Analysis

  • max time kernel
    328s
  • max time network
    349s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    05/12/2022, 09:43 UTC

General

  • Target

    9354661c3f9559fa7ae07649a00c3f8682c9d7e0187c3daf24b570dab2930f9c.exe

  • Size

    268KB

  • MD5

    64fe22577fa976e2d42d122a04a74553

  • SHA1

    b82d473befb2d938ed1e93b179030d2e23a00c16

  • SHA256

    9354661c3f9559fa7ae07649a00c3f8682c9d7e0187c3daf24b570dab2930f9c

  • SHA512

    dedee7831a277f7a46f906d7cb5d4e6af6add5b5b6abaa697440beb57123aa58663f4cf56cd6c6cc953809db3299f04473f167aa8655f9966222416633c3598a

  • SSDEEP

    3072:vwVIvoOqzSaoV9K9QO17bPFcpDuBplAa+0GgPvD1FzfwVYZODFZaFFw811Cx2w:PoCQ4DAp2a+ZgPJFzfq2OD7/Aoxh

Malware Config

Signatures

  • UPX packed file 1 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Suspicious use of SetThreadContext 2 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9354661c3f9559fa7ae07649a00c3f8682c9d7e0187c3daf24b570dab2930f9c.exe
    "C:\Users\Admin\AppData\Local\Temp\9354661c3f9559fa7ae07649a00c3f8682c9d7e0187c3daf24b570dab2930f9c.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4636
    • C:\Users\Admin\AppData\Local\Temp\9354661c3f9559fa7ae07649a00c3f8682c9d7e0187c3daf24b570dab2930f9c.exe
      C:\Users\Admin\AppData\Local\Temp\9354661c3f9559fa7ae07649a00c3f8682c9d7e0187c3daf24b570dab2930f9c.exe
      2⤵
      • Writes to the Master Boot Record (MBR)
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3120
      • C:\Users\Admin\AppData\Local\Temp\9354661c3f9559fa7ae07649a00c3f8682c9d7e0187c3daf24b570dab2930f9c.exe
        C:\Users\Admin\AppData\Local\Temp\9354661c3f9559fa7ae07649a00c3f8682c9d7e0187c3daf24b570dab2930f9c.exe
        3⤵
          PID:2076
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 2076 -s 12
            4⤵
            • Program crash
            PID:4276
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2076 -ip 2076
      1⤵
        PID:380

Network

  • DNS 226.101.242.52.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 226.101.242.52.in-addr.arpa IN PTR
    Response: (none)
  • DNS 0.e.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.4.0.c.0.0.3.0.1.3.0.6.2.ip6.arpa
    Remote address: 8.8.8.8:53
    Request: 0.e.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.4.0.c.0.0.3.0.1.3.0.6.2.ip6.arpa IN PTR
    Response: (none)
  • 20.50.80.209:443 (322 B, 7)
  • 93.184.220.29:80 (322 B, 7)
  • 104.80.225.205:443 (322 B, 7)
  • 72.21.81.240:80 (322 B, 7)
  • 72.21.81.240:80 (322 B, 7)
  • 72.21.81.240:80 (322 B, 7)
  • 8.247.210.254:80 (322 B, 7)
  • 8.8.8.8:53 dns 226.101.242.52.in-addr.arpa (73 B, 147 B, 1, 1)
    DNS Request: 226.101.242.52.in-addr.arpa
  • 8.8.8.8:53 dns 0.e.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.4.0.c.0.0.3.0.1.3.0.6.2.ip6.arpa (118 B, 204 B, 1, 1)
    DNS Request: 0.e.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.4.0.c.0.0.3.0.1.3.0.6.2.ip6.arpa

Downloads

  • memory/2076-144-0x0000000010000000-0x000000001004D000-memory.dmp (Filesize: 308KB)
  • memory/3120-135-0x0000000000400000-0x0000000000453000-memory.dmp (Filesize: 332KB)
  • memory/3120-137-0x0000000000400000-0x0000000000453000-memory.dmp (Filesize: 332KB)
  • memory/3120-138-0x0000000000400000-0x0000000000453000-memory.dmp (Filesize: 332KB)
  • memory/3120-141-0x0000000000400000-0x0000000000453000-memory.dmp (Filesize: 332KB)
  • memory/3120-142-0x0000000000020000-0x0000000000023000-memory.dmp (Filesize: 12KB)
  • memory/3120-145-0x0000000000400000-0x0000000000453000-memory.dmp (Filesize: 332KB)
