Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    148s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22/12/2023, 12:07

General

  • Target

    8afc556fe140562dd935372ebef6b31b.exe

  • Size

    3.9MB

  • MD5

    8afc556fe140562dd935372ebef6b31b

  • SHA1

    beea218fe81d1afdeafb3de2bd1b5f4873f73bce

  • SHA256

    7a49ee804b6280b6895f21c33b02ed8e01f6296350a67840f591d6a540d37e96

  • SHA512

    e11befde24a241e640e8b1276c11990e30cbada013a89cde927667670527e028423b8380e8434d4f5759f285134c6f562c178c2f796c0a4c3c815d7141518fc0

  • SSDEEP

    98304:Byow00q/5cakcibiqhMbMgOn7n0bcakcibiqh9zEdfTbl9PRcakcibiqhMbMgOn1:cow0LdlirybMgOnkdlirnzE9TPPRdlix

Score
7/10
upx

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Program crash 3 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies system certificate store 2 TTPs 5 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8afc556fe140562dd935372ebef6b31b.exe
    "C:\Users\Admin\AppData\Local\Temp\8afc556fe140562dd935372ebef6b31b.exe"
    1⤵
    • Suspicious behavior: RenamesItself
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:4148
    • C:\Users\Admin\AppData\Local\Temp\8afc556fe140562dd935372ebef6b31b.exe
      C:\Users\Admin\AppData\Local\Temp\8afc556fe140562dd935372ebef6b31b.exe
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Modifies system certificate store
      • Suspicious use of UnmapMainImage
      • Suspicious use of WriteProcessMemory
      PID:5040
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\8afc556fe140562dd935372ebef6b31b.exe" /TN EftJtVnu5bdb /F
        3⤵
        • Creates scheduled task(s)
        PID:3720
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c schtasks.exe /Query /XML /TN EftJtVnu5bdb > C:\Users\Admin\AppData\Local\Temp\9Co0Udj.xml
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:800
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks.exe /Query /XML /TN EftJtVnu5bdb
          4⤵
            PID:3948
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 5040 -s 616
          3⤵
          • Program crash
          PID:4868
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 5040 -s 604
          3⤵
          • Program crash
          PID:2364
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 5040 -s 1008
          3⤵
          • Program crash
          PID:4956
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 5040 -ip 5040
      1⤵
        PID:2856
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 5040 -ip 5040
        1⤵
          PID:1936
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5040 -ip 5040
          1⤵
            PID:2184

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\8afc556fe140562dd935372ebef6b31b.exe

            Filesize

            203KB

            MD5

            6849ad2e88ab1e9fb814600416cd2e0e

            SHA1

            8800581c50d6cecaf750423a58c0dba9867845b3

            SHA256

            48f0d46308ad72445aa657d3ad0219d4eefd6bd8af9ed3e8406a48d6054a0024

            SHA512

            d861b049e8c61256b48f56b2d0d8b5299bec41bb7a0c8ae1fc2801de9080433e7c38fa26bb28311fbf0067b011298e5232a8f446f69f5f65d100866e655e2177

          • C:\Users\Admin\AppData\Local\Temp\9Co0Udj.xml

            Filesize

            1KB

            MD5

            4597c34611d4d40a6eff0a617f0ae21c

            SHA1

            b2db33e8b547aa38bba48907b8adaf97397cf15d

            SHA256

            7227e6595342d7e49386a6ff34a26994421cc31a4475c43d809fdcb0df6275f1

            SHA512

            0340c929306b3ebc246ab3de28a1ce4e92556dd2c379f01838e5e0780d70f62f828f64fb3163e229bb60a5a2771cde0962f6d1faffadf07a80e2e4ae80598cac

          • memory/4148-0-0x0000000000400000-0x000000000065C000-memory.dmp

            Filesize

            2.4MB

          • memory/4148-1-0x0000000000400000-0x000000000046B000-memory.dmp

            Filesize

            428KB

          • memory/4148-3-0x0000000001750000-0x00000000017CE000-memory.dmp

            Filesize

            504KB

          • memory/4148-15-0x0000000000400000-0x000000000046B000-memory.dmp

            Filesize

            428KB

          • memory/5040-14-0x0000000000400000-0x000000000065C000-memory.dmp

            Filesize

            2.4MB

          • memory/5040-17-0x0000000024FE0000-0x000000002505E000-memory.dmp

            Filesize

            504KB

          • memory/5040-23-0x0000000000470000-0x00000000004DB000-memory.dmp

            Filesize

            428KB

          • memory/5040-24-0x0000000000400000-0x000000000045B000-memory.dmp

            Filesize

            364KB

          • memory/5040-42-0x0000000000400000-0x000000000065C000-memory.dmp

            Filesize

            2.4MB