Analysis
max time kernel: 78s
max time network: 127s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06/03/2023, 05:35
Static task: static1
Behavioral task: behavioral1
Sample: c14dfbc33876ec82c3705cc8cedad7dda10646b4fd9d12c468d786187422bee7.exe
Resource: win10v2004-20230220-en
General
Target: c14dfbc33876ec82c3705cc8cedad7dda10646b4fd9d12c468d786187422bee7.exe
Size: 308KB
MD5: 3b32570cfc08329e3bf2624f727ead3f
SHA1: 6f15ad55aab802e2c963c7d95d605cfd9e189ea3
SHA256: c14dfbc33876ec82c3705cc8cedad7dda10646b4fd9d12c468d786187422bee7
SHA512: 9c380ea7111f6ebc335ddb5dd42b7f9b4ae32f93debfac83dfd544790fd644173b1b2d7685fb18801520eabc93fd3919b0c89d96519ed4bf0a2fec754fa5ebc8
SSDEEP: 6144:bOsY+HgEiTA14Xn0Ti8v1bbFgXIQdjrfzNt18EP3:i814Xn0Ti8tbJyIQdjrfzmEP3
Malware Config
Signatures

Process spawned unexpected child process (1 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
  description | pid | pid_target | Process | procid_target
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2916 | 3228 | rundll32.exe | 41

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation | c14dfbc33876ec82c3705cc8cedad7dda10646b4fd9d12c468d786187422bee7.exe

Loads dropped DLL (1 IoCs)
  pid | Process
  4924 | rundll32.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (1 IoCs)
  pid | pid_target | Process | procid_target
  3284 | 4924 | WerFault.exe | 88

Script User-Agent (1 IoCs)
Uses user-agent string associated with script host/environment.
  description | flow | ioc
  HTTP User-Agent header | 6 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious use of SetWindowsHookEx (4 IoCs)
  pid | Process
  4912 | c14dfbc33876ec82c3705cc8cedad7dda10646b4fd9d12c468d786187422bee7.exe
  4912 | c14dfbc33876ec82c3705cc8cedad7dda10646b4fd9d12c468d786187422bee7.exe
  3096 | c14dfbc33876ec82c3705cc8cedad7dda10646b4fd9d12c468d786187422bee7.exe
  3096 | c14dfbc33876ec82c3705cc8cedad7dda10646b4fd9d12c468d786187422bee7.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 4912 wrote to memory of 3096 | 4912 | c14dfbc33876ec82c3705cc8cedad7dda10646b4fd9d12c468d786187422bee7.exe | 85
  PID 4912 wrote to memory of 3096 | 4912 | c14dfbc33876ec82c3705cc8cedad7dda10646b4fd9d12c468d786187422bee7.exe | 85
  PID 4912 wrote to memory of 3096 | 4912 | c14dfbc33876ec82c3705cc8cedad7dda10646b4fd9d12c468d786187422bee7.exe | 85
  PID 2916 wrote to memory of 4924 | 2916 | rundll32.exe | 88
  PID 2916 wrote to memory of 4924 | 2916 | rundll32.exe | 88
  PID 2916 wrote to memory of 4924 | 2916 | rundll32.exe | 88
Processes

C:\Users\Admin\AppData\Local\Temp\c14dfbc33876ec82c3705cc8cedad7dda10646b4fd9d12c468d786187422bee7.exe (PID 4912)
  Command line: "C:\Users\Admin\AppData\Local\Temp\c14dfbc33876ec82c3705cc8cedad7dda10646b4fd9d12c468d786187422bee7.exe"
  - Checks computer location settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\c14dfbc33876ec82c3705cc8cedad7dda10646b4fd9d12c468d786187422bee7.exe (PID 3096)
      Command line: "C:\Users\Admin\AppData\Local\Temp\c14dfbc33876ec82c3705cc8cedad7dda10646b4fd9d12c468d786187422bee7.exe" -h
      - Suspicious use of SetWindowsHookEx

C:\Windows\system32\rundll32.exe (PID 2916)
  Command line: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe (PID 4924)
      Command line: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
      - Loads dropped DLL
        C:\Windows\SysWOW64\WerFault.exe (PID 3284)
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4924 -s 600
          - Program crash

C:\Windows\SysWOW64\WerFault.exe (PID 3668)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4924 -ip 4924
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 557KB
MD5: 535677ceb05cbea48bc25b52a5c2da67
SHA1: 52906724f2135086417fffb42a60cf6f0d55362d
SHA256: c685c604b16270bb5417594aa58f7c532e617d21f61ffe683a03c387dbbddefc
SHA512: c812b3612a00afffce17613629b72a6ac43a10f7ca69376c5e3dc87d1f60e6c38432ec73de74279c6e32ca20a47e8bbd23ef06fb7be50d46494701f1bcdcfb3b

Filesize: 52KB
MD5: 1b20e998d058e813dfc515867d31124f
SHA1: c9dc9c42a748af18ae1a8c882b90a2b9e3313e6f
SHA256: 24a53033a2e89acf65f6a5e60d35cb223585817032635e81bf31264eb7dabd00
SHA512: 79849fbdb9a9e7f7684b570d14662448b093b8aa2b23dfd95856db3a78faf75a95d95c51b8aa8506c4fbecffebcc57cd153dda38c830c05b8cd38629fae673c6