Analysis
- max time kernel: 92s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20231130-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231130-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 07/12/2023, 08:09
Static task: static1
Behavioral task: behavioral1
- Sample: purchase orders.exe
- Resource: win7-20231023-en
Behavioral task: behavioral2
- Sample: purchase orders.exe
- Resource: win10v2004-20231130-en
General
- Target: purchase orders.exe
- Size: 407KB
- MD5: e9f8fff3341f84d5f76570fd5068b8b5
- SHA1: 7daebfd9193ff0c4925523d470d71ff12d692f98
- SHA256: 86608bbc9a9aa6e01636680205ef421bc37aeff7312960a821989f1eea7b3540
- SHA512: 80fcd35320752592e7e163b5d50df19c01d061596bc411e0de7a666c156f28973b11fc8760c56a64382b22ddaf2c6aa05092ba1aba496970a0afcf7e6ed935ec
- SSDEEP: 12288:D9WEeYF2adf4qD7Wz+oHvu7oUgLCPj4tF2:D9WEeJhM35UUGAwU
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid 3860, Process uxtaxvs.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-1791582586-1997866593-3795608343-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fnjsso = "C:\\Users\\Admin\\AppData\\Roaming\\yirrnwwgcclhhq\\aavf.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\uxtaxvs.exe\" "
  Process: uxtaxvs.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoC)
  pid 3168, pid_target 3860, Process WerFault.exe, procid_target 20
- Suspicious use of WriteProcessMemory (6 IoCs)
  description / pid / Process / procid_target
  PID 4604 wrote to memory of 3860 / 4604 / purchase orders.exe / 20
  PID 4604 wrote to memory of 3860 / 4604 / purchase orders.exe / 20
  PID 4604 wrote to memory of 3860 / 4604 / purchase orders.exe / 20
  PID 3860 wrote to memory of 4860 / 3860 / uxtaxvs.exe / 30
  PID 3860 wrote to memory of 4860 / 3860 / uxtaxvs.exe / 30
  PID 3860 wrote to memory of 4860 / 3860 / uxtaxvs.exe / 30
Processes
- C:\Users\Admin\AppData\Local\Temp\purchase orders.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\purchase orders.exe"
  PID: 4604
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\uxtaxvs.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\uxtaxvs.exe"
    PID: 3860
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\uxtaxvs.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\uxtaxvs.exe"
      PID: 4860
    - C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3860 -s 680
      PID: 3168
      - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3860 -ip 3860
  PID: 1188
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 334KB
  MD5: 7e9a72d139878ecf2699b44f890e14b8
  SHA1: 23a55bd2a648fe65dc25356beb5be8c44d718147
  SHA256: 545fed32d85fd13dee67e82dba632a2a8f54f7c9a101ef68136c457f5ad6b4e2
  SHA512: bc1d5687488fbff994ac89e149c0607fa02a129742536dd4939f8fc1a3c5815377d17d7c35d197a6b0eac423d44606b8d690ec49ac3dc5992763dc449b414331
- Filesize: 169KB
  MD5: c9fd2ae104aacc62a6d543db3bdf70b2
  SHA1: 4111132302640eaed75782acbe3541c73df03c3a
  SHA256: 66da97b966ac27a59f60aceabad03fb2f5cc74f958147e4031dc7ae188d002df
  SHA512: 706503ba49ecdfb165f2e4d57f71eb7294fdf8f95c4f82e96097251f09d94f56aa32ac27a8c004099e6cb03ad9eab32e428eb06146e6e0178bf19d2c458e26fa