Analysis
- max time kernel: 941s
- max time network: 512s
- platform: windows10-2004_x64
- resource: win10v2004-20230221-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20230221-en locale:en-us os:windows10-2004-x64 system
- submitted: 21/04/2023, 04:06
Static task: static1
Behavioral task: behavioral1
- Sample: CaveCrawler.zip
- Resource: win10v2004-20230221-en
General
- Target: CaveCrawler.zip
- Size: 719.9MB
- MD5: aab2dec1413b10bba626678299e823ea
- SHA1: a4f78cf18bcafc6e373594cbe2a3cb755f517f07
- SHA256: d782574a27892f6b0ecde29477a872fbca28b99b36e4e5f8aaef14574f80d1f3
- SHA512: 33f3284523582ec3fdeaf37cb90046696b2588c056bed1e0b407cca02ff187d648815f0dd3d20cfefca4920e261c4f9642c4ce2bdfad79f349ebec5fd69466fd
- SSDEEP: 12582912:mcFTzmyOVs4rDtiXii1aNwDDmlegru0a32QwL6aidT:bzm5VWXH1aNwDDmVrKLwGZ
Malware Config
Signatures
- Program crash (4 IoCs)
  pid   pid_target  Process       procid_target
  2696  912         WerFault.exe  102
  3724  452         WerFault.exe  108
  3368  3664        WerFault.exe  119
  368   3020        WerFault.exe  124

- Suspicious use of FindShellTrayWindow (1 IoC)
  pid   Process
  1560  CaveCrawler.exe

- Suspicious use of SetWindowsHookEx (8 IoCs)
  pid   Process
  912   CaveCrawler.exe
  452   CaveCrawler.exe
  1560  CaveCrawler.exe
  3664  CaveCrawler.exe
  3664  CaveCrawler.exe
  4076  CaveCrawler.exe
  3316  CaveCrawler.exe
  3020  CaveCrawler.exe

- Suspicious use of WriteProcessMemory (10 IoCs; the report records each write twice)
  description                       pid   Process                  procid_target
  PID 4540 wrote to memory of 452   4540  CaveCrawler.console.exe  108
  PID 4540 wrote to memory of 452   4540  CaveCrawler.console.exe  108
  PID 2360 wrote to memory of 3664  2360  cmd.exe                  119
  PID 2360 wrote to memory of 3664  2360  cmd.exe                  119
  PID 2360 wrote to memory of 4076  2360  cmd.exe                  122
  PID 2360 wrote to memory of 4076  2360  cmd.exe                  122
  PID 2360 wrote to memory of 3316  2360  cmd.exe                  123
  PID 2360 wrote to memory of 3316  2360  cmd.exe                  123
  PID 2360 wrote to memory of 3020  2360  cmd.exe                  124
  PID 2360 wrote to memory of 3020  2360  cmd.exe                  124
Processes
(indentation shows parent/child nesting; "Image" is the executable path, "Command line" is what the sandbox recorded)

- Image: C:\Windows\Explorer.exe
  Command line: C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\CaveCrawler.zip
  PID: 4268

- Image: C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 2076

- Image: C:\Users\Admin\Desktop\CaveCrawler\CaveCrawler.exe
  Command line: "C:\Users\Admin\Desktop\CaveCrawler\CaveCrawler.exe"
  Signatures: Suspicious use of SetWindowsHookEx
  PID: 912
    - Image: C:\Windows\system32\WerFault.exe
      Command line: C:\Windows\system32\WerFault.exe -u -p 912 -s 1264
      Signatures: Program crash
      PID: 2696

- Image: C:\Windows\system32\WerFault.exe
  Command line: C:\Windows\system32\WerFault.exe -pss -s 412 -p 912 -ip 912
  PID: 1356

- Image: C:\Users\Admin\Desktop\CaveCrawler\CaveCrawler.console.exe
  Command line: "C:\Users\Admin\Desktop\CaveCrawler\CaveCrawler.console.exe"
  Signatures: Suspicious use of WriteProcessMemory
  PID: 4540
    - Image: C:\Users\Admin\Desktop\CaveCrawler\CaveCrawler.exe
      Command line: C:\Users\Admin\Desktop\CaveCrawler\CaveCrawler.exe
      Signatures: Suspicious use of SetWindowsHookEx
      PID: 452
        - Image: C:\Windows\system32\WerFault.exe
          Command line: C:\Windows\system32\WerFault.exe -u -p 452 -s 528
          Signatures: Program crash
          PID: 3724

- Image: C:\Windows\system32\WerFault.exe
  Command line: C:\Windows\system32\WerFault.exe -pss -s 456 -p 452 -ip 452
  PID: 3572

- Image: C:\Windows\system32\cmd.exe
  Command line: "C:\Windows\system32\cmd.exe"
  Signatures: Suspicious use of WriteProcessMemory
  PID: 2360
    - Image: C:\Users\Admin\Desktop\CaveCrawler\CaveCrawler.exe
      Command line: "CaveCrawler.exe" --rendering-driver opengl3
      Signatures: Suspicious use of SetWindowsHookEx
      PID: 3664
        - Image: C:\Windows\system32\WerFault.exe
          Command line: C:\Windows\system32\WerFault.exe -u -p 3664 -s 532
          Signatures: Program crash
          PID: 3368
    - Image: C:\Users\Admin\Desktop\CaveCrawler\CaveCrawler.exe
      Command line: "CaveCrawler.exe" --rendering-driver opengl2
      Signatures: Suspicious use of SetWindowsHookEx
      PID: 4076
    - Image: C:\Users\Admin\Desktop\CaveCrawler\CaveCrawler.exe
      Command line: "CaveCrawler.exe" --rendering-driver dummy
      Signatures: Suspicious use of SetWindowsHookEx
      PID: 3316
    - Image: C:\Users\Admin\Desktop\CaveCrawler\CaveCrawler.exe
      Command line: "CaveCrawler.exe" --rendering-driver vulkan
      Signatures: Suspicious use of SetWindowsHookEx
      PID: 3020
        - Image: C:\Windows\system32\WerFault.exe
          Command line: C:\Windows\system32\WerFault.exe -u -p 3020 -s 500
          Signatures: Program crash
          PID: 368

- Image: C:\Users\Admin\Desktop\CaveCrawler\CaveCrawler.exe
  Command line: "C:\Users\Admin\Desktop\CaveCrawler\CaveCrawler.exe"
  Signatures: Suspicious use of FindShellTrayWindow, Suspicious use of SetWindowsHookEx
  PID: 1560

- Image: C:\Windows\system32\WerFault.exe
  Command line: C:\Windows\system32\WerFault.exe -pss -s 532 -p 3664 -ip 3664
  PID: 912 (PID reused; the earlier CaveCrawler.exe instance with PID 912 had already crashed)

- Image: C:\Windows\system32\WerFault.exe
  Command line: C:\Windows\system32\WerFault.exe -pss -s 404 -p 3020 -ip 3020
  PID: 820
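Correlating each WerFault.exe instance above with the process it reports on, as an added worked example in Python (not part of the tria.ge report and not code from the CaveCrawler project). The process list is copied from the report in report order. The one thing the report makes worth showing is PID reuse: PID 912 is first CaveCrawler.exe and later a WerFault.exe instance, so a plain {pid: cmdline} dictionary would resolve the earlier "-pss ... -p 912" line to the wrong process; the lookup below uses report order as a stand-in for start time. The split into "-u -p <pid>" and "-pss ... -p <pid>" instances is taken only from the pairs visible in the list, not from any claim about WerFault internals.

```python
import re

# Constructed input: the "Processes" section of the report above as
# (pid, command line) pairs in report order. PID 912 occurs twice.
PROCESSES = [
    (4268, r'C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\CaveCrawler.zip'),
    (2076, r'C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding'),
    (912,  r'"C:\Users\Admin\Desktop\CaveCrawler\CaveCrawler.exe"'),
    (2696, r'C:\Windows\system32\WerFault.exe -u -p 912 -s 1264'),
    (1356, r'C:\Windows\system32\WerFault.exe -pss -s 412 -p 912 -ip 912'),
    (4540, r'"C:\Users\Admin\Desktop\CaveCrawler\CaveCrawler.console.exe"'),
    (452,  r'C:\Users\Admin\Desktop\CaveCrawler\CaveCrawler.exe'),
    (3724, r'C:\Windows\system32\WerFault.exe -u -p 452 -s 528'),
    (3572, r'C:\Windows\system32\WerFault.exe -pss -s 456 -p 452 -ip 452'),
    (2360, r'"C:\Windows\system32\cmd.exe"'),
    (3664, r'"CaveCrawler.exe" --rendering-driver opengl3'),
    (3368, r'C:\Windows\system32\WerFault.exe -u -p 3664 -s 532'),
    (4076, r'"CaveCrawler.exe" --rendering-driver opengl2'),
    (3316, r'"CaveCrawler.exe" --rendering-driver dummy'),
    (3020, r'"CaveCrawler.exe" --rendering-driver vulkan'),
    (368,  r'C:\Windows\system32\WerFault.exe -u -p 3020 -s 500'),
    (1560, r'"C:\Users\Admin\Desktop\CaveCrawler\CaveCrawler.exe"'),
    (912,  r'C:\Windows\system32\WerFault.exe -pss -s 532 -p 3664 -ip 3664'),   # PID 912 reused
    (820,  r'C:\Windows\system32\WerFault.exe -pss -s 404 -p 3020 -ip 3020'),
]

WERFAULT_RE = re.compile(r'WerFault\.exe\b', re.IGNORECASE)
# "-p <pid>" only; must not match the "-pss" switch or "-ip <pid>".
TARGET_RE = re.compile(r'(?:^|\s)-p\s+(\d+)')
DRIVER_RE = re.compile(r'--rendering-driver\s+(\S+)')


def werfault_target(cmdline):
    """Return the PID named by -p in a WerFault.exe command line, else None."""
    if not WERFAULT_RE.search(cmdline):
        return None
    m = TARGET_RE.search(cmdline)
    return int(m.group(1)) if m else None


def resolve_pid(processes, pid, before_index):
    """Command line of the latest process with this PID that appears before
    before_index. Report order stands in for start time; this is what keeps
    a reused PID from resolving to the wrong process."""
    for i in range(before_index - 1, -1, -1):
        if processes[i][0] == pid:
            return processes[i][1]
    return None


def crash_reports(processes):
    """Pair every WerFault.exe instance with the process it reports on.
    Returns (werfault_pid, target_pid, target_cmdline, mode) tuples, where
    mode is 'u' for '-u -p <pid>' lines and 'pss' for '-pss ... -p <pid>'."""
    out = []
    for idx, (pid, cmd) in enumerate(processes):
        target = werfault_target(cmd)
        if target is None:
            continue
        mode = 'pss' if ' -pss' in cmd else 'u'
        out.append((pid, target, resolve_pid(processes, target, idx), mode))
    return out


def crashed_drivers(processes):
    """(pid, rendering driver) of each CaveCrawler.exe launch that got a
    '-u -p <pid>' WerFault instance. Launches without --rendering-driver
    map to None."""
    crashed = set()
    for _wpid, target, cmd, mode in crash_reports(processes):
        if mode != 'u' or cmd is None or 'CaveCrawler.exe' not in cmd:
            continue
        m = DRIVER_RE.search(cmd)
        crashed.add((target, m.group(1) if m else None))
    return crashed


if __name__ == '__main__':
    for wpid, target, cmd, mode in crash_reports(PROCESSES):
        print(f'WerFault {wpid:>5} ({mode:>3}) -> {target:>5}: {cmd}')
    print('crashed launches:', sorted(crashed_drivers(PROCESSES), key=str))
```

Run as-is it lists all eight WerFault instances with the command line each one points at; the opengl2 and dummy launches are the only CaveCrawler.exe children of cmd.exe that never acquire a "-u -p <pid>" WerFault child.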
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 72B
  MD5: 57d9cb299b237cf81a5181614aac87b1
  SHA1: a6ccd0fdd593486de84d9050adf2867b4d6b4fc7
  SHA256: aa5ae00daaae6a17247d9e07f3ef5f0b411836a3da4665161de9bcf73fd51eef
  SHA512: f38eef2cc059b3d5bc19bb044e0a5bbf7a536f7416b51816bb6e170416962cafb23d6f3cbcf5de2767f7095ee08abc7ecbb7640bd1a7c097f5fa8863a785da35

- Filesize: 179B (this entry is listed three times in the report)
  MD5: 31fd3165b0d98fd6142a4c2a2ad4a9f8
  SHA1: 71af12c38a69e486a9286558e4572a978cee72c8
  SHA256: 6f8ebd5c0ac62bfc4fc14fb4228ba527eaf5a1d194bd347b1f2ff55d3f20daae
  SHA512: 5ee04b4d1e6e774270719d8195a8a069278177e63fc97f5bb295b1fc1fdc0a1152ab7b2420f6614b5892eb335b529f483660f8b65ba6fee7ede6d4e7596b6f91