Analysis
max time kernel: 99s
max time network: 103s
platform: windows10-2004_x64
resource: win10v2004-20230221-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06/03/2023, 03:00
Static task: static1
Behavioral task: behavioral1
  Sample: 412bb38f795aba08e44a81136b0f12c9a6be6b60db348e230c8bfa2b84eb9772.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: 412bb38f795aba08e44a81136b0f12c9a6be6b60db348e230c8bfa2b84eb9772.exe
  Resource: win10v2004-20230221-en
General
Target: 412bb38f795aba08e44a81136b0f12c9a6be6b60db348e230c8bfa2b84eb9772.exe
Size: 72KB
MD5: 834a79ee7a59547a89ef4f849829b05b
SHA1: 28db68cffea38ed08db8fc3ed687a45494c38dcb
SHA256: 412bb38f795aba08e44a81136b0f12c9a6be6b60db348e230c8bfa2b84eb9772
SHA512: 3adebe76c029607c1630595714b959d0e335b12c5d6d6e444788803bdd9e879aa3ff5b6b5f9370f06e74c50a5a832efb7f7ce24f6fdb51147269ab4a45261774
SSDEEP: 1536:3vAkGoo+bH/J027ZKxyafwhHCC/mq1ktG:3vuWbaRgaYtX1ktG
Malware Config
Signatures

Process spawned unexpected child process (1 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
  description: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
  pid: 3172
  pid_target: 2024
  Process: rundll32.exe
  procid_target: 40

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation
  Process: 412bb38f795aba08e44a81136b0f12c9a6be6b60db348e230c8bfa2b84eb9772.exe

Loads dropped DLL (1 IoCs)
  pid: 1816
  Process: rundll32.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (1 IoCs)
  pid: 1000
  pid_target: 1816
  Process: WerFault.exe
  procid_target: 90

Script User-Agent (1 IoCs)
Uses user-agent string associated with script host/environment.
  description: HTTP User-Agent header
  flow: 16
  ioc: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 2640 wrote to memory of 3184 | 2640 | 412bb38f795aba08e44a81136b0f12c9a6be6b60db348e230c8bfa2b84eb9772.exe | 87
  PID 2640 wrote to memory of 3184 | 2640 | 412bb38f795aba08e44a81136b0f12c9a6be6b60db348e230c8bfa2b84eb9772.exe | 87
  PID 2640 wrote to memory of 3184 | 2640 | 412bb38f795aba08e44a81136b0f12c9a6be6b60db348e230c8bfa2b84eb9772.exe | 87
  PID 3172 wrote to memory of 1816 | 3172 | rundll32.exe | 90
  PID 3172 wrote to memory of 1816 | 3172 | rundll32.exe | 90
  PID 3172 wrote to memory of 1816 | 3172 | rundll32.exe | 90
Processes

C:\Users\Admin\AppData\Local\Temp\412bb38f795aba08e44a81136b0f12c9a6be6b60db348e230c8bfa2b84eb9772.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\412bb38f795aba08e44a81136b0f12c9a6be6b60db348e230c8bfa2b84eb9772.exe"
  PID: 2640
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\412bb38f795aba08e44a81136b0f12c9a6be6b60db348e230c8bfa2b84eb9772.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\412bb38f795aba08e44a81136b0f12c9a6be6b60db348e230c8bfa2b84eb9772.exe" --v
    PID: 3184

C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
  PID: 3172
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
    PID: 1816
    - Loads dropped DLL

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1816 -s 600
      PID: 1000
      - Program crash

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1816 -ip 1816
  PID: 3948
Network

MITRE ATT&CK Enterprise v6

Downloads

Filesize: 557KB
MD5: cb077166b5cc181bde4c2bb30d28a99a
SHA1: 800aab82a816e41ded59bc20cda364fa22dc0bcb
SHA256: 40f19665b2ae343aa3838226e3393e2816a58fbb16fa4d2a3da8c602f20c9f72
SHA512: d1a9c9696f17e0ed3fe34996fef186c23ca9c0bb5cc1073a01bee88ca3d6a096dce61145f6339f88fd08fd4ac5d451105547a604c9a10fb373a78c6cf9df2811

Filesize: 52KB
MD5: 1b20e998d058e813dfc515867d31124f
SHA1: c9dc9c42a748af18ae1a8c882b90a2b9e3313e6f
SHA256: 24a53033a2e89acf65f6a5e60d35cb223585817032635e81bf31264eb7dabd00
SHA512: 79849fbdb9a9e7f7684b570d14662448b093b8aa2b23dfd95856db3a78faf75a95d95c51b8aa8506c4fbecffebcc57cd153dda38c830c05b8cd38629fae673c6

Filesize: 52KB
MD5: 1b20e998d058e813dfc515867d31124f
SHA1: c9dc9c42a748af18ae1a8c882b90a2b9e3313e6f
SHA256: 24a53033a2e89acf65f6a5e60d35cb223585817032635e81bf31264eb7dabd00
SHA512: 79849fbdb9a9e7f7684b570d14662448b093b8aa2b23dfd95856db3a78faf75a95d95c51b8aa8506c4fbecffebcc57cd153dda38c830c05b8cd38629fae673c6