Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 142s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20230915-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04/10/2023, 22:20
Static task
static1: 1 signatures
Behavioral task
behavioral1: sample ffb5e1089873e7f4f9e9976e927c2503.exe, resource win7-20230831-en, 5 signatures, 150 seconds
Behavioral task
behavioral2: sample ffb5e1089873e7f4f9e9976e927c2503.exe, resource win10v2004-20230915-en, 5 signatures, 150 seconds
General
Target: ffb5e1089873e7f4f9e9976e927c2503.exe
Size: 2.1MB
MD5: ffb5e1089873e7f4f9e9976e927c2503
SHA1: d57fc95b852ba68ad7fe44a768a8cd2879424e6f
SHA256: 65a68201d9709f5f3d07fe60b0b693983e2480197b6d9f570b6e78e49deade24
SHA512: 3b462c2728868408542527ae8b5de5844825bd11ef3884e361b17d8eef860f37f8b3f6a69e22cce22d2588d5123b3cabf39ebb0626c55f5383f153aa73cf6f40
SSDEEP: 24576:5P+HSWxc52h9AWkdsHbf6a9DhvhcuoORqZFB8ju:N52h9AqHr6a3veuoO8FBp
Score: 6/10
Malware Config
Signatures
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  PID 352 set thread context of 4488 | 352 | ffb5e1089873e7f4f9e9976e927c2503.exe | 85
- Program crash (1 IoC)
  pid | pid_target | Process | procid_target
  4828 | 352 | WerFault.exe | 81
- Suspicious behavior: EnumeratesProcesses (40 IoCs)
  pid | Process
  4488 | AppLaunch.exe (40 identical entries)
- Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | Process | procid_target
  PID 352 wrote to memory of 4488 | 352 | ffb5e1089873e7f4f9e9976e927c2503.exe | 85 (9 identical entries)
Processes
C:\Users\Admin\AppData\Local\Temp\ffb5e1089873e7f4f9e9976e927c2503.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\ffb5e1089873e7f4f9e9976e927c2503.exe"
  PID: 352
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      PID: 4488
      - Suspicious behavior: EnumeratesProcesses
    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 352 -s 388
      PID: 4828
      - Program crash
C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 352 -ip 352
  PID: 32
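The signature tables and the process tree above together show the sample (PID 352) spawning the .NET host AppLaunch.exe (PID 4488), writing into its memory nine times, then setting a thread context in it, after which the child, not the parent, enumerates processes. That sequence is consistent with RunPE-style process hollowing, though the report does not name it. The script below is an added example, not part of the tria.ge report or its tooling: it rebuilds the report's IoC rows and process tree as constructed data and applies a correlation rule of my own (same parent both writes into and rewrites a thread context of its own child) to surface the injection and summarise what the injected child did afterwards.

```python
"""Added example, not part of the tria.ge report or its tooling: correlate the
report's IoC rows into a process-injection verdict.

EVENTS and TREE are transcribed from this report (9 WriteProcessMemory rows,
1 SetThreadContext row, 40 EnumeratesProcesses rows, PIDs 352/4488/4828).
The rule itself, flagging a parent that both writes into a child's memory and
sets one of the child's thread contexts, is this example's heuristic for the
WriteProcessMemory + SetThreadContext sequence used by RunPE-style hollowing;
it is not a tria.ge signature.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Event:
    kind: str                      # IoC category as named in the report
    pid: int                       # acting process
    process: str                   # acting image name
    target: Optional[int] = None   # target PID, where the category has one


# Constructed from the report's signature tables.
SAMPLE = "ffb5e1089873e7f4f9e9976e927c2503.exe"
EVENTS = (
    [Event("WriteProcessMemory", 352, SAMPLE, 4488)] * 9
    + [Event("SetThreadContext", 352, SAMPLE, 4488)]
    + [Event("EnumeratesProcesses", 4488, "AppLaunch.exe")] * 40
)

# Constructed from the report's process tree: pid -> (parent pid, image path).
TREE = {
    352: (None, r"C:\Users\Admin\AppData\Local\Temp\ffb5e1089873e7f4f9e9976e927c2503.exe"),
    4488: (352, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"),
    4828: (352, r"C:\Windows\SysWOW64\WerFault.exe"),
}

WINDOWS_DIR = "c:\\windows\\"


def is_windows_resident(image: str) -> bool:
    """True when the target lives under the Windows directory, i.e. the injected
    host is an OS-shipped binary (the signed .NET host AppLaunch.exe here)."""
    return image.lower().startswith(WINDOWS_DIR)


def find_injections(events, tree):
    """Return one record per (source, target) pair where the source wrote into
    the target's memory AND set a thread context in it, and the target is the
    source's direct child. Counts of each primitive are kept for triage."""
    writes = Counter()
    ctx = Counter()
    for e in events:
        if e.target is None:
            continue
        if e.kind == "WriteProcessMemory":
            writes[(e.pid, e.target)] += 1
        elif e.kind == "SetThreadContext":
            ctx[(e.pid, e.target)] += 1

    hits = []
    for src, tgt in writes.keys() & ctx.keys():
        parent, image = tree.get(tgt, (None, ""))
        if parent != src:
            continue  # injection into an unrelated process is a different signal
        hits.append({
            "source": src,
            "target": tgt,
            "target_image": image,
            "writes": writes[(src, tgt)],
            "context_sets": ctx[(src, tgt)],
            "hollowed_os_binary": is_windows_resident(image),
        })
    return sorted(hits, key=lambda h: (h["source"], h["target"]))


def post_injection_activity(events, target_pid):
    """What the injected process did afterwards, counted by IoC category."""
    return dict(Counter(e.kind for e in events if e.pid == target_pid))


if __name__ == "__main__":
    for hit in find_injections(EVENTS, TREE):
        print(hit)
        print("child activity:", post_injection_activity(EVENTS, hit["target"]))
```

Requiring both primitives keeps the rule quiet on ordinary parents that only write to a child (debuggers, some installers), and the parent-child check keeps the WerFault.exe rows out of the verdict: the crash handler targets PID 352 but is launched by the OS, not written into by the sample. On this report the only hit is 352 -> 4488, with AppLaunch.exe flagged as a Windows-resident host and all 40 process enumerations attributed to the child.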