Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 27s
- max time network: 31s
- platform: windows7_x64
- resource: win7-20230703-en
- resource tags: arch:x64, arch:x86, image:win7-20230703-en, locale:en-us, os:windows7-x64, system
- submitted: 08/07/2023, 17:56
Behavioral task: behavioral1
- Sample: 5e8c7a00e9e378exeexeexeex.exe
- Resource: win7-20230703-en
Behavioral task: behavioral2
- Sample: 5e8c7a00e9e378exeexeexeex.exe
- Resource: win10v2004-20230703-en
General
- Target: 5e8c7a00e9e378exeexeexeex.exe
- Size: 70KB
- MD5: 5e8c7a00e9e378f5971595f71be27ae9
- SHA1: f22dc83431cf3b1cebc123266a4b1631c324907c
- SHA256: 970135a6cb6d6916ea2b31ceef2cf5df733deaebc95d3e7cc41be2a2b6d386e1
- SHA512: 7b6eb68fb7fa87388edd1ecbeeb6d819307a1d4529cf598a94776a97050de60af3a9bf5d0015c62d1f3b5d563131ee165bef98ef17ef09375dad6dc1aef1f1dc
- SSDEEP: 1536:WZZZZZZZZZZZZpXzzzzzzzzzzzzADypczUk+lkZJngWMqqU+2bbbAV2/S2OvvdZl:Fd5BJHMqqDL2/OvvdrH
Malware Config
Signatures
Adds Run key to start application (2 TTPs, 2 IoCs)
- Key created: \REGISTRY\USER\S-1-5-21-2859459355-424593036-1984306042-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce (process: 5e8c7a00e9e378exeexeexeex.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2859459355-424593036-1984306042-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\fltfkttwqvx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5e8c7a00e9e378exeexeexeex.exe" (process: 5e8c7a00e9e378exeexeexeex.exe)
Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
- File opened (read-only) by 5e8c7a00e9e378exeexeexeex.exe: \??\N:, \??\R:, \??\T:, \??\V:, \??\M:, \??\K:, \??\P:, \??\S:, \??\J:, \??\L:, \??\O:, \??\X:, \??\B:, \??\E:, \??\F:, \??\G:, \??\H:, \??\I:, \??\Q:, \??\U:, \??\A:, \??\Y:, \??\Z:, \??\W:
Program crash (1 IoC)
- pid 2884 (WerFault.exe), pid_target 2332, procid_target 27
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (process: 5e8c7a00e9e378exeexeexeex.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (process: 5e8c7a00e9e378exeexeexeex.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier (process: 5e8c7a00e9e378exeexeexeex.exe)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
- pid 2332, process 5e8c7a00e9e378exeexeexeex.exe
- pid 2332, process 5e8c7a00e9e378exeexeexeex.exe
Suspicious use of WriteProcessMemory (4 IoCs)
- PID 2332 wrote to memory of 2884 (process: 5e8c7a00e9e378exeexeexeex.exe, procid_target 29)
- PID 2332 wrote to memory of 2884 (process: 5e8c7a00e9e378exeexeexeex.exe, procid_target 29)
- PID 2332 wrote to memory of 2884 (process: 5e8c7a00e9e378exeexeexeex.exe, procid_target 29)
- PID 2332 wrote to memory of 2884 (process: 5e8c7a00e9e378exeexeexeex.exe, procid_target 29)
Processes
- C:\Users\Admin\AppData\Local\Temp\5e8c7a00e9e378exeexeexeex.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5e8c7a00e9e378exeexeexeex.exe"
  PID: 2332
  - Adds Run key to start application
  - Enumerates connected drives
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WerFault.exe (child of PID 2332)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2332 -s 508
    PID: 2884
    - Program crash