Analysis
- max time kernel: 120s
- max time network: 128s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 09/01/2024, 11:32
Static task
- static1
Behavioral task behavioral1
- Sample: 4e304a34ea425d0e9e247779025675e1.exe
- Resource: win7-20231215-en
Behavioral task behavioral2
- Sample: 4e304a34ea425d0e9e247779025675e1.exe
- Resource: win10v2004-20231215-en
General
- Target: 4e304a34ea425d0e9e247779025675e1.exe
- Size: 132KB
- MD5: 4e304a34ea425d0e9e247779025675e1
- SHA1: bad2e8e6189fc8363a89ec3a1a1fd1112c1de9a4
- SHA256: a212b00fc2ef30cbe2a896d2312739a6757f01730675bfbdf44470736160a024
- SHA512: 1673f90c9e7f29636cc2f41fd9b2dae1b3ba969a4e9607669eb19c6208f7735e56ae112a2cdfe60252f7b42afdc2d60d184ffa16b2aaa3b026858356b89c2411
- SSDEEP: 3072:4NlVOkquTD5GtVOlibl6sLVIgSsr8WZTru5PBh1Eimb:4NvtTeKibl6qVZZnu55h1Lmb
Malware Config
Signatures
- Deletes itself (1 IoC)
  pid 2704, process cmd.exe
- Executes dropped EXE (1 IoC)
  pid 2820, process wfurhq.exe
- Loads dropped DLL (2 IoCs)
  pid 2704, process cmd.exe
  pid 2704, process cmd.exe
- YARA rule matches (resource, yara_rule)
  behavioral1/files/0x000a000000012274-12.dat: upx
  behavioral1/memory/2704-13-0x0000000000370000-0x0000000000391000-memory.dmp: upx
  behavioral1/memory/2820-17-0x0000000000400000-0x0000000000421000-memory.dmp: upx
  behavioral1/memory/2820-18-0x0000000000400000-0x0000000000421000-memory.dmp: upx
- Modifies registry class (7 IoCs), all "Key created" by process wfurhq.exe
  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\\shell\\ziwwa\\command
  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node
  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\ziwwa
  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\shell\\ziwwa
  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell
  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID
  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}
- Runs ping.exe (1 TTP, 1 IoC)
  pid 2300, process PING.EXE
- Suspicious use of WriteProcessMemory (12 IoCs): description, pid, process, procid_target
  PID 2988 wrote to memory of 2704; 2988; 4e304a34ea425d0e9e247779025675e1.exe; 28
  PID 2988 wrote to memory of 2704; 2988; 4e304a34ea425d0e9e247779025675e1.exe; 28
  PID 2988 wrote to memory of 2704; 2988; 4e304a34ea425d0e9e247779025675e1.exe; 28
  PID 2988 wrote to memory of 2704; 2988; 4e304a34ea425d0e9e247779025675e1.exe; 28
  PID 2704 wrote to memory of 2820; 2704; cmd.exe; 30
  PID 2704 wrote to memory of 2820; 2704; cmd.exe; 30
  PID 2704 wrote to memory of 2820; 2704; cmd.exe; 30
  PID 2704 wrote to memory of 2820; 2704; cmd.exe; 30
  PID 2704 wrote to memory of 2300; 2704; cmd.exe; 31
  PID 2704 wrote to memory of 2300; 2704; cmd.exe; 31
  PID 2704 wrote to memory of 2300; 2704; cmd.exe; 31
  PID 2704 wrote to memory of 2300; 2704; cmd.exe; 31
Processes (tree; the number is the nesting level)
1. C:\Users\Admin\AppData\Local\Temp\4e304a34ea425d0e9e247779025675e1.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\4e304a34ea425d0e9e247779025675e1.exe"
   PID: 2988
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c C:\Users\Admin\AppData\Local\Temp\tavllxl.bat
      PID: 2704
      - Deletes itself
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\wfurhq.exe
         command line: "C:\Users\Admin\AppData\Local\Temp\wfurhq.exe"
         PID: 2820
         - Executes dropped EXE
         - Modifies registry class
      3. C:\Windows\SysWOW64\PING.EXE
         command line: ping 127.0.0.1
         PID: 2300
         - Runs ping.exe
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 156B
  MD5: 8073cf9bec5963a7340f17426b130e2e
  SHA1: e021000f950563ca883233b06a2e2da953a6616b
  SHA256: d973772a47b39b02c21d2078539ffa3c2e89eaf231273215c9be927d511238df
  SHA512: 3a2743252eae62848ccbb29b0b38ab810f5d36ab20d83c2705ff0fa17a3a724af749a9f49b940a2e67c5195a381c580b6c692127c0be8d5378e0508142e87d19
- Filesize: 124B
  MD5: 2c21916c128701d14af8a5d78766fcfe
  SHA1: 0af85699a8961e30ce18af490d672073b43570d1
  SHA256: 3cee04167f5c3bbfbc5380436a96974ba52f1f26bb6264aa963199de989e661c
  SHA512: e1bee2df9a74521bab88dea9bf27b047558cd06cc80ac1ebf504ff05723c79ad28abdceb148f10210a673d3958ad7a8c0e837b207bccd5c5f8f5f89a38bfca40
- Filesize: 82KB
  MD5: d9baf78cdb4ef2906434f8010d6247ac
  SHA1: 16d0e1d1ab3d404b3f01188e194c5ea2833138e0
  SHA256: c2f6e0bed2534734220de8d46d2d935779dd5d0cfdaf3964a29dfb89a3de0a10
  SHA512: 62dbb1fb43ec693ac0b7e4ed816b5b3af0609a3c0ca098870a40523d4294add7cb2a6d365676ac62d447da6027703b2fcc245b6fcd4d44f58ebda5e1e158593c