Analysis
Max time kernel: 140s
Max time network: 158s
Platform: windows10-2004_x64
Resource: win10v2004-20231215-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 26/12/2023, 15:50
Static task: static1
Behavioral task: behavioral1
  Sample: 7a4200f2f3c210f3a24927b5d6fb61e2.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 7a4200f2f3c210f3a24927b5d6fb61e2.exe
  Resource: win10v2004-20231215-en
General
Target: 7a4200f2f3c210f3a24927b5d6fb61e2.exe
Size: 87KB
MD5: 7a4200f2f3c210f3a24927b5d6fb61e2
SHA1: f731e312af80f0cc6b73ae28b5431c83f52f8a37
SHA256: 75feb7e282987ce9f4a072b4c32ad2b3313cc65206fcb1a1e04ef7194709d4e8
SHA512: aa03837c8d8ad68a5af0a5eb41148ffb0134113faf9cc92128f7d14892e5145713c690951920cf8312fdc0ab02f7535234c570b0f34a629d6e88dbdf14959d82
SSDEEP: 768:6x39TEu51YZP9euPoUPlLx39TEu51YZP9euPoUPlDOdQC+NaH9K7lgiJ2SR7mcd7:6bsP9evUPBbsP9evUPBOfin
Malware Config
Signatures

Executes dropped EXE (2 IoCs)
  pid    Process
  1608   ntldr.exe
  4060   ntldr.exe

Drops file in System32 directory (5 IoCs)
  description                    ioc                                Process
  File opened for modification   C:\Windows\SysWOW64\ntldr.exe      7a4200f2f3c210f3a24927b5d6fb61e2.exe
  File created                   C:\Windows\SysWOW64\ntldr.exe      7a4200f2f3c210f3a24927b5d6fb61e2.exe
  File opened for modification   C:\Windows\SysWOW64\RCXB575.tmp    7a4200f2f3c210f3a24927b5d6fb61e2.exe
  File opened for modification   C:\Windows\SysWOW64\ntldr.exe      ntldr.exe
  File created                   C:\Windows\SysWOW64\ntldr.exe      ntldr.exe

Suspicious use of SetThreadContext (2 IoCs)
  description                            pid    Process                                procid_target
  PID 3948 set thread context of 1920    3948   7a4200f2f3c210f3a24927b5d6fb61e2.exe   88
  PID 1608 set thread context of 4060    1608   ntldr.exe                              92

Program crash (2 IoCs)
  pid    pid_target   Process        procid_target
  3052   4060         WerFault.exe   92
  2904   1920         WerFault.exe   88

Suspicious use of WriteProcessMemory (23 IoCs; identical rows grouped, count in first column)
  count   description                        pid    Process                                procid_target
  10      PID 3948 wrote to memory of 1920   3948   7a4200f2f3c210f3a24927b5d6fb61e2.exe   88
  3       PID 1920 wrote to memory of 1608   1920   7a4200f2f3c210f3a24927b5d6fb61e2.exe   89
  10      PID 1608 wrote to memory of 4060   1608   ntldr.exe                              92
Processes (indentation shows parent/child relationship)

- C:\Users\Admin\AppData\Local\Temp\7a4200f2f3c210f3a24927b5d6fb61e2.exe (PID 3948)
  command line: "C:\Users\Admin\AppData\Local\Temp\7a4200f2f3c210f3a24927b5d6fb61e2.exe"
  signatures: Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\7a4200f2f3c210f3a24927b5d6fb61e2.exe (PID 1920)
    command line: "C:\Users\Admin\AppData\Local\Temp\7a4200f2f3c210f3a24927b5d6fb61e2.exe"
    signatures: Drops file in System32 directory; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\ntldr.exe (PID 1608)
      command line: "C:\Windows\system32\ntldr.exe"
      signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\ntldr.exe (PID 4060)
        command line: "C:\Windows\SysWOW64\ntldr.exe"
        signatures: Executes dropped EXE; Drops file in System32 directory
        - C:\Windows\SysWOW64\WerFault.exe (PID 3052)
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4060 -s 360
          signatures: Program crash
    - C:\Windows\SysWOW64\WerFault.exe (PID 2904)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1920 -s 320
      signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe (PID 1264)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4060 -ip 4060
- C:\Windows\SysWOW64\WerFault.exe (PID 2156)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1920 -ip 1920
Network
MITRE ATT&CK Matrix
Downloads
Filesize: 87KB
MD5: 7a4200f2f3c210f3a24927b5d6fb61e2
SHA1: f731e312af80f0cc6b73ae28b5431c83f52f8a37
SHA256: 75feb7e282987ce9f4a072b4c32ad2b3313cc65206fcb1a1e04ef7194709d4e8
SHA512: aa03837c8d8ad68a5af0a5eb41148ffb0134113faf9cc92128f7d14892e5145713c690951920cf8312fdc0ab02f7535234c570b0f34a629d6e88dbdf14959d82