Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30/12/2023, 03:57

General

  • Target

    0da29bfbd08da68ac09090ea8ca4a696.exe

  • Size

    400KB

  • MD5

    0da29bfbd08da68ac09090ea8ca4a696

  • SHA1

    46eddfc24b6c84a2faf24419f887694822d0663d

  • SHA256

    fe0789979551b216bcab3c67ae48392f0a4eefc0b6f0714eb86a7143cf395134

  • SHA512

    07b055977b19dac5e3be492873b74112bbc747e1575106d14e3d65cfb4020faae8a48710b250f03e4b9320d9bcd9953dd49f8bb9f15b98eca521c0973aeb8428

  • SSDEEP

    12288:KXGG4Qsmz6vsgtnkgFYjXAmSW2CaXkgLNH:KWjvJhkgmb30XdH

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Program crash 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0da29bfbd08da68ac09090ea8ca4a696.exe
    "C:\Users\Admin\AppData\Local\Temp\0da29bfbd08da68ac09090ea8ca4a696.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4608
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4608 -s 672
      2⤵
      • Program crash
      PID:2148
    • C:\ProgramData\mI42900LjDfP42900\mI42900LjDfP42900.exe
      "C:\ProgramData\mI42900LjDfP42900\mI42900LjDfP42900.exe" "C:\Users\Admin\AppData\Local\Temp\0da29bfbd08da68ac09090ea8ca4a696.exe"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:3552
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3552 -s 668
        3⤵
        • Program crash
        PID:1564
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4608 -ip 4608
    1⤵
      PID:4372
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3552 -ip 3552
      1⤵
        PID:968

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\ProgramData\mI42900LjDfP42900\mI42900LjDfP42900.exe

        Filesize

        400KB

        MD5

        38ba13aa8055077616f5665aa21febef

        SHA1

        7d47a094cd257c35b3518a6617b2f1f70e4d7a81

        SHA256

        f939c13afd59e9157ffd005aee85462b8468ed357e709fe39f50eccd750d1bfb

        SHA512

        a534865e78274d4440f50c731d067e148dbebb9cfc29481bf38fa1152fb71823d8495a88809e467d74367bd6ad0bccf289a134f76d81492c3ca8dff20f1dd140

      • memory/3552-19-0x0000000000400000-0x00000000004C0000-memory.dmp

        Filesize

        768KB

      • memory/3552-22-0x0000000000400000-0x00000000004C0000-memory.dmp

        Filesize

        768KB

      • memory/3552-29-0x0000000000400000-0x00000000004C0000-memory.dmp

        Filesize

        768KB

      • memory/4608-0-0x0000000000640000-0x0000000000643000-memory.dmp

        Filesize

        12KB

      • memory/4608-6-0x0000000000400000-0x00000000004C0000-memory.dmp

        Filesize

        768KB

      • memory/4608-12-0x0000000000400000-0x00000000004C0000-memory.dmp

        Filesize

        768KB