Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

9e026042be...72.exe

windows7-x64

7

9e026042be...72.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    158s
  • max time network
    166s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22/12/2023, 13:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9e026042beea2469af4b31301fe94a72.exe

  • Size

    2.0MB

  • MD5

    9e026042beea2469af4b31301fe94a72

  • SHA1

    7363a0224c9d4498952cbd8c122f7729837e2bbb

  • SHA256

    50956c28d06ae321e79482964bce864bb07c552241017cb152a69c8078fea18c

  • SHA512

    e28861396f6d0f274fbad21ca382dc0a7b039a3a5370f1cc12ef12b61d6b7f2561bd45535666c225f1b368542d0815ffe4abbfa9a6b5c732760234d4e948a690

  • SSDEEP

    49152:2Syg4ubqAus098gygLHgpoQnB+UU6agyg:UgVMsk8oQnfU

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Program crash 13 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9e026042beea2469af4b31301fe94a72.exe
    "C:\Users\Admin\AppData\Local\Temp\9e026042beea2469af4b31301fe94a72.exe"
    1⤵
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:464
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 464 -s 344
      2⤵
      • Program crash
      PID:2344
    • C:\Users\Admin\AppData\Local\Temp\9e026042beea2469af4b31301fe94a72.exe
      C:\Users\Admin\AppData\Local\Temp\9e026042beea2469af4b31301fe94a72.exe
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of UnmapMainImage
      PID:4792
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4792 -s 344
        3⤵
        • Program crash
        PID:1732
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4792 -s 636
        3⤵
        • Program crash
        PID:2988
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4792 -s 652
        3⤵
        • Program crash
        PID:908
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4792 -s 664
        3⤵
        • Program crash
        PID:364
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4792 -s 720
        3⤵
        • Program crash
        PID:2124
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4792 -s 904
        3⤵
        • Program crash
        PID:1856
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4792 -s 1396
        3⤵
        • Program crash
        PID:1620
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4792 -s 1440
        3⤵
        • Program crash
        PID:3640
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4792 -s 1492
        3⤵
        • Program crash
        PID:2528
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4792 -s 1516
        3⤵
        • Program crash
        PID:4912
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4792 -s 1664
        3⤵
        • Program crash
        PID:3616
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4792 -s 1684
        3⤵
        • Program crash
        PID:1488
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 464 -ip 464
    1⤵
      PID:4972
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4792 -ip 4792
      1⤵
        PID:3612
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4792 -ip 4792
        1⤵
          PID:4140
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4792 -ip 4792
          1⤵
            PID:4896
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4792 -ip 4792
            1⤵
              PID:1816
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4792 -ip 4792
              1⤵
                PID:3616
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4792 -ip 4792
                1⤵
                  PID:4388
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4792 -ip 4792
                  1⤵
                    PID:4100
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4792 -ip 4792
                    1⤵
                      PID:3016
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4792 -ip 4792
                      1⤵
                        PID:3636
                      • C:\Windows\SysWOW64\WerFault.exe
                        C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4792 -ip 4792
                        1⤵
                          PID:1940
                        • C:\Windows\SysWOW64\WerFault.exe
                          C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4792 -ip 4792
                          1⤵
                            PID:4744
                          • C:\Windows\SysWOW64\WerFault.exe
                            C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4792 -ip 4792
                            1⤵
                              PID:4156

                            Network

                            MITRE ATT&CK Enterprise v15

                            Replay Monitor

                            Loading Replay Monitor...

                            Downloads

                            • C:\Users\Admin\AppData\Local\Temp\9e026042beea2469af4b31301fe94a72.exe
                              Filesize

                              1.2MB

                              MD5

                              af2492d83d3ad4b6d71c6ed69b4804f2

                              SHA1

                              48137291556bc1bff2987331226ab668e2d055fa

                              SHA256

                              1f5c86c21c23b605b71bfbaaf591b50f60f07b6e9b1b31e93b90c0d74cd31b6b

                              SHA512

                              911d37d9c1712c200371ac79122cd77bd5e55682082752cc8929dfec9731c3df24b8bfa5b0c4bc7fe0df9d0b881b28883be84732a4ba89b41b513e48d226bfff

                              Download Submit

                            • memory/464-0-0x0000000000400000-0x000000000050D000-memory.dmp

                              Filesize

                              1.1MB

                              Download

                            • memory/464-6-0x0000000000400000-0x000000000050D000-memory.dmp

                              Filesize

                              1.1MB

                              Download

                            • memory/4792-7-0x0000000000400000-0x000000000050D000-memory.dmp

                              Filesize

                              1.1MB

                              Download

                            • memory/4792-8-0x0000000004FA0000-0x00000000050AD000-memory.dmp

                              Filesize

                              1.1MB

                              Download

                            • memory/4792-9-0x0000000000400000-0x00000000004A3000-memory.dmp

                              Filesize

                              652KB

                              Download

                            • memory/4792-19-0x000000000B9D0000-0x000000000BA73000-memory.dmp

                              Filesize

                              652KB

                              Download

                            • memory/4792-18-0x0000000000400000-0x0000000000443000-memory.dmp

                              Filesize

                              268KB

                              Download