Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 57s
max time network: 34s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 06/12/2022, 21:50
Static task: static1
Behavioral task: behavioral1
  Sample: b469bf6f3cffc6ebc1448744adf298c97b2d970b23c220943a3e9327202166ab.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: b469bf6f3cffc6ebc1448744adf298c97b2d970b23c220943a3e9327202166ab.exe
  Resource: win10v2004-20221111-en
General
Target: b469bf6f3cffc6ebc1448744adf298c97b2d970b23c220943a3e9327202166ab.exe
Size: 429KB
MD5: e7e88c89b74034e8164640db5bd406c7
SHA1: b1464e8ffe65265f60bce1119c58834448bc91cd
SHA256: b469bf6f3cffc6ebc1448744adf298c97b2d970b23c220943a3e9327202166ab
SHA512: 7157c65fee6867c57863e8f6447374d284d2d75d8211b29fe23282075f09dc6c59ce763d46b515fb43e08e845df36346799fae9dac4570f565bef92d6bb588aa
SSDEEP: 1536:cHb2FTOaRIrHRgl7D7AFysbP0DOIqxLcakr/6W4j752aR1p/WVHJq:c72Bmxu/A4sD0DOb4aM4Bhh2HY
Malware Config
Signatures
Loads dropped DLL (1 IoC)
  pid 1628  Process: b469bf6f3cffc6ebc1448744adf298c97b2d970b23c220943a3e9327202166ab.exe
Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str)  \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\cdoosoft = "C:\\Users\\Admin\\AppData\\Local\\Temp\\herss.exe"  Process: b469bf6f3cffc6ebc1448744adf298c97b2d970b23c220943a3e9327202166ab.exe
Program crash (1 IoC)
  pid 880  pid_target 1628  Process: WerFault.exe  procid_target 17
Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid 1628  Process: b469bf6f3cffc6ebc1448744adf298c97b2d970b23c220943a3e9327202166ab.exe
  pid 1628  Process: b469bf6f3cffc6ebc1448744adf298c97b2d970b23c220943a3e9327202166ab.exe
  pid 1628  Process: b469bf6f3cffc6ebc1448744adf298c97b2d970b23c220943a3e9327202166ab.exe
  pid 1628  Process: b469bf6f3cffc6ebc1448744adf298c97b2d970b23c220943a3e9327202166ab.exe
Suspicious use of WriteProcessMemory (5 IoCs)
  PID 1628 wrote to memory of 1208  pid 1628  Process: b469bf6f3cffc6ebc1448744adf298c97b2d970b23c220943a3e9327202166ab.exe  procid_target 14
  PID 1628 wrote to memory of 880   pid 1628  Process: b469bf6f3cffc6ebc1448744adf298c97b2d970b23c220943a3e9327202166ab.exe  procid_target 28
  PID 1628 wrote to memory of 880   pid 1628  Process: b469bf6f3cffc6ebc1448744adf298c97b2d970b23c220943a3e9327202166ab.exe  procid_target 28
  PID 1628 wrote to memory of 880   pid 1628  Process: b469bf6f3cffc6ebc1448744adf298c97b2d970b23c220943a3e9327202166ab.exe  procid_target 28
  PID 1628 wrote to memory of 880   pid 1628  Process: b469bf6f3cffc6ebc1448744adf298c97b2d970b23c220943a3e9327202166ab.exe  procid_target 28
Processes
  C:\Windows\Explorer.EXE (PID 1208)
    C:\Users\Admin\AppData\Local\Temp\b469bf6f3cffc6ebc1448744adf298c97b2d970b23c220943a3e9327202166ab.exe (PID 1628)
      Command line: "C:\Users\Admin\AppData\Local\Temp\b469bf6f3cffc6ebc1448744adf298c97b2d970b23c220943a3e9327202166ab.exe"
      - Loads dropped DLL
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\WerFault.exe (PID 880)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1628 -s 188
        - Program crash
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 79KB
MD5: 955250b10d8f30ba40abd128d9d7d9f7
SHA1: 888c2944f81b7f1a6d764237b842fece9e41aa49
SHA256: d6bc2d7ba343bfe52415727fcb7aa568e184fa0fd0fd89a367e18ff218bb63e6
SHA512: dfcaa5a577de599e61c148b14705c18d60e820c717a716aafcc6c59d290946f170668c59ebd30dd90fdc774bbb3173ceb14b49eb26506919740d0069e95fdb42