Analysis
max time kernel: 31s
max time network: 34s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 28/05/2023, 17:50
Behavioral task: behavioral1
Sample: 01964799.exe
Resource: win7-20230220-en
Behavioral task: behavioral2
Sample: 01964799.exe
Resource: win10v2004-20230220-en
General
Target: 01964799.exe
Size: 70KB
MD5: 9870a05fff62808bbc56b9556b3dbc3c
SHA1: 16bea3c63ea9ec8ca3560a66f83bfba402960a9e
SHA256: d0aed6f8fbdfef9c66fe74e2870b203063b2498a18692d16d6c3ffbd672ea553
SHA512: ccea18f7b1926de95d5053de814d9b3a00fdd5705e87d3c1dbaeb02d6dab90ce74f9e9fdabcda5875cce26f86560bce1177c7b618eb3a18e293addb918c4cea3
SSDEEP: 1536:LZZZZZZZZZZZZpXzzzzzzzzzzzzADypczUk+lkZJngWMqqU+2bbbAV2/S2OvvdZl:Kd5BJHMqqDL2/OvvdrH
Malware Config
Signatures
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | 01964799.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\vmcjtvcetvv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\01964799.exe" | 01964799.exe
Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) by 01964799.exe, one IoC per drive letter, in the order recorded: \??\P:, \??\Z:, \??\F:, \??\G:, \??\I:, \??\N:, \??\O:, \??\Q:, \??\A:, \??\J:, \??\K:, \??\L:, \??\M:, \??\B:, \??\R:, \??\T:, \??\X:, \??\Y:, \??\W:, \??\E:, \??\H:, \??\S:, \??\U:, \??\V:
Program crash (1 IoC)
pid | pid_target | Process | procid_target
524 | 1308 | WerFault.exe | 27
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 01964799.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 01964799.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | 01964799.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
1308 | 01964799.exe
1308 | 01964799.exe
Suspicious use of WriteProcessMemory (4 IoCs)
description | pid | Process | procid_target
PID 1308 wrote to memory of 524 | 1308 | 01964799.exe | 30
PID 1308 wrote to memory of 524 | 1308 | 01964799.exe | 30
PID 1308 wrote to memory of 524 | 1308 | 01964799.exe | 30
PID 1308 wrote to memory of 524 | 1308 | 01964799.exe | 30
Processes
1. C:\Users\Admin\AppData\Local\Temp\01964799.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\01964799.exe"
   PID: 1308
   - Adds Run key to start application
   - Enumerates connected drives
   - Checks processor information in registry
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\WerFault.exe (child of PID 1308)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1308 -s 704
      PID: 524
      - Program crash