Analysis
max time kernel: 150s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03/12/2022, 19:07
Static task: static1
Behavioral task: behavioral1
  Sample: e435664f2cefca1153f662887fcb6656772f1f7f56bfb40680686dbf5a6c0d3e.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: e435664f2cefca1153f662887fcb6656772f1f7f56bfb40680686dbf5a6c0d3e.exe
  Resource: win10v2004-20220812-en
General
Target: e435664f2cefca1153f662887fcb6656772f1f7f56bfb40680686dbf5a6c0d3e.exe
Size: 133KB
MD5: aafef404650287c7c279ff33826186ee
SHA1: 925994f9355d7ace89e3482816aade99525b51f3
SHA256: e435664f2cefca1153f662887fcb6656772f1f7f56bfb40680686dbf5a6c0d3e
SHA512: c2466ec91bab2cf714d006d9235c5351ac581b612e114012656ceff198bde6d0a7719e5e9a54a204f1ddaedf311db3608d799ef53bef630bc8b869a4320b1416
SSDEEP: 768:X+RFmnbfWDut1vC+bHyBtMLNe28DUMaV9NvSEqf/Z+:ORFyWuq+bHyBtMLX8DUjVzFqM
Malware Config
Signatures

Executes dropped EXE (1 IoC)
  pid   Process
  4636  ntldr.exe

Drops file in System32 directory (5 IoCs)
  description                   ioc                              Process
  File opened for modification  C:\Windows\SysWOW64\RCX7C1A.tmp  e435664f2cefca1153f662887fcb6656772f1f7f56bfb40680686dbf5a6c0d3e.exe
  File opened for modification  C:\Windows\SysWOW64\ntldr.exe    ntldr.exe
  File created                  C:\Windows\SysWOW64\ntldr.exe    ntldr.exe
  File opened for modification  C:\Windows\SysWOW64\ntldr.exe    e435664f2cefca1153f662887fcb6656772f1f7f56bfb40680686dbf5a6c0d3e.exe
  File created                  C:\Windows\SysWOW64\ntldr.exe    e435664f2cefca1153f662887fcb6656772f1f7f56bfb40680686dbf5a6c0d3e.exe

Program crash (2 IoCs)
  pid   pid_target  Process       procid_target
  2620  4368        WerFault.exe  79
  2268  4636        WerFault.exe  80

Suspicious use of WriteProcessMemory (3 IoCs)
  description                       pid   Process                                                               procid_target
  PID 4368 wrote to memory of 4636  4368  e435664f2cefca1153f662887fcb6656772f1f7f56bfb40680686dbf5a6c0d3e.exe  80
  PID 4368 wrote to memory of 4636  4368  e435664f2cefca1153f662887fcb6656772f1f7f56bfb40680686dbf5a6c0d3e.exe  80
  PID 4368 wrote to memory of 4636  4368  e435664f2cefca1153f662887fcb6656772f1f7f56bfb40680686dbf5a6c0d3e.exe  80
Processes (indentation shows parent/child depth)

C:\Users\Admin\AppData\Local\Temp\e435664f2cefca1153f662887fcb6656772f1f7f56bfb40680686dbf5a6c0d3e.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\e435664f2cefca1153f662887fcb6656772f1f7f56bfb40680686dbf5a6c0d3e.exe"
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID: 4368

  C:\Windows\SysWOW64\ntldr.exe
    command line: "C:\Windows\system32\ntldr.exe"
    - Executes dropped EXE
    - Drops file in System32 directory
    PID: 4636

    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4636 -s 376
      - Program crash
      PID: 2268

  C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4368 -s 408
    - Program crash
    PID: 2620

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 200 -p 4368 -ip 4368
  PID: 5080

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4636 -ip 4636
  PID: 5088
Network
MITRE ATT&CK Matrix
Downloads
Filesize: 28KB
MD5: 80f9290f521afce325d362ee877acf62
SHA1: 04b7ba722b02dbd7d0df092cdfca61474537af2f
SHA256: 8d2a997f844c4ced9fe35154ea7467e8183f3d2aba6e1532bb60b87820cbedf4
SHA512: 27c53cd7b961c836e5d71041803a103fb371e4e26b7ac62d97ecbb0b5a702a689c9159bcf7a050d0256354b582b9a8c4c1aaebc58906e2bcd7e95065aef484be