Analysis
- max time kernel: 197s
- max time network: 201s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06/12/2022, 21:50
Static task: static1
Behavioral task: behavioral1
- Sample: b469bf6f3cffc6ebc1448744adf298c97b2d970b23c220943a3e9327202166ab.exe
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: b469bf6f3cffc6ebc1448744adf298c97b2d970b23c220943a3e9327202166ab.exe
- Resource: win10v2004-20221111-en
General
- Target: b469bf6f3cffc6ebc1448744adf298c97b2d970b23c220943a3e9327202166ab.exe
- Size: 429KB
- MD5: e7e88c89b74034e8164640db5bd406c7
- SHA1: b1464e8ffe65265f60bce1119c58834448bc91cd
- SHA256: b469bf6f3cffc6ebc1448744adf298c97b2d970b23c220943a3e9327202166ab
- SHA512: 7157c65fee6867c57863e8f6447374d284d2d75d8211b29fe23282075f09dc6c59ce763d46b515fb43e08e845df36346799fae9dac4570f565bef92d6bb588aa
- SSDEEP: 1536:cHb2FTOaRIrHRgl7D7AFysbP0DOIqxLcakr/6W4j752aR1p/WVHJq:c72Bmxu/A4sD0DOb4aM4Bhh2HY
Malware Config
Signatures
- Loads dropped DLL (2 IoCs)
  pid   Process
  1376  b469bf6f3cffc6ebc1448744adf298c97b2d970b23c220943a3e9327202166ab.exe
  1376  b469bf6f3cffc6ebc1448744adf298c97b2d970b23c220943a3e9327202166ab.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cdoosoft = "C:\\Users\\Admin\\AppData\\Local\\Temp\\herss.exe"
  Process: b469bf6f3cffc6ebc1448744adf298c97b2d970b23c220943a3e9327202166ab.exe
- Program crash (1 IoC)
  pid   pid_target  Process       procid_target
  320   1376        WerFault.exe  81
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  pid   Process
  1376  b469bf6f3cffc6ebc1448744adf298c97b2d970b23c220943a3e9327202166ab.exe (8 identical entries)
- Suspicious use of WriteProcessMemory (1 IoC)
  description: PID 1376 wrote to memory of 2720
  pid: 1376
  Process: b469bf6f3cffc6ebc1448744adf298c97b2d970b23c220943a3e9327202166ab.exe
  procid_target: 40
Processes
- C:\Windows\Explorer.EXE (PID 2720)
  - C:\Users\Admin\AppData\Local\Temp\b469bf6f3cffc6ebc1448744adf298c97b2d970b23c220943a3e9327202166ab.exe (PID 1376)
    Command line: "C:\Users\Admin\AppData\Local\Temp\b469bf6f3cffc6ebc1448744adf298c97b2d970b23c220943a3e9327202166ab.exe"
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WerFault.exe (PID 320)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1376 -s 388
      - Program crash
- C:\Windows\SysWOW64\WerFault.exe (PID 4892)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 1376 -ip 1376
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 79KB
  MD5: 955250b10d8f30ba40abd128d9d7d9f7
  SHA1: 888c2944f81b7f1a6d764237b842fece9e41aa49
  SHA256: d6bc2d7ba343bfe52415727fcb7aa568e184fa0fd0fd89a367e18ff218bb63e6
  SHA512: dfcaa5a577de599e61c148b14705c18d60e820c717a716aafcc6c59d290946f170668c59ebd30dd90fdc774bbb3173ceb14b49eb26506919740d0069e95fdb42