Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 285s
max time network: 360s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01/12/2022, 13:01
Static task: static1
Behavioral task: behavioral1
  Sample: f64d0482424e9dda37b1c97ce928a6172d6fc1578e93fb2d087522ffa04f913d.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: f64d0482424e9dda37b1c97ce928a6172d6fc1578e93fb2d087522ffa04f913d.exe
  Resource: win10v2004-20221111-en
General
Target: f64d0482424e9dda37b1c97ce928a6172d6fc1578e93fb2d087522ffa04f913d.exe
Size: 196KB
MD5: 8a949c1092c8918674dc21cb1b513627
SHA1: a2f59314403efab64aba3e194621987f32e00f1f
SHA256: f64d0482424e9dda37b1c97ce928a6172d6fc1578e93fb2d087522ffa04f913d
SHA512: 954c0eeb69fd57903f122d357c3edeac9b96d5038a04e629283e57d141787c7f38bc1d3348e5c8568f45a3cbfc0769a5a575ba2ff05f78b0f17ce847695a0385
SSDEEP: 6144:WjbeijyYeOWy5hEaIoW4VbS4osHwwyI4Tb:WuaiOWysahW2exsDnKb
Malware Config
Signatures

Executes dropped EXE (1 IoC)
  pid: 4496  Process: is155083.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  description: Key created
  ioc: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
  Process: f64d0482424e9dda37b1c97ce928a6172d6fc1578e93fb2d087522ffa04f913d.exe

  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
  Process: f64d0482424e9dda37b1c97ce928a6172d6fc1578e93fb2d087522ffa04f913d.exe

Program crash (1 IoC)
  pid: 4832  pid_target: 4496  Process: WerFault.exe  procid_target: 82

Suspicious use of WriteProcessMemory (6 IoCs)
  description: PID 4376 wrote to memory of 4496  pid: 4376  Process: f64d0482424e9dda37b1c97ce928a6172d6fc1578e93fb2d087522ffa04f913d.exe  procid_target: 82  (reported 3 times)
  description: PID 4496 wrote to memory of 4832  pid: 4496  Process: is155083.exe  procid_target: 85  (reported 3 times)
Processes

1. C:\Users\Admin\AppData\Local\Temp\f64d0482424e9dda37b1c97ce928a6172d6fc1578e93fb2d087522ffa04f913d.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\f64d0482424e9dda37b1c97ce928a6172d6fc1578e93fb2d087522ffa04f913d.exe"
   PID: 4376
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\is155083.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\is155083.exe
      PID: 4496
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\WerFault.exe
         command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 544
         PID: 4832
         - Program crash

1. C:\Windows\SysWOW64\WerFault.exe
   command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4496 -ip 4496
   PID: 3088
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 93KB
MD5: 72a4c190c6b2de93db0d597fc6286747
SHA1: 33c88dd25b1d941bed74d564fa33d2390d45a275
SHA256: 4d8fe569b48e3c076bf13e719a2cb34a6768a40f0628fd6404fb5ef8d672faba
SHA512: 62daa09f9bafa769267629cf5399ad4a6f3a6a97a883f9f8145258157d4cbaba4c03aa4ea10583e22fadd11b3a2b6f3b41bc9628db44c4cc9582f5e463b9bc24