Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 317s
max time network: 393s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/12/2022, 21:29
Static task: static1
Behavioral task: behavioral1
  Sample: 7439111fa238df419733904ed63fb0eca88347694a1fba69506a3f574fdaf466.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: 7439111fa238df419733904ed63fb0eca88347694a1fba69506a3f574fdaf466.exe
  Resource: win10v2004-20221111-en
General
Target: 7439111fa238df419733904ed63fb0eca88347694a1fba69506a3f574fdaf466.exe
Size: 104KB
MD5: f3d818b61c4bfef75ca22e0efe5c6043
SHA1: f6a63d40b6f34a75fe563fed8261b9ce6b2ce515
SHA256: 7439111fa238df419733904ed63fb0eca88347694a1fba69506a3f574fdaf466
SHA512: b3c261816c8c93da4e310bcd432e0b86678e6a293318e77ef689662eb9f4a26e68337672ce185dcd6783091e48354124121508710e26cc9790e9808eda8b4a5e
SSDEEP: 1536:oOT48hGDRLT8ZJYfZ2PwXGvVh1FbZUODWe3mTU7j:PT48CtT+J0APwXGvVh1vUOCkmTU7j
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  pid: 1292  Process: tmp.tmp.tmp1
Drops file in Windows directory (1 IoC)
  description: File opened for modification  ioc: C:\Windows\tmp.tmp.tmp1  Process: 7439111fa238df419733904ed63fb0eca88347694a1fba69506a3f574fdaf466.exe
Program crash (1 IoC)
  pid: 1524  pid_target: 1292  Process: WerFault.exe  procid_target: 82
Suspicious use of SetWindowsHookEx (1 IoC)
  pid: 4360  Process: 7439111fa238df419733904ed63fb0eca88347694a1fba69506a3f574fdaf466.exe
Suspicious use of WriteProcessMemory (6 IoCs)
  description: PID 4360 wrote to memory of 1292  pid: 4360  Process: 7439111fa238df419733904ed63fb0eca88347694a1fba69506a3f574fdaf466.exe  procid_target: 82
  description: PID 4360 wrote to memory of 1292  pid: 4360  Process: 7439111fa238df419733904ed63fb0eca88347694a1fba69506a3f574fdaf466.exe  procid_target: 82
  description: PID 4360 wrote to memory of 1292  pid: 4360  Process: 7439111fa238df419733904ed63fb0eca88347694a1fba69506a3f574fdaf466.exe  procid_target: 82
  description: PID 1292 wrote to memory of 1524  pid: 1292  Process: tmp.tmp.tmp1  procid_target: 85
  description: PID 1292 wrote to memory of 1524  pid: 1292  Process: tmp.tmp.tmp1  procid_target: 85
  description: PID 1292 wrote to memory of 1524  pid: 1292  Process: tmp.tmp.tmp1  procid_target: 85
Processes
C:\Users\Admin\AppData\Local\Temp\7439111fa238df419733904ed63fb0eca88347694a1fba69506a3f574fdaf466.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7439111fa238df419733904ed63fb0eca88347694a1fba69506a3f574fdaf466.exe"
  PID: 4360
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Windows\tmp.tmp.tmp1
    Command line: C:\Windows\tmp.tmp.tmp1
    PID: 1292
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1292 -s 500
      PID: 1524
      - Program crash
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1292 -ip 1292
  PID: 2396
Network
MITRE ATT&CK Matrix
Downloads
Filesize: 76KB
MD5: 11c554312bfd64073f2b19e659a59e96
SHA1: 061435a014199f70119d58a5d6ac822741979010
SHA256: 46b0e36860d0af1e1aa3da7204465a04586cce8fc01cfe0627cd9db188195f27
SHA512: c3bcd54825aa92cceb0dd85c9bb18f90a605070ca11fc344bb04df2ff0c2580eb79c995a4240727be5903baaed78e21cad74db2ec56959a81f1ac333508e2565