Analysis
- max time kernel: 35s
- max time network: 124s
- platform: windows10-2004_x64
- resource: win10v2004-20230915-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11/10/2023, 12:05
Behavioral task: behavioral1
- Sample: ff2c31d7ff4d0d36fbe7920948462cba68a8f68a8972471eb20799fd4f219264.exe
- Resource: win7-20230831-en
Behavioral task: behavioral2
- Sample: ff2c31d7ff4d0d36fbe7920948462cba68a8f68a8972471eb20799fd4f219264.exe
- Resource: win10v2004-20230915-en
General
- Target: ff2c31d7ff4d0d36fbe7920948462cba68a8f68a8972471eb20799fd4f219264.exe
- Size: 6.0MB
- MD5: f4ab1b42d214bf08b07e1678eaa91aaf
- SHA1: dc74a1ed442abf0f2e7cc7f1b0d1ea88ed8350a0
- SHA256: ff2c31d7ff4d0d36fbe7920948462cba68a8f68a8972471eb20799fd4f219264
- SHA512: 15fc6384631cf97b3a2d8c9e314867206b6e0e6859a49df661da663782e1ae78c812ea707ddf26930faa5f452f01f70ddebfb51b749542b7c8879ff373685ad9
- SSDEEP: 98304:SCt1JY9zA6L+d9ggTr5oCQn+ae4lPI7TCXAFRab/6/k4z/xZXIVdbs2I:Sw1J0zApqar5o+NzCXcRaT6/k4zxZYV+
Malware Config
Signatures
-
  resource                                                                      yara_rule
  behavioral2/memory/1400-0-0x0000000000400000-0x000000000193F000-memory.dmp    upx
  behavioral2/memory/1400-1-0x0000000003BB0000-0x0000000003BD6000-memory.dmp    upx
  behavioral2/memory/1400-2-0x0000000003BB0000-0x0000000003BD6000-memory.dmp    upx
  behavioral2/memory/1400-5-0x0000000003BB0000-0x0000000003BD6000-memory.dmp    upx
  behavioral2/memory/1400-7-0x0000000003BB0000-0x0000000003BD6000-memory.dmp    upx
  behavioral2/memory/1400-9-0x0000000003BB0000-0x0000000003BD6000-memory.dmp    upx
  behavioral2/memory/1400-12-0x0000000003BB0000-0x0000000003BD6000-memory.dmp   upx
  behavioral2/memory/1400-13-0x0000000003BB0000-0x0000000003BD6000-memory.dmp   upx
  behavioral2/memory/1400-11-0x0000000003BB0000-0x0000000003BD6000-memory.dmp   upx
  behavioral2/memory/1400-18-0x0000000000400000-0x000000000193F000-memory.dmp   upx
  behavioral2/memory/1400-19-0x0000000000400000-0x000000000193F000-memory.dmp   upx
  behavioral2/memory/1400-24-0x0000000000400000-0x000000000193F000-memory.dmp   upx
  behavioral2/memory/1400-29-0x0000000000400000-0x000000000193F000-memory.dmp   upx
- Program crash 1 IoCs
  pid   pid_target  Process       procid_target
  2472  1400        WerFault.exe  81
- Gathers system information 1 TTPs 1 IoCs
  Runs systeminfo.exe.
  pid  Process
  992  systeminfo.exe
- Suspicious use of SetWindowsHookEx 3 IoCs
  pid   Process
  1400  ff2c31d7ff4d0d36fbe7920948462cba68a8f68a8972471eb20799fd4f219264.exe
  1400  ff2c31d7ff4d0d36fbe7920948462cba68a8f68a8972471eb20799fd4f219264.exe
  1400  ff2c31d7ff4d0d36fbe7920948462cba68a8f68a8972471eb20799fd4f219264.exe
- Suspicious use of WriteProcessMemory 6 IoCs
  description                        pid   Process                                                                 procid_target
  PID 1400 wrote to memory of 3952   1400  ff2c31d7ff4d0d36fbe7920948462cba68a8f68a8972471eb20799fd4f219264.exe  88
  PID 1400 wrote to memory of 3952   1400  ff2c31d7ff4d0d36fbe7920948462cba68a8f68a8972471eb20799fd4f219264.exe  88
  PID 1400 wrote to memory of 3952   1400  ff2c31d7ff4d0d36fbe7920948462cba68a8f68a8972471eb20799fd4f219264.exe  88
  PID 3952 wrote to memory of 992    3952  cmd.exe                                                                 90
  PID 3952 wrote to memory of 992    3952  cmd.exe                                                                 90
  PID 3952 wrote to memory of 992    3952  cmd.exe                                                                 90
Processes
- C:\Users\Admin\AppData\Local\Temp\ff2c31d7ff4d0d36fbe7920948462cba68a8f68a8972471eb20799fd4f219264.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ff2c31d7ff4d0d36fbe7920948462cba68a8f68a8972471eb20799fd4f219264.exe"
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1400
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c systeminfo > "C:\Users\Admin\AppData\Local\Temp\\systeminfo.txt"
    - Suspicious use of WriteProcessMemory
    PID:3952
    - C:\Windows\SysWOW64\systeminfo.exe
      Command line: systeminfo
      - Gathers system information
      PID:992
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1400 -s 1044
    - Program crash
    PID:2472
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1400 -ip 1400
  PID:4532
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2KB
  MD5: 09ef3b742f342dff83d3e634dd3016d2
  SHA1: d4af43f0603b7524e7594e224b8c92e853f1bf68
  SHA256: 46edfb76d88988617a36d2521a8c0a7c2a23346538c11be0dda2e71a51ebbdb6
  SHA512: a9f237614c9736bb29094abc01e48ef38548b3d1f33657d70ef97935f8dddb507863a5c0be1c61a9e8c60636a81e63c9b28d7a9c2d955e4801c78ddd7e57ea70