Analysis
- max time kernel: 158s
- max time network: 166s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22/12/2023, 13:17
Static task: static1
Behavioral task: behavioral1
- Sample: 9e026042beea2469af4b31301fe94a72.exe
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: 9e026042beea2469af4b31301fe94a72.exe
- Resource: win10v2004-20231215-en
General
- Target: 9e026042beea2469af4b31301fe94a72.exe
- Size: 2.0MB
- MD5: 9e026042beea2469af4b31301fe94a72
- SHA1: 7363a0224c9d4498952cbd8c122f7729837e2bbb
- SHA256: 50956c28d06ae321e79482964bce864bb07c552241017cb152a69c8078fea18c
- SHA512: e28861396f6d0f274fbad21ca382dc0a7b039a3a5370f1cc12ef12b61d6b7f2561bd45535666c225f1b368542d0815ffe4abbfa9a6b5c732760234d4e948a690
- SSDEEP: 49152:2Syg4ubqAus098gygLHgpoQnB+UU6agyg:UgVMsk8oQnfU
Malware Config
Signatures
- Deletes itself (1 IoC)
  pid   Process
  4792  9e026042beea2469af4b31301fe94a72.exe
- Executes dropped EXE (1 IoC)
  pid   Process
  4792  9e026042beea2469af4b31301fe94a72.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTP)
- Program crash (13 IoCs)
  pid   pid_target  Process       procid_target
  2344  464         WerFault.exe  87
  1732  4792        WerFault.exe  95
  2988  4792        WerFault.exe  95
  908   4792        WerFault.exe  95
  364   4792        WerFault.exe  95
  2124  4792        WerFault.exe  95
  1856  4792        WerFault.exe  95
  1620  4792        WerFault.exe  95
  3640  4792        WerFault.exe  95
  2528  4792        WerFault.exe  95
  4912  4792        WerFault.exe  95
  3616  4792        WerFault.exe  95
  1488  4792        WerFault.exe  95
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  4792  9e026042beea2469af4b31301fe94a72.exe
  4792  9e026042beea2469af4b31301fe94a72.exe
- Suspicious behavior: RenamesItself (1 IoC)
  pid   Process
  464   9e026042beea2469af4b31301fe94a72.exe
- Suspicious use of UnmapMainImage (1 IoC)
  pid   Process
  4792  9e026042beea2469af4b31301fe94a72.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description                      pid  Process                               procid_target
  PID 464 wrote to memory of 4792  464  9e026042beea2469af4b31301fe94a72.exe  95
  PID 464 wrote to memory of 4792  464  9e026042beea2469af4b31301fe94a72.exe  95
  PID 464 wrote to memory of 4792  464  9e026042beea2469af4b31301fe94a72.exe  95
Processes
- "C:\Users\Admin\AppData\Local\Temp\9e026042beea2469af4b31301fe94a72.exe" (PID 464)
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WerFault.exe -u -p 464 -s 344 (PID 2344)
    - Program crash
  - C:\Users\Admin\AppData\Local\Temp\9e026042beea2469af4b31301fe94a72.exe (PID 4792)
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    - C:\Windows\SysWOW64\WerFault.exe -u -p 4792 -s 344 (PID 1732)
      - Program crash
    - C:\Windows\SysWOW64\WerFault.exe -u -p 4792 -s 636 (PID 2988)
      - Program crash
    - C:\Windows\SysWOW64\WerFault.exe -u -p 4792 -s 652 (PID 908)
      - Program crash
    - C:\Windows\SysWOW64\WerFault.exe -u -p 4792 -s 664 (PID 364)
      - Program crash
    - C:\Windows\SysWOW64\WerFault.exe -u -p 4792 -s 720 (PID 2124)
      - Program crash
    - C:\Windows\SysWOW64\WerFault.exe -u -p 4792 -s 904 (PID 1856)
      - Program crash
    - C:\Windows\SysWOW64\WerFault.exe -u -p 4792 -s 1396 (PID 1620)
      - Program crash
    - C:\Windows\SysWOW64\WerFault.exe -u -p 4792 -s 1440 (PID 3640)
      - Program crash
    - C:\Windows\SysWOW64\WerFault.exe -u -p 4792 -s 1492 (PID 2528)
      - Program crash
    - C:\Windows\SysWOW64\WerFault.exe -u -p 4792 -s 1516 (PID 4912)
      - Program crash
    - C:\Windows\SysWOW64\WerFault.exe -u -p 4792 -s 1664 (PID 3616)
      - Program crash
    - C:\Windows\SysWOW64\WerFault.exe -u -p 4792 -s 1684 (PID 1488)
      - Program crash
- C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 464 -ip 464 (PID 4972)
- C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4792 -ip 4792 (PID 3612)
- C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4792 -ip 4792 (PID 4140)
- C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4792 -ip 4792 (PID 4896)
- C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4792 -ip 4792 (PID 1816)
- C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4792 -ip 4792 (PID 3616)
- C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4792 -ip 4792 (PID 4388)
- C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4792 -ip 4792 (PID 4100)
- C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4792 -ip 4792 (PID 3016)
- C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4792 -ip 4792 (PID 3636)
- C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4792 -ip 4792 (PID 1940)
- C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4792 -ip 4792 (PID 4744)
- C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4792 -ip 4792 (PID 4156)
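The process tree above is a flat list of command lines; what a responder wants from it is who crashed, how often, and who launched the reporter. The Python below is an added example, not code from the Triage report or its tooling: it parses the two WerFault.exe command-line forms that appear in the tree (`-u -p <pid> -s <event>` and `-pss -s <n> -p <pid> -ip <pid>`), counts reports per faulting PID, checks that each in-process reporter was spawned by the PID it reports on, and lists children launched from the same image as their parent. The process list is constructed from this page; the reading of the `-pss` helpers as started by the WER service rather than by the sample is an assumption, as is the parser's assumption that image paths contain no spaces (true here).

```python
"""Aggregate WerFault.exe crash reports from a sandbox process list.

Added example, not part of the Triage report: it parses the WerFault command lines
in this report's process tree and groups them by the PID that faulted.
"""
import re
from collections import Counter

# Constructed from this report's process list: (pid, parent_pid, command_line).
# The top-level "-pss" helpers have no parent in the tree, so parent_pid is None.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\9e026042beea2469af4b31301fe94a72.exe"
WER = r"C:\Windows\SysWOW64\WerFault.exe"
PROCESSES = [
    (464, None, f'"{SAMPLE}"'),
    (2344, 464, f"{WER} -u -p 464 -s 344"),
    (4792, 464, SAMPLE),
] + [
    (pid, 4792, f"{WER} -u -p 4792 -s {event}")
    for pid, event in [(1732, 344), (2988, 636), (908, 652), (364, 664), (2124, 720),
                       (1856, 904), (1620, 1396), (3640, 1440), (2528, 1492),
                       (4912, 1516), (3616, 1664), (1488, 1684)]
] + [
    (pid, None, f"{WER} -pss -s {n} -p {target} -ip {target}")
    for pid, n, target in [(4972, 452, 464), (3612, 184, 4792), (4140, 448, 4792),
                           (4896, 460, 4792), (1816, 448, 4792), (3616, 496, 4792),
                           (4388, 408, 4792), (4100, 408, 4792), (3016, 448, 4792),
                           (3636, 496, 4792), (1940, 492, 4792), (4744, 548, 4792),
                           (4156, 448, 4792)]
]

_WERFAULT = re.compile(r"(?:^|\\)werfault\.exe$", re.IGNORECASE)


def parse_werfault(cmdline):
    """Return {'mode', 'target', 'arg'} for a WerFault.exe command line, else None.

    Two forms appear in the report:
      -u -p <pid> -s <event>          user-mode reporter spawned by the faulting process
      -pss -s <n> -p <pid> -ip <pid>  snapshot helper for the same pid (assumed here to be
                                      started by the WER service, hence no parent in the tree)
    Assumes the image path has no spaces, so a plain whitespace split is enough.
    """
    tokens = cmdline.split()
    if not tokens or not _WERFAULT.search(tokens[0].strip('"')):
        return None
    flags = tokens[1:]

    def value(flag):
        try:
            return int(flags[flags.index(flag) + 1])
        except (ValueError, IndexError):
            return None

    target = value("-p")
    if target is None:
        return None
    if "-u" in flags:
        return {"mode": "u", "target": target, "arg": value("-s")}
    if "-pss" in flags:
        return {"mode": "pss", "target": target, "arg": value("-s")}
    return None


def crashes_by_target(processes, mode="u"):
    """Count WerFault invocations of the given mode per reported-on PID."""
    counts = Counter()
    for _pid, _ppid, cmd in processes:
        parsed = parse_werfault(cmd)
        if parsed and parsed["mode"] == mode:
            counts[parsed["target"]] += 1
    return counts


def misparented_reporters(processes):
    """PIDs of '-u' reporters whose parent is not the PID they report on.

    A genuine in-process reporter is launched by the faulting process itself; any
    other process running 'WerFault.exe -u -p <pid>' deserves a closer look.
    """
    return [pid for pid, ppid, cmd in processes
            if (p := parse_werfault(cmd)) and p["mode"] == "u" and ppid != p["target"]]


def survivors(processes, threshold=2):
    """PIDs reported on at least `threshold` times.

    Each '-u' reporter is one unhandled exception; a second report for the same PID
    means the process outlived the first fault rather than terminating.
    """
    return sorted(pid for pid, n in crashes_by_target(processes).items() if n >= threshold)


def same_image_children(processes):
    """(parent, child) pairs where the child runs the same image path as its parent.

    Here that is 464 -> 4792; together with RenamesItself and WriteProcessMemory on the
    parent and UnmapMainImage plus 'Deletes itself' on the child, it is the
    self-replacement pattern the report's signatures point at.
    """
    image = {pid: cmd.split()[0].strip('"').lower() for pid, _ppid, cmd in processes}
    return [(ppid, pid) for pid, ppid, _cmd in processes
            if ppid in image and image[ppid] == image[pid]]


if __name__ == "__main__":
    print("user-mode reports per PID:", dict(crashes_by_target(PROCESSES)))
    print("snapshot helpers per PID: ", dict(crashes_by_target(PROCESSES, mode="pss")))
    print("misparented reporters:    ", misparented_reporters(PROCESSES))
    print("PIDs that survived faults:", survivors(PROCESSES))
    print("same-image children:      ", same_image_children(PROCESSES))
```

On this report the counts come out as one report for PID 464 and twelve for PID 4792 in both modes, no misparented reporters, and a single same-image pair (464, 4792); PID 4792 is the only process that kept running after a fault, which is where to look first in the trace.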
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1.2MB
  MD5: af2492d83d3ad4b6d71c6ed69b4804f2
  SHA1: 48137291556bc1bff2987331226ab668e2d055fa
  SHA256: 1f5c86c21c23b605b71bfbaaf591b50f60f07b6e9b1b31e93b90c0d74cd31b6b
  SHA512: 911d37d9c1712c200371ac79122cd77bd5e55682082752cc8929dfec9731c3df24b8bfa5b0c4bc7fe0df9d0b881b28883be84732a4ba89b41b513e48d226bfff