Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
78s -
max time network
127s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
06/03/2023, 05:35
General
-
Target
c14dfbc33876ec82c3705cc8cedad7dda10646b4fd9d12c468d786187422bee7.exe
-
Size
308KB
-
MD5
3b32570cfc08329e3bf2624f727ead3f
-
SHA1
6f15ad55aab802e2c963c7d95d605cfd9e189ea3
-
SHA256
c14dfbc33876ec82c3705cc8cedad7dda10646b4fd9d12c468d786187422bee7
-
SHA512
9c380ea7111f6ebc335ddb5dd42b7f9b4ae32f93debfac83dfd544790fd644173b1b2d7685fb18801520eabc93fd3919b0c89d96519ed4bf0a2fec754fa5ebc8
-
SSDEEP
6144:bOsY+HgEiTA14Xn0Ti8v1bbFgXIQdjrfzNt18EP3:i814Xn0Ti8tbJyIQdjrfzmEP3
Malware Config
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
-
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\c14dfbc33876ec82c3705cc8cedad7dda10646b4fd9d12c468d786187422bee7.exe"C:\Users\Admin\AppData\Local\Temp\c14dfbc33876ec82c3705cc8cedad7dda10646b4fd9d12c468d786187422bee7.exe"1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\c14dfbc33876ec82c3705cc8cedad7dda10646b4fd9d12c468d786187422bee7.exe"C:\Users\Admin\AppData\Local\Temp\c14dfbc33876ec82c3705cc8cedad7dda10646b4fd9d12c468d786187422bee7.exe" -h2⤵
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open2⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4924 -s 6003⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4924 -ip 49241⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
557KB
MD5535677ceb05cbea48bc25b52a5c2da67
SHA152906724f2135086417fffb42a60cf6f0d55362d
SHA256c685c604b16270bb5417594aa58f7c532e617d21f61ffe683a03c387dbbddefc
SHA512c812b3612a00afffce17613629b72a6ac43a10f7ca69376c5e3dc87d1f60e6c38432ec73de74279c6e32ca20a47e8bbd23ef06fb7be50d46494701f1bcdcfb3b
-
Filesize
52KB
MD51b20e998d058e813dfc515867d31124f
SHA1c9dc9c42a748af18ae1a8c882b90a2b9e3313e6f
SHA25624a53033a2e89acf65f6a5e60d35cb223585817032635e81bf31264eb7dabd00
SHA51279849fbdb9a9e7f7684b570d14662448b093b8aa2b23dfd95856db3a78faf75a95d95c51b8aa8506c4fbecffebcc57cd153dda38c830c05b8cd38629fae673c6
-
Filesize
52KB
MD51b20e998d058e813dfc515867d31124f
SHA1c9dc9c42a748af18ae1a8c882b90a2b9e3313e6f
SHA25624a53033a2e89acf65f6a5e60d35cb223585817032635e81bf31264eb7dabd00
SHA51279849fbdb9a9e7f7684b570d14662448b093b8aa2b23dfd95856db3a78faf75a95d95c51b8aa8506c4fbecffebcc57cd153dda38c830c05b8cd38629fae673c6