Is5ctj4AN/r4TJHpL016gIZkuGtiJPpK+WN/F+/YAPd2xU:JA3bL1I6ctj4Ys216ysLKnNdc22P
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  - PID 560: taskhost.exe
  - PID 660: taskhost.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  - Key created: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (process: 3ab8de692508d38862911456e4fca5cca2e70f07679070199498295ca957e334.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Taskhost = "C:\Users\Admin\AppData\Roaming\taskhost.exe" (process: 3ab8de692508d38862911456e4fca5cca2e70f07679070199498295ca957e334.exe)
- Suspicious use of SetThreadContext (2 IoCs)
  - PID 1340 (3ab8de692508d38862911456e4fca5cca2e70f07679070199498295ca957e334.exe) set thread context of PID 2232 (procid_target 83)
  - PID 560 (taskhost.exe) set thread context of PID 660 (procid_target 87)
- Program crash (3 IoCs)
  - WerFault.exe PID 3660 handled a crash of PID 1340 (procid_target 82)
  - WerFault.exe PID 1932 handled a crash of PID 1340 (procid_target 82)
  - WerFault.exe PID 3864 handled a crash of PID 560 (procid_target 86)
- Suspicious use of WriteProcessMemory (16 IoCs; identical rows grouped with a count)
  - PID 1340 (3ab8de692508d38862911456e4fca5cca2e70f07679070199498295ca957e334.exe) wrote to memory of PID 2232 (procid_target 83): 5 events
  - PID 2232 (3ab8de692508d38862911456e4fca5cca2e70f07679070199498295ca957e334.exe) wrote to memory of PID 560 (procid_target 86): 3 events
  - PID 560 (taskhost.exe) wrote to memory of PID 660 (procid_target 87): 5 events
  - PID 1340 (3ab8de692508d38862911456e4fca5cca2e70f07679070199498295ca957e334.exe) wrote to memory of PID 3660 (procid_target 89): 3 events
Read together, the rows show one chain: the sample (PID 1340) starts a second copy of itself (PID 2232), writes into it and replaces its thread context; that copy drops taskhost.exe into %APPDATA%\Roaming, registers it under the user's Run key as "Taskhost", and starts it (PID 560); taskhost.exe then repeats the same write-and-set-context step on its own child (PID 660). The writes from PID 1340 to PID 3660 are to the WerFault.exe instance reporting its crash, not to a target of injection.
Processes (parent/child tree; indentation shows depth)
- PID 1340: "C:\Users\Admin\AppData\Local\Temp\3ab8de692508d38862911456e4fca5cca2e70f07679070199498295ca957e334.exe"
  signatures: Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - PID 2232: C:\Users\Admin\AppData\Local\Temp\3ab8de692508d38862911456e4fca5cca2e70f07679070199498295ca957e334.exe
    signatures: Adds Run key to start application; Suspicious use of WriteProcessMemory
    - PID 560: C:\Users\Admin\AppData\Roaming\taskhost.exe
      signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
      - PID 660: C:\Users\Admin\AppData\Roaming\taskhost.exe
        signatures: Executes dropped EXE
      - PID 3864: C:\Windows\SysWOW64\WerFault.exe -u -p 560 -s 292
        signatures: Program crash
  - PID 3660: C:\Windows\SysWOW64\WerFault.exe -u -p 1340 -s 276
    signatures: Program crash
  - PID 1932: C:\Windows\SysWOW64\WerFault.exe -u -p 1340 -s 276
    signatures: Program crash
- PID 4464: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1340 -ip 1340
- PID 2736: C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 560 -ip 560
WerFault.exe is launched from SysWOW64, consistent with the sample being a 32-bit (x86) executable running under WoW64 on the x64 image (see the arch:x86 resource tag).
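The signature rows and the process tree above contain enough structure to reconstruct the injection chain and the persistence IoC mechanically rather than by eye. The following is an added example (not code from the Triage report or its tooling): it re-types the report's SetThreadContext, WriteProcessMemory and Run key rows as constructed input, pairs every write-to-memory with a set-thread-context on the same (source, target) pair, and separates those from write-only pairs such as a parent writing to a child it just created or to its WerFault reporter. The `PID <src> <verb> <dst>` line layout it parses, the `PROCESS_IMAGE` map (copied from the process tree) and the `is_user_writable` heuristic are assumptions of this example, not a Triage API.

```python
"""Reconstruct the injection chain and persistence IoC from the behavioural
events in a Triage-style report.

Added example, not part of the sandbox report: the event strings are
constructed by hand from the report's signature rows, and the
"PID <src> <verb> <dst>" layout parsed here is an assumption about that
report's text, not a Triage API.
"""
import re

SAMPLE = "3ab8de692508d38862911456e4fca5cca2e70f07679070199498295ca957e334.exe"

# PID -> image name, copied from the report's process tree.
PROCESS_IMAGE = {
    1340: SAMPLE, 2232: SAMPLE,
    560: "taskhost.exe", 660: "taskhost.exe",
    3660: "WerFault.exe", 1932: "WerFault.exe", 3864: "WerFault.exe",
}

# Constructed sample input: one line per event in the report's row layout.
# Repeated WriteProcessMemory rows are collapsed; the detection keys on the
# (source, target) pair, not on the call count.
EVENTS = f"""
PID 1340 set thread context of 2232 1340 {SAMPLE} 83
PID 560 set thread context of 660 560 taskhost.exe 87
PID 1340 wrote to memory of 2232 1340 {SAMPLE} 83
PID 2232 wrote to memory of 560 2232 {SAMPLE} 86
PID 560 wrote to memory of 660 560 taskhost.exe 87
PID 1340 wrote to memory of 3660 1340 {SAMPLE} 89
Set value (str) \\REGISTRY\\USER\\S-1-5-21-4246620582-653642754-1174164128-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Taskhost = "C:\\Users\\Admin\\AppData\\Roaming\\taskhost.exe" {SAMPLE}
""".strip().splitlines()

CTX_RE = re.compile(r"^PID (\d+) set thread context of (\d+)")
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+)")
RUN_RE = re.compile(r'\\CurrentVersion\\Run\\(\w+) = "([^"]+)"')


def is_user_writable(path):
    """Heuristic (assumption of this example): True for locations a
    non-admin user can write to. A Run value pointing into the user profile
    under a name borrowed from a system binary (the real taskhost.exe lives
    under %SystemRoot%) is the usual shape of user-level persistence."""
    p = path.lower()
    return p.startswith("c:\\users\\") and ("\\appdata\\" in p or "\\temp\\" in p)


def analyse(events, images):
    ctx, wrote, run_values = set(), set(), []
    for line in events:
        if m := CTX_RE.match(line):
            ctx.add((int(m[1]), int(m[2])))
        elif m := WPM_RE.match(line):
            wrote.add((int(m[1]), int(m[2])))
        elif m := RUN_RE.search(line):
            run_values.append((m[1], m[2], is_user_writable(m[2])))

    # Injection / hollowing: the same process both rewrote a target's memory
    # and replaced its thread context. A parent writing to a child it just
    # created (2232 -> 560) or to its WerFault reporter (1340 -> 3660) does
    # WriteProcessMemory without SetThreadContext and stays in write_only.
    hollowing = [
        {"src": src, "dst": dst, "image": images.get(dst, "?"),
         "self_image": images.get(src) == images.get(dst)}
        for src, dst in sorted(ctx & wrote)
    ]
    return {
        "hollowing": hollowing,
        "write_only": sorted(wrote - ctx),
        "persistence": run_values,
    }


if __name__ == "__main__":
    result = analyse(EVENTS, PROCESS_IMAGE)
    for h in result["hollowing"]:
        print(f"injection: {h['src']} -> {h['dst']} ({h['image']}, "
              f"same image as source: {h['self_image']})")
    for src, dst in result["write_only"]:
        print(f"write only (not flagged): {src} -> {dst}")
    for name, path, writable in result["persistence"]:
        print(f"persistence: Run\\{name} = {path} (user-writable: {writable})")
```

Both flagged links are self-image (a process rewriting a suspended copy of its own executable), which is the distinguishing feature here: the WriteProcessMemory count alone would also have flagged the harmless writes to WerFault.exe.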
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 132KB
  MD5: 6cbb07d9917c361003f2bb23608f8dde
  SHA1: cbae96e139824c80ebc7baf2a9b40795547c93f8
  SHA256: 3de084b1ede7d9d491797db41086d29072d15ca3700e7fa156d40247eb59d226
  SHA512: 99f2c88934204cd6d791f198709f4e3ab11a421e0a4b7e6364a03d2fcab021a5e63424000ba72525e9878ab5df73be3734bf0814002f2fdfd174d16d44ebbbec
This dropped file is the same size as the submitted sample (132KB) but hashes differently. The report does not name its path; the only dropped executable in the process tree is C:\Users\Admin\AppData\Roaming\taskhost.exe.