Analysis

  max time kernel:   147s
  max time network:  150s
  platform:          windows10-2004_x64
  resource:          win10v2004-20231222-en
  resource tags:     arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
  submitted:         04/01/2024, 20:29
Static task
  static1

Behavioral task behavioral1
  Sample:    41d6b06dbab79f45bc71832c7c691c16.exe
  Resource:  win7-20231129-en

Behavioral task behavioral2
  Sample:    41d6b06dbab79f45bc71832c7c691c16.exe
  Resource:  win10v2004-20231222-en

The analysis metadata above (platform windows10-2004_x64, resource win10v2004-20231222-en) and the signatures and process tree below belong to behavioral2, the Windows 10 run; the Windows 7 run (behavioral1) is not shown on this page.
General

  Target:  41d6b06dbab79f45bc71832c7c691c16.exe
  Size:    10KB
  MD5:     41d6b06dbab79f45bc71832c7c691c16
  SHA1:    6afc1420c3b8594e1d51b413a19683ec227932bb
  SHA256:  cb8932abc8615354c90558b8bc7eb63ae3dd607ce41cb70172c6f87564cb6ca6
  SHA512:  bc51aa60cee34da4ec91fc8c918cbe24415ab27720a5b7888209e7ce0511d873fb9c0229e73388c2681c22ced69754c75b5406e0df835882761c5fc0e90997b9
  SSDEEP:  192:iEVm3Vy7U2Bm7s4/CdqacfXr+ML71lz4+Q7KB1UzP1oy/3u:bmFy7+PXn7fk+Q7KB1U1V
Malware Config
Signatures

In the tables below, procid_target is the report's own process record index, not a Windows PID; the target PID is the one named in the description column.

Executes dropped EXE (1 IoC)
  pid   Process
  2420  update.exe

Program crash (1 IoC)
  pid   pid_target  Process       procid_target
  3016  1252        WerFault.exe  87

Suspicious use of SetThreadContext (1 IoC)
  description                          pid   Process     procid_target
  PID 2420 set thread context of 1252  2420  update.exe  87

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description              pid   Process
  Token: SeDebugPrivilege  2420  update.exe

Suspicious use of WriteProcessMemory (8 IoCs)
  description                       pid   Process                               procid_target
  PID 4632 wrote to memory of 2420  4632  41d6b06dbab79f45bc71832c7c691c16.exe  90
  PID 4632 wrote to memory of 2420  4632  41d6b06dbab79f45bc71832c7c691c16.exe  90
  PID 4632 wrote to memory of 2420  4632  41d6b06dbab79f45bc71832c7c691c16.exe  90
  PID 2420 wrote to memory of 1252  2420  update.exe                            87
  PID 2420 wrote to memory of 1252  2420  update.exe                            87
  PID 2420 wrote to memory of 1252  2420  update.exe                            87
  PID 2420 wrote to memory of 1252  2420  update.exe                            87
  PID 2420 wrote to memory of 1252  2420  update.exe                            87
Processes

C:\Users\Admin\AppData\Local\Temp\41d6b06dbab79f45bc71832c7c691c16.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\41d6b06dbab79f45bc71832c7c691c16.exe"
  PID 4632
  - Suspicious use of WriteProcessMemory
  └ C:\ProgramData\update.exe
      command line: C:\ProgramData\update.exe
      PID 2420
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"
  PID 1252
  └ C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1252 -s 12
      PID 3016
      - Program crash

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1252 -ip 1252
  PID 1268

Read together with the signatures, the tree shows the sample dropping and running C:\ProgramData\update.exe (PID 2420), which enables SeDebugPrivilege, writes into IEXPLORE.EXE (PID 1252) five times and resets one of its threads' context; IEXPLORE.EXE then crashes and WerFault.exe is started for it (-p 1252). WriteProcessMemory followed by SetThreadContext on the same target is the pattern of process hollowing or thread-hijack injection, and the crash right after it suggests the injected code did not run cleanly on this image, so the sample's later behaviour may not be visible in this run. IEXPLORE.EXE appears as a top-level entry here, so the tree alone does not show which process launched it.
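The chain above can be rebuilt mechanically from the signature rows, which is how a triage script would separate the real injection (2420 → 1252) from the parent-to-child writes (4632 → 2420) that WriteProcessMemory alone also reports. The following is an added example, not tria.ge's code: it takes the IoC rows of this report as constructed input (split into the columns shown in the tables), parses the target PID out of each description, and reports every (source, target) pair that has both a memory write and a thread-context reset, together with the corroborating facts the report gives (dropped binary, SeDebugPrivilege, crash of the target). The column and dictionary key names are my own assumptions, not a tria.ge export format.

```python
"""Rebuild the injection chain from flattened tria.ge-style signature rows."""
import re
from collections import Counter, defaultdict

# Constructed input: the IoC rows of this report, split into the columns the
# signature tables show. pid_target is only filled where the report gives one
# directly (the crash row); for the memory-write and thread-context rows the
# target PID sits in the description, and the report's procid_target column
# (87, 90) is an internal record index, so it is left out here.
SIGNATURE_ROWS = [
    {"sig": "Executes dropped EXE", "description": "", "pid": 2420,
     "process": "update.exe", "pid_target": None},
    {"sig": "Program crash", "description": "", "pid": 3016,
     "process": "WerFault.exe", "pid_target": 1252},
    {"sig": "Suspicious use of SetThreadContext",
     "description": "PID 2420 set thread context of 1252",
     "pid": 2420, "process": "update.exe", "pid_target": None},
    {"sig": "Suspicious use of AdjustPrivilegeToken",
     "description": "Token: SeDebugPrivilege",
     "pid": 2420, "process": "update.exe", "pid_target": None},
]
SIGNATURE_ROWS += [
    {"sig": "Suspicious use of WriteProcessMemory",
     "description": "PID 4632 wrote to memory of 2420", "pid": 4632,
     "process": "41d6b06dbab79f45bc71832c7c691c16.exe", "pid_target": None}
] * 3
SIGNATURE_ROWS += [
    {"sig": "Suspicious use of WriteProcessMemory",
     "description": "PID 2420 wrote to memory of 1252", "pid": 2420,
     "process": "update.exe", "pid_target": None}
] * 5

WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")
SETCTX_RE = re.compile(r"PID (\d+) set thread context of (\d+)")
TOKEN_RE = re.compile(r"Token: (\w+)")


def parse_row(row):
    """Map one signature row to (kind, src_pid, dst_pid, extra)."""
    desc = row["description"]
    if m := WRITE_RE.fullmatch(desc):
        return ("write", int(m.group(1)), int(m.group(2)), None)
    if m := SETCTX_RE.fullmatch(desc):
        return ("setctx", int(m.group(1)), int(m.group(2)), None)
    if m := TOKEN_RE.fullmatch(desc):
        return ("priv", row["pid"], None, m.group(1))
    if row["sig"] == "Program crash":
        return ("crash", row["pid"], row["pid_target"], None)
    if row["sig"] == "Executes dropped EXE":
        return ("dropped", row["pid"], None, None)
    return ("other", row["pid"], row["pid_target"], None)


def summarize(rows):
    """Collect per-PID facts and per-(src, dst) memory interactions."""
    writes = Counter()          # (src, dst) -> number of WriteProcessMemory rows
    setctx = set()              # (src, dst) pairs with a SetThreadContext row
    privs = defaultdict(set)    # pid -> privileges it enabled
    dropped = set()             # pids flagged as dropped executables
    crashed = set()             # pids WerFault was started for
    images = {}                 # pid -> first image name seen
    for row in rows:
        images.setdefault(row["pid"], row["process"])
        kind, src, dst, extra = parse_row(row)
        if kind == "write":
            writes[(src, dst)] += 1
        elif kind == "setctx":
            setctx.add((src, dst))
        elif kind == "priv":
            privs[src].add(extra)
        elif kind == "dropped":
            dropped.add(src)
        elif kind == "crash":
            crashed.add(dst)
    return writes, setctx, privs, dropped, crashed, images


def find_injection_chains(rows):
    """A memory write plus a thread-context reset on the same (src, dst) pair is
    the hollowing/thread-hijack pattern; report each with corroborating facts."""
    writes, setctx, privs, dropped, crashed, images = summarize(rows)
    return [{
        "injector_pid": src,
        "injector_image": images.get(src, "?"),
        "injector_dropped": src in dropped,
        "injector_privileges": sorted(privs[src]),
        "target_pid": dst,
        "writes": writes[(src, dst)],
        "target_crashed": dst in crashed,
    } for src, dst in sorted(setctx)]


def write_only_pairs(rows):
    """Pairs with WriteProcessMemory but no SetThreadContext: typically a parent
    setting up a child it just created, low signal on their own."""
    writes, setctx, *_ = summarize(rows)
    return sorted((s, d, n) for (s, d), n in writes.items() if (s, d) not in setctx)


if __name__ == "__main__":
    for chain in find_injection_chains(SIGNATURE_ROWS):
        print(chain)
    print("write-only pairs:", write_only_pairs(SIGNATURE_ROWS))
```

On this report the script yields a single chain, update.exe (2420) into IEXPLORE.EXE (1252) with five writes, SeDebugPrivilege enabled and the target crashed, and one write-only pair, the sample (4632) into its child update.exe (2420), which is the ordinary parent-to-child case and is why a detection keyed on WriteProcessMemory alone would be noisy.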
Network
MITRE ATT&CK Matrix
Downloads

  Filesize:  10KB
  MD5:       41d6b06dbab79f45bc71832c7c691c16
  SHA1:      6afc1420c3b8594e1d51b413a19683ec227932bb
  SHA256:    cb8932abc8615354c90558b8bc7eb63ae3dd607ce41cb70172c6f87564cb6ca6
  SHA512:    bc51aa60cee34da4ec91fc8c918cbe24415ab27720a5b7888209e7ce0511d873fb9c0229e73388c2681c22ced69754c75b5406e0df835882761c5fc0e90997b9