Analysis
Max time kernel: 146s
Max time network: 150s
Platform: windows10-2004_x64
Resource: win10v2004-20231215-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 31/12/2023, 04:24
Static task: static1
Behavioral task: behavioral1
  Sample: 280841448a492e94b1c01f7505d163de.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 280841448a492e94b1c01f7505d163de.exe
  Resource: win10v2004-20231215-en
General
Target: 280841448a492e94b1c01f7505d163de.exe
Size: 649KB
MD5: 280841448a492e94b1c01f7505d163de
SHA1: 1a468c2cba5ceef684ea4f9bdbc1682a5124370b
SHA256: ec6db6613575c19945f4e1ff6d90ecfbb1ab34cbdd30c2d429d86fd132bd557a
SHA512: 81d85f6b7fdbce73e22212d84d5eb47aefd47b52c94d4090d365e9f8eb5b7a00f2b833f0f23606bc150d700d19455b9cbddc23a0d802d203912afc904a3e220c
SSDEEP: 12288:FHyhPBDgO6dsx4tSZvqT4OWADF3Z4mxxfDqVTVOCZvOf:FHyngO4tSZvq1QmXeVTz8f
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  PID 5052: 3_lh.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"F:\\msdownld.tmp\\IXP000.TMP\\\"" by 280841448a492e94b1c01f7505d163de.exe
- Enumerates connected drives (3 TTPs, 3 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) \??\A: by 280841448a492e94b1c01f7505d163de.exe
  File opened (read-only) \??\B: by 280841448a492e94b1c01f7505d163de.exe
  File opened (read-only) \??\E: by 280841448a492e94b1c01f7505d163de.exe
- Program crash (1 IoC)
  PID 4728 (WerFault.exe) handled the crash of target PID 5052
- Suspicious use of WriteProcessMemory (3 IoCs)
  PID 2536 (280841448a492e94b1c01f7505d163de.exe) wrote to memory of PID 5052 (procid_target 19); the same event is reported three times
Processes
- C:\Users\Admin\AppData\Local\Temp\280841448a492e94b1c01f7505d163de.exe (PID 2536)
  Command line: "C:\Users\Admin\AppData\Local\Temp\280841448a492e94b1c01f7505d163de.exe"
  Signatures: Adds Run key to start application; Enumerates connected drives; Suspicious use of WriteProcessMemory
  - F:\msdownld.tmp\IXP000.TMP\3_lh.exe (PID 5052, child of PID 2536)
    Command line: F:\msdownld.tmp\IXP000.TMP\3_lh.exe
    Signatures: Executes dropped EXE
- C:\Windows\SysWOW64\WerFault.exe (PID 4728)
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5052 -s 632
  Signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe (PID 4900)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5052 -ip 5052
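The RunOnce value and the process tree above are worth reading together. A RunOnce entry named wextract_cleanup0 whose command is rundll32.exe advpack.dll,DelNodeRunDLL32 "<dir>" is exactly what a wextract/IExpress self-extracting package registers so that its IXP000.TMP extraction directory is deleted at the next logon, and the dropped 3_lh.exe runs from that same directory before WerFault reports its crash. The probes of the A:, B: and E: roots before extraction landed on F:\msdownld.tmp are consistent with the extractor choosing a drive for its temporary directory, although the report alone does not establish the reason. The script below is an added example written for this page; it is not Triage's code and does not read any Triage export format. It takes the event lines as this report displays them, copied into plain Python lists as constructed input, normalizes the NT registry path to an HKLM view, matches Run/RunOnce autostart locations, recognizes the advpack.dll cleanup pattern and recovers the extraction directory, then correlates that directory with the process tree, deduplicates the WriteProcessMemory rows, downgrades a parent's write into its own newly created child (which ordinary CreateProcess also produces), and ties the WerFault -p argument back to the crashed payload. The rule names and the Finding type are the editor's own.

```python
"""Triage helper for the Signatures and Processes sections of this report.
Added example, not Triage's code or an export format Triage offers: the event
strings are copied from the report into plain Python lists (constructed input)
and the rule names are the editor's own."""
import json
import re
from collections import namedtuple

# Constructed input: the events exactly as the Signatures section displays them.
REGISTRY_EVENTS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows'
    r'\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32'
    r'\\advpack.dll,DelNodeRunDLL32 \"F:\\msdownld.tmp\\IXP000.TMP\\\"" '
    r'280841448a492e94b1c01f7505d163de.exe',
]
DRIVE_EVENTS = [r'File opened (read-only) \??\%s: 280841448a492e94b1c01f7505d163de.exe' % d
                for d in "ABE"]
WRITE_EVENTS = ["PID 2536 wrote to memory of 5052 2536 280841448a492e94b1c01f7505d163de.exe 19"] * 3
# pid -> (parent pid shown in the tree, command line). WerFault is started by the
# WER service, so the tree lists it at top level without a parent.
PROCESSES = {
    2536: (None, r'"C:\Users\Admin\AppData\Local\Temp\280841448a492e94b1c01f7505d163de.exe"'),
    5052: (2536, r'F:\msdownld.tmp\IXP000.TMP\3_lh.exe'),
    4728: (None, r'C:\Windows\SysWOW64\WerFault.exe -u -p 5052 -s 632'),
    4900: (None, r'C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5052 -ip 5052'),
}

SET_VALUE_RE = re.compile(r'^Set value \((\w+)\) (\S+) = (".*") (\S+)$')
RUN_KEY_RE = re.compile(r"^(HKLM|HKU\\[^\\]+)\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion"
                        r"\\(Run|RunOnce|RunOnceEx|RunServices|RunServicesOnce)$", re.I)
RUNDLL_RE = re.compile(r"^(?:\S*\\)?rundll32(?:\.exe)?\s+([^,]+),(\w+)\s*(.*)$", re.I)
DRIVE_RE = re.compile(r"^File opened \(read-only\) \\\?\?\\([A-Z]):\s+\S+$")
WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+)\b")
WER_TARGET_RE = re.compile(r"WerFault\.exe .*?-p (\d+)", re.I)

Finding = namedtuple("Finding", "rule detail")

def parse_set_value(line):
    """Split a 'Set value' row; the report puts the value name last in the key path."""
    m = SET_VALUE_RE.match(line)
    if not m:
        return None
    vtype, path, raw_value, process = m.groups()
    path = re.sub(r"^\\REGISTRY\\MACHINE", "HKLM", path, flags=re.I)
    path = re.sub(r"^\\REGISTRY\\USER", "HKU", path, flags=re.I)
    # 32-bit code on x64 (WerFault ran from SysWOW64) sees HKLM\SOFTWARE via WOW6432Node.
    path, wow64 = re.subn(r"\\WOW6432Node\\", r"\\", path, flags=re.I)
    key, name = path.rsplit("\\", 1)
    return {"process": process, "type": vtype, "key": key, "name": name,
            "value": json.loads(raw_value), "wow64": bool(wow64)}  # value is JSON-escaped

def autostart_findings(rec):
    """Return (findings, extraction_dir) for a Run/RunOnce write, else ([], None)."""
    if rec is None or not RUN_KEY_RE.match(rec["key"]):
        return [], None
    findings = [Finding("autostart", f'{rec["process"]} set {rec["key"]}\\{rec["name"]}')]
    m = RUNDLL_RE.match(rec["value"])
    if (m and m.group(1).lower().endswith("advpack.dll") and m.group(2).lower() == "delnoderundll32"
            and rec["name"].lower().startswith("wextract_cleanup")):
        # wextract/IExpress registers this RunOnce entry to delete its IXP###.TMP dir at next logon.
        target = m.group(3).strip().strip('"')
        findings.append(Finding("iexpress-cleanup", f"{target} is deleted at next logon"))
        return findings, target
    return findings, None

def probed_drives(lines):
    """Drive letters whose root the sample opened, deduplicated and sorted."""
    return sorted({m.group(1) for line in lines if (m := DRIVE_RE.match(line))})

def process_findings(processes, write_events, extraction_dir):
    findings = []
    for pid, (parent, cmd) in processes.items():
        if extraction_dir and cmd.strip('"').lower().startswith(extraction_dir.lower()):
            findings.append(Finding("dropped-exe", f"pid {pid} runs {cmd} (parent {parent})"))
    for src, dst in {m.groups() for line in write_events if (m := WRITE_RE.match(line))}:
        src, dst = int(src), int(dst)
        # CreateProcess itself writes into the new child, so parent-to-own-child is the weak form.
        weak = processes.get(dst, (None, ""))[0] == src
        findings.append(Finding("wpm-parent-to-child" if weak else "wpm-cross-process",
                                f"pid {src} wrote into pid {dst}"))
    for pid in sorted({int(m.group(1)) for _, cmd in processes.values()
                       if (m := WER_TARGET_RE.search(cmd))}):
        findings.append(Finding("crash", f"pid {pid} ({processes[pid][1]}) reported by WerFault"))
    return findings

def triage():
    findings, extraction_dir = [], None
    for line in REGISTRY_EVENTS:
        found, target = autostart_findings(parse_set_value(line))
        findings += found
        extraction_dir = extraction_dir or target
    if drives := probed_drives(DRIVE_EVENTS):
        findings.append(Finding("drive-enum", "opened root of " + ", ".join(d + ":" for d in drives)))
    return findings + process_findings(PROCESSES, WRITE_EVENTS, extraction_dir)

if __name__ == "__main__":
    for finding in triage():
        print(f"[{finding.rule}] {finding.detail}")
```

Run as a script it prints one line per finding: the autostart write, the IExpress cleanup entry with F:\msdownld.tmp\IXP000.TMP\ as the extraction directory, the A:, B: and E: root probes, 3_lh.exe as a dropped EXE executed from that directory, a single parent-to-child WriteProcessMemory finding (the three identical rows collapse, and because PID 5052 is the sample's own child the write is rated as the weak form of the signature), and the WerFault report against PID 5052. A write into a process the sample did not create would surface as wpm-cross-process, which is the case that justifies the word suspicious.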
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 92KB
MD5: ece531ccab5908888811514fb22a49da
SHA1: 9395b8620b18831cca2106554fd5bb3ea85f2c98
SHA256: 02f9a80a000e2caf6f1b3a7e53a020497cfbc9ee4fb4d7a2c590e12617d21051
SHA512: c76cdcc150c7e00d94681fc0196819b9ff0389dd123dd13d199ed3ca59463f767cb31a29b70064c347d2e2209738dd87834a94209ef5f851abae40750dac02e5