Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10/01/2024, 23:22

General

  • Target

    51e75865fcf5957c4c0c317c3228c7f0.exe

  • Size

    156KB

  • MD5

    51e75865fcf5957c4c0c317c3228c7f0

  • SHA1

    e1eb324f42021a8f9952bca97c0d5937a8b8c0f7

  • SHA256

    41d204d81c681ada925d70f7bd6b48d31aad34be9406eceafcaa342cd80fd7ad

  • SHA512

    26707c4470e515adf8c35ea105dd3f7b8e3e9e4ec29fef84a6b5965e65c9b235b10627f31f3e9677632450d3b28d20ebb129c8bff0b5757ef40046fedef3b09e

  • SSDEEP

    3072:sqbEmRuVotc4zmpwRIZB3JPEL/oc7mBGAyjIuoJ98:sqbI4zcGInZVc7Hh

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE (2 IoCs)
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Suspicious use of SetThreadContext (2 IoCs)
  • Program crash (4 IoCs)
  • Suspicious use of WriteProcessMemory (13 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\51e75865fcf5957c4c0c317c3228c7f0.exe
    "C:\Users\Admin\AppData\Local\Temp\51e75865fcf5957c4c0c317c3228c7f0.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:880
    • C:\Users\Admin\AppData\Local\Temp\51e75865fcf5957c4c0c317c3228c7f0.exe
      C:\Users\Admin\AppData\Local\Temp\51e75865fcf5957c4c0c317c3228c7f0.exe
      2⤵
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1416
      • C:\Users\Admin\AppData\Roaming\netprotocol.exe
        C:\Users\Admin\AppData\Roaming\netprotocol.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:6096
        • C:\Users\Admin\AppData\Roaming\netprotocol.exe
          C:\Users\Admin\AppData\Roaming\netprotocol.exe
          4⤵
          • Executes dropped EXE
          PID:1272
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 6096 -s 452
          4⤵
          • Program crash
          PID:6040
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 6096 -s 452
          4⤵
          • Program crash
          PID:2172
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 880 -s 440
      2⤵
      • Program crash
      PID:4056
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 880 -s 440
      2⤵
      • Program crash
      PID:2488
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 880 -ip 880
    1⤵
    PID:2160
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 880 -ip 880
    1⤵
    PID:3160
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 6096 -ip 6096
    1⤵
    PID:3092
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 6096 -ip 6096
    1⤵
    PID:5956
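The process tree above shows the pattern behind the "Suspicious use of SetThreadContext" and "Suspicious use of WriteProcessMemory" signatures: the sample (PID 880) launches a second copy of its own image (PID 1416) and touches it with both APIs, the dropped netprotocol.exe (PID 6096) does the same to its own copy (PID 1272), and each injecting parent is then reported by WerFault (-p 880, -p 6096). That parent/child-same-image plus SetThreadContext/WriteProcessMemory combination is the classic process-hollowing indicator. The Python below is an added example, not tria.ge's code: it encodes the tree as a constructed event list (PIDs, image paths and WerFault command lines are taken from the report; the tuple schema, the Proc class, the function names and the assumption that a process's create event precedes its API events are mine) and flags the hollowing pairs, correlating each with whether its injector crashed.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\51e75865fcf5957c4c0c317c3228c7f0.exe"
DROPPED = r"C:\Users\Admin\AppData\Roaming\netprotocol.exe"
WERFAULT = r"C:\Windows\SysWOW64\WerFault.exe"

# Constructed event list mirroring the report's process tree. The tuple layout is an
# assumption of this example: ("create", pid, ppid, image, cmdline) or ("api", pid, api).
EVENTS = [
    ("create", 880, None, SAMPLE, f'"{SAMPLE}"'),
    ("api", 880, "SetThreadContext"),
    ("api", 880, "WriteProcessMemory"),
    ("create", 1416, 880, SAMPLE, SAMPLE),
    ("api", 1416, "WriteProcessMemory"),
    ("create", 6096, 1416, DROPPED, DROPPED),
    ("api", 6096, "SetThreadContext"),
    ("api", 6096, "WriteProcessMemory"),
    ("create", 1272, 6096, DROPPED, DROPPED),
    ("create", 6040, 6096, WERFAULT, f"{WERFAULT} -u -p 6096 -s 452"),
    ("create", 2172, 6096, WERFAULT, f"{WERFAULT} -u -p 6096 -s 452"),
    ("create", 4056, 880, WERFAULT, f"{WERFAULT} -u -p 880 -s 440"),
    ("create", 2488, 880, WERFAULT, f"{WERFAULT} -u -p 880 -s 440"),
    ("create", 2160, None, WERFAULT, f"{WERFAULT} -pss -s 408 -p 880 -ip 880"),
    ("create", 3092, None, WERFAULT, f"{WERFAULT} -pss -s 468 -p 6096 -ip 6096"),
]


@dataclass
class Proc:
    pid: int
    ppid: Optional[int]
    image: str
    cmdline: str
    apis: Set[str] = field(default_factory=set)


def build_tree(events) -> Dict[int, Proc]:
    """Fold create/api events into a pid-keyed process table."""
    procs: Dict[int, Proc] = {}
    for ev in events:
        if ev[0] == "create":
            _, pid, ppid, image, cmdline = ev
            procs[pid] = Proc(pid, ppid, image, cmdline)
        elif ev[0] == "api":
            _, pid, api = ev
            if pid in procs:  # assumption: create precedes api; unknown pids are dropped
                procs[pid].apis.add(api)
    return procs


HOLLOW_APIS = {"SetThreadContext", "WriteProcessMemory"}


def find_hollowing(procs: Dict[int, Proc]) -> List[Tuple[int, int, str]]:
    """A parent that spawns a child with its own image and has used both hollowing
    APIs -> (parent_pid, child_pid, image). A parent that only spawns a different
    image (1416 -> netprotocol.exe) or lacks one of the APIs is not flagged."""
    hits = []
    for child in procs.values():
        parent = procs.get(child.ppid) if child.ppid is not None else None
        if parent is None:
            continue
        if child.image.lower() == parent.image.lower() and HOLLOW_APIS <= parent.apis:
            hits.append((parent.pid, child.pid, child.image))
    return sorted(hits)


# "-p <pid>" names the faulting process; "-pss" and "-ip" must not match.
_WER_PID = re.compile(r"(?:^|\s)-p\s+(\d+)")


def crashed_pids(procs: Dict[int, Proc]) -> Set[int]:
    """PIDs that WerFault.exe was launched for, parsed from its command line."""
    crashed = set()
    for p in procs.values():
        if p.image.lower().endswith("\\werfault.exe"):
            m = _WER_PID.search(p.cmdline)
            if m:
                crashed.add(int(m.group(1)))
    return crashed


def triage(events) -> List[dict]:
    """Join both signals: each hollowing pair and whether the injector crashed."""
    procs = build_tree(events)
    crashed = crashed_pids(procs)
    return [
        {"injector": pp, "hollowed": cp, "image": img, "injector_crashed": pp in crashed}
        for pp, cp, img in find_hollowing(procs)
    ]


if __name__ == "__main__":
    for hit in triage(EVENTS):
        print(hit)
```

Because the report lists API calls per process but not their target, the check keys on the parent and child sharing an image path; a feed that records the target (Sysmon Event ID 10 ProcessAccess, or the sandbox's own API log) lets you require that the written-to process be the freshly spawned child, which removes the remaining false positives from legitimate self-relaunching programs.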

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\netprotocol.exe

    Filesize

    156KB

    MD5

    c178c7461dffc068666fa84b1b6099db

    SHA1

    bc6d5efad7a080b05075ac78d4e43d570a2bc8f9

    SHA256

    c327079b1807bd40a8d8531205f9f4e7dbfc4e30d789dd6bf0a8dac0858bdfb3

    SHA512

    572cfabdf3414d33bc8297ddfc2aa911639991258eaed02bc9cf1912bb078681d5887b6bd67cb70a4645373510d91eb25def66bdb7c13e40f29671a2d380f1a5

  • C:\Users\Admin\AppData\Roaming\netprotocol.exe

    Filesize

    57KB

    MD5

    348ce5af0a70d17f4b5c4330fa2319ad

    SHA1

    3b482db110d1c4bc30248068d56948a00998a43c

    SHA256

    c4ea55161f409d4133ca4410956cd7b28acb41ec96f6e4eb7ef7914cbd17bdcf

    SHA512

    649b159127c78a4ed74e30898c1593aea556cf515449788e5b22558a2803daef4d6a5b2dd6b177b896659f6b3add7ad2e140c197a3ab21e4d1e28150219b799a

  • memory/1272-10-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

  • memory/1272-11-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

  • memory/1272-13-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

  • memory/1416-0-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

  • memory/1416-1-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

  • memory/1416-2-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

  • memory/1416-7-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

  • memory/1416-12-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB