Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

b7bb41cc45...fc.exe

windows7-x64

7

b7bb41cc45...fc.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    134s
  • max time network
    170s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231023-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14/11/2023, 19:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b7bb41cc45beeeda3adf04ec2ccf000de0dcf8aa27910bd0630dce3f4295aefc.exe

  • Size

    2.0MB

  • MD5

    58eb1771504e5dc3fad0d7339c8ae1d8

  • SHA1

    29b8f05728ca59d82927458097edae84f82cfc5c

  • SHA256

    b7bb41cc45beeeda3adf04ec2ccf000de0dcf8aa27910bd0630dce3f4295aefc

  • SHA512

    5f9d5b8bdd9d26e6570b24f168b41d29326aefb201468890b8b1cfccaed166418c7c8e26bbf7bc9fc1bedd480b8783bdb474fbe0eae8a7c237a8c5a24b4a9133

  • SSDEEP

    49152:NSE8T6ifjz5uLN8J24pkypkkkXUzqnLnteAVD/Oo2TC33GdQLNR:0E8Frz88YkAV/yTaWaR

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Program crash 12 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b7bb41cc45beeeda3adf04ec2ccf000de0dcf8aa27910bd0630dce3f4295aefc.exe
    "C:\Users\Admin\AppData\Local\Temp\b7bb41cc45beeeda3adf04ec2ccf000de0dcf8aa27910bd0630dce3f4295aefc.exe"
    1⤵
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:1624
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1624 -s 344
      2⤵
      • Program crash
      PID:1636
    • C:\Users\Admin\AppData\Local\Temp\b7bb41cc45beeeda3adf04ec2ccf000de0dcf8aa27910bd0630dce3f4295aefc.exe
      C:\Users\Admin\AppData\Local\Temp\b7bb41cc45beeeda3adf04ec2ccf000de0dcf8aa27910bd0630dce3f4295aefc.exe
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of UnmapMainImage
      PID:1424
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1424 -s 344
        3⤵
        • Program crash
        PID:5008
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1424 -s 636
        3⤵
        • Program crash
        PID:4796
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1424 -s 632
        3⤵
        • Program crash
        PID:756
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1424 -s 632
        3⤵
        • Program crash
        PID:5012
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1424 -s 720
        3⤵
        • Program crash
        PID:2456
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1424 -s 904
        3⤵
        • Program crash
        PID:3796
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1424 -s 1408
        3⤵
        • Program crash
        PID:3996
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1424 -s 1472
        3⤵
        • Program crash
        PID:4292
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1424 -s 1488
        3⤵
        • Program crash
        PID:1260
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1424 -s 1480
        3⤵
        • Program crash
        PID:4428
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1424 -s 1680
        3⤵
        • Program crash
        PID:3964
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1624 -ip 1624
    1⤵
      PID:4420
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1424 -ip 1424
      1⤵
        PID:4468
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1424 -ip 1424
        1⤵
          PID:1508
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1424 -ip 1424
          1⤵
            PID:4904
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1424 -ip 1424
            1⤵
              PID:804
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1424 -ip 1424
              1⤵
                PID:3912
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1424 -ip 1424
                1⤵
                  PID:2904
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 1424 -ip 1424
                  1⤵
                    PID:1192
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1424 -ip 1424
                    1⤵
                      PID:3836
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 1424 -ip 1424
                      1⤵
                        PID:60
                      • C:\Windows\SysWOW64\WerFault.exe
                        C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 1424 -ip 1424
                        1⤵
                          PID:3416
                        • C:\Windows\SysWOW64\WerFault.exe
                          C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 1424 -ip 1424
                          1⤵
                            PID:3972

                          Network

                          MITRE ATT&CK Enterprise v15

                          Replay Monitor

                          Loading Replay Monitor...

                          Downloads

                          • C:\Users\Admin\AppData\Local\Temp\b7bb41cc45beeeda3adf04ec2ccf000de0dcf8aa27910bd0630dce3f4295aefc.exe
                            Filesize

                            2.0MB

                            MD5

                            de8c9b9af4940b4766d791002f5bd380

                            SHA1

                            4663631b3a247885186c36be45ff27f1a6ea8bd7

                            SHA256

                            ad7e0a52e0a80959e6f48de829e0d82a7e4eff57f0c034d27e55dda2b8bcbb56

                            SHA512

                            6c79f0de20fc0bd9c3a544df747a0181f0bbd4a971f083994581430a9ede238589fd3a5e1b0ba06552511269e068cb544a4c1af6fdd93c81e5cb9924477c6040

                            Download Submit

                          • memory/1424-7-0x0000000000400000-0x0000000000503000-memory.dmp

                            Filesize

                            1.0MB

                            Download

                          • memory/1424-8-0x0000000005200000-0x0000000005303000-memory.dmp

                            Filesize

                            1.0MB

                            Download

                          • memory/1424-9-0x0000000000400000-0x00000000004B8000-memory.dmp

                            Filesize

                            736KB

                            Download

                          • memory/1424-18-0x0000000000400000-0x000000000044E000-memory.dmp

                            Filesize

                            312KB

                            Download

                          • memory/1424-20-0x000000000BA30000-0x000000000BAE8000-memory.dmp

                            Filesize

                            736KB

                            Download

                          • memory/1624-0-0x0000000000400000-0x0000000000503000-memory.dmp

                            Filesize

                            1.0MB

                            Download

                          • memory/1624-6-0x0000000000400000-0x0000000000503000-memory.dmp

                            Filesize

                            1.0MB

                            Download