Analysis
- max time kernel: 75s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20231222-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10/01/2024, 15:13
Static task: static1
Behavioral task: behavioral1
- Sample: 50e75dc2d5ace8a5669e347ed32c10dd.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 50e75dc2d5ace8a5669e347ed32c10dd.exe
- Resource: win10v2004-20231222-en
General
- Target: 50e75dc2d5ace8a5669e347ed32c10dd.exe
- Size: 384KB
- MD5: 50e75dc2d5ace8a5669e347ed32c10dd
- SHA1: 5e357ca218cf49f8b18c622ed77c59798ca23322
- SHA256: 70b9b35e34c3a4ec1e946378c40e1d876920d638ec919ef2778e6047c1d5ad90
- SHA512: d0dc948471e976bfaf75be161a8283ee2fd49e2a48a90e87162e3477511631d27e27fd2740d0a5ee6ebb15995c0154e7b1216e3e57d38413f1d07b685bfe9754
- SSDEEP: 6144:G59TOwr3GP/cSHBWOySe1jCrCzvfAL0OT+dgW/CkVgAtAt:G50QWvHBWOyHCrYfAL0OS6+uA+
Malware Config
Signatures
- Deletes itself (1 IoC)
  pid 1852, process eO10400NlBiN10400.exe
- Executes dropped EXE (1 IoC)
  pid 1852, process eO10400NlBiN10400.exe
- YARA rule hit: upx (3 IoCs)
  behavioral2/memory/636-6-0x0000000000400000-0x00000000004EE000-memory.dmp (upx)
  behavioral2/memory/636-13-0x0000000000400000-0x00000000004EE000-memory.dmp (upx)
  behavioral2/memory/1852-19-0x0000000000400000-0x00000000004EE000-memory.dmp (upx)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\eO10400NlBiN10400 = "C:\\ProgramData\\eO10400NlBiN10400\\eO10400NlBiN10400.exe", process eO10400NlBiN10400.exe
- Program crash (2 IoCs)
  pid 3248, pid_target 636, process WerFault.exe, procid_target 18
  pid 3232, pid_target 1852, process WerFault.exe, procid_target 62
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 636, process 50e75dc2d5ace8a5669e347ed32c10dd.exe (2 entries)
  pid 1852, process eO10400NlBiN10400.exe (all remaining entries)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, pid 636, process 50e75dc2d5ace8a5669e347ed32c10dd.exe
  Token: SeDebugPrivilege, pid 1852, process eO10400NlBiN10400.exe
- Suspicious use of FindShellTrayWindow (2 IoCs)
  pid 1852, process eO10400NlBiN10400.exe (2 entries)
- Suspicious use of SendNotifyMessage (2 IoCs)
  pid 1852, process eO10400NlBiN10400.exe (2 entries)
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid 1852, process eO10400NlBiN10400.exe (2 entries)
- Suspicious use of WriteProcessMemory (3 IoCs)
  PID 636 wrote to memory of 1852, pid 636, process 50e75dc2d5ace8a5669e347ed32c10dd.exe, procid_target 62 (3 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\50e75dc2d5ace8a5669e347ed32c10dd.exe (PID 636)
  Command line: "C:\Users\Admin\AppData\Local\Temp\50e75dc2d5ace8a5669e347ed32c10dd.exe"
  Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WerFault.exe (PID 3248)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 636 -s 676
    Signatures: Program crash
  - C:\ProgramData\eO10400NlBiN10400\eO10400NlBiN10400.exe (PID 1852)
    Command line: "C:\ProgramData\eO10400NlBiN10400\eO10400NlBiN10400.exe" "C:\Users\Admin\AppData\Local\Temp\50e75dc2d5ace8a5669e347ed32c10dd.exe"
    Signatures: Deletes itself; Executes dropped EXE; Adds Run key to start application; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of SetWindowsHookEx
    - C:\Windows\SysWOW64\WerFault.exe (PID 3232)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1852 -s 668
      Signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe (PID 3980)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 636 -ip 636
- C:\Windows\SysWOW64\WerFault.exe (PID 4968)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1852 -ip 1852
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 67KB
  MD5: 6d37b0ac3aad15696175c35da0c421c5
  SHA1: 05ed8d20a36ac9965e79c17fce9f82973a5f1f84
  SHA256: 401c49c862946dcae20e2f7370641daa4b93723971018fcde1a2383aa3734234
  SHA512: c29b8ad04dabc4dc7fe9a54176fe89fca336a6b30e626e286f6635dbcc6906b1f11f04823c617c089c6361e932b46f1b2442dc567bacf81b0bd44e851d4c8e1d
- Filesize: 40KB
  MD5: d8bf1966ab1f54f37a49d4031d1770fb
  SHA1: b4e0ac7ef8408640350a5f850d016c0ea4d7ae71
  SHA256: 6ee877b9d4ec98149e4ab4853b987b382c3934bdaadda9d06ea8cd5e52c4e802
  SHA512: e74d4fd281186c3f2ca1995b244dca78f2950a2546c4928c995755c2d69c33ec127d48f75df75bf3479d0c9663f85b5d3d5063911c7385aab2fc9331412a5071