Analysis
max time kernel: 309s
max time network: 333s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06/12/2022, 21:14
Static task: static1
Behavioral task: behavioral1
  Sample: 7d90e1de880e7a2bec1f793cf1deca14533d0babecd085bdfa4db49bb5e50cb7.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 7d90e1de880e7a2bec1f793cf1deca14533d0babecd085bdfa4db49bb5e50cb7.exe
  Resource: win10v2004-20221111-en
General
Target: 7d90e1de880e7a2bec1f793cf1deca14533d0babecd085bdfa4db49bb5e50cb7.exe
Size: 460KB
MD5: a2546e26c5bf4dc5c5f3f3e173412618
SHA1: bbe054795a329a9e7bb874cd3714360d75ba7dfe
SHA256: 7d90e1de880e7a2bec1f793cf1deca14533d0babecd085bdfa4db49bb5e50cb7
SHA512: 95bf0a97ddf141642d46a64ce79a5f599de0147fd8b9a0fc90acdf00dbf983608cd762055a425e85750f061235f6f0919393a05d90e107fe380fbc1fa3640fb0
SSDEEP: 12288:gggZ8iH5Pbd3bik6cT0MPJdpY6qVD6G8Jsyq0Sy22qw4Ea3Ygsfn7nRa:++4tbipCFS6qVD6GEsyqJ14a3+n9a
Malware Config
Signatures

Executes dropped EXE (1 IoC)
pid   Process
1156  waazy.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid   Process
1156  waazy.exe
1156  waazy.exe

Suspicious use of WriteProcessMemory (63 IoCs; duplicate rows omitted)
description                       pid   Process                                                                  procid_target
PID 2120 wrote to memory of 1156  2120  7d90e1de880e7a2bec1f793cf1deca14533d0babecd085bdfa4db49bb5e50cb7.exe  82
PID 1156 wrote to memory of 2748  1156  waazy.exe                                                                18
PID 1156 wrote to memory of 2772  1156  waazy.exe                                                                46
PID 1156 wrote to memory of 2832  1156  waazy.exe                                                                45
PID 1156 wrote to memory of 2420  1156  waazy.exe                                                                43
PID 1156 wrote to memory of 2816  1156  waazy.exe                                                                42
PID 1156 wrote to memory of 3240  1156  waazy.exe                                                                19
PID 1156 wrote to memory of 3340  1156  waazy.exe                                                                41
PID 1156 wrote to memory of 3404  1156  waazy.exe                                                                20
PID 1156 wrote to memory of 3496  1156  waazy.exe                                                                40
PID 1156 wrote to memory of 3688  1156  waazy.exe                                                                39
PID 1156 wrote to memory of 3124  1156  waazy.exe                                                                24
PID 1156 wrote to memory of 2120  1156  waazy.exe                                                                79
Processes (indentation shows parent/child nesting)

C:\Windows\system32\sihost.exe
  Command line: sihost.exe
  PID: 2748

C:\Windows\system32\DllHost.exe
  Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  PID: 3240

C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 3404

C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 3124

C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 3688

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  PID: 3496

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  PID: 3340

C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
  PID: 2816

C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 2420
    C:\Users\Admin\AppData\Local\Temp\7d90e1de880e7a2bec1f793cf1deca14533d0babecd085bdfa4db49bb5e50cb7.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\7d90e1de880e7a2bec1f793cf1deca14533d0babecd085bdfa4db49bb5e50cb7.exe"
      Signatures: Suspicious use of WriteProcessMemory
      PID: 2120
        C:\Users\Admin\AppData\Roaming\Ozbiyq\waazy.exe
          Command line: "C:\Users\Admin\AppData\Roaming\Ozbiyq\waazy.exe"
          Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
          PID: 1156

C:\Windows\system32\taskhostw.exe
  Command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  PID: 2832

C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
  PID: 2772
Network
MITRE ATT&CK Matrix
Downloads
Filesize: 460KB
MD5: 072e9fa7ea8436fb4e8dade8e850ce50
SHA1: 4c19135516da64435e03b8f6908e06503b31f9ce
SHA256: 497f06f6bb83b2a20671a57c36f13ca470a40667f7489980e0be5293e8234609
SHA512: 6bf1bad0a3685e0b9a4eb804b00ac4c758bc859c52de65751f7e0521a4b780aa0c5e4218e99a6ebedb638c8fe3999f24976fe112bdc7cc84835279e092b9b833