Analysis
max time kernel: 504s
max time network: 379s
platform: windows10-1703_x64
resource: win10-20231215-en
resource tags: arch:x64, arch:x86, image:win10-20231215-en, locale:en-us, os:windows10-1703-x64, system
submitted: 24/01/2024, 03:07
Static task: static1
Behavioral task: behavioral1
Sample: Trainer_JoU4uh4CUd.exe
Resource: win10-20231215-en
General
Target: Trainer_JoU4uh4CUd.exe
Size: 7.9MB
MD5: 624b884e8a23afe3a79a0e432e1335b7
SHA1: 1b21d61b6c431720d568a07398e9a376106a2171
SHA256: 6e30c75a6182b710c3e656b112fb7941c9856612310fc5a90f7505a0768a426b
SHA512: caef4002424f87a36e603582bc73e50ceeedf43bc615ec9ff6515059fec1ee342a179814869c9304c43e512c48f549b3b3325c453abac7beba5a01ff672d4cfb
SSDEEP: 98304:/QVzXhUDWBZ5sxAdqiCkI3QLvX7NwXbZmZFBCPue1CJ/W4NuKaKKwlMCjO1bcOFE:kQWDGxRWPN9CGeQJt3KwjjO1/tNud
Malware Config
Signatures

Executes dropped EXE (2 IoCs)
  pid   Process
  2740  Trainer_JoU4uh4CUd.tmp
  408   jseditboxcontrol.exe

Loads dropped DLL (3 IoCs)
  pid   Process
  2740  Trainer_JoU4uh4CUd.tmp
  2740  Trainer_JoU4uh4CUd.tmp
  2740  Trainer_JoU4uh4CUd.tmp

Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

Program crash (12 IoCs)
  pid   pid_target  Process       procid_target
  4540  408         WerFault.exe  76
  3996  408         WerFault.exe  76
  4576  408         WerFault.exe  76
  4776  408         WerFault.exe  76
  3468  408         WerFault.exe  76
  4488  408         WerFault.exe  76
  4464  408         WerFault.exe  76
  5004  408         WerFault.exe  76
  4644  408         WerFault.exe  76
  4328  408         WerFault.exe  76
  96    408         WerFault.exe  76
  3884  408         WerFault.exe  76

Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid   Process
  2740  Trainer_JoU4uh4CUd.tmp
  2740  Trainer_JoU4uh4CUd.tmp
  408   jseditboxcontrol.exe
  408   jseditboxcontrol.exe

Suspicious use of FindShellTrayWindow (1 IoCs)
  pid   Process
  2740  Trainer_JoU4uh4CUd.tmp

Suspicious use of WriteProcessMemory (12 IoCs)
  description                        pid   Process                 procid_target
  PID 4600 wrote to memory of 2740   4600  Trainer_JoU4uh4CUd.exe  72
  PID 4600 wrote to memory of 2740   4600  Trainer_JoU4uh4CUd.exe  72
  PID 4600 wrote to memory of 2740   4600  Trainer_JoU4uh4CUd.exe  72
  PID 2740 wrote to memory of 932    2740  Trainer_JoU4uh4CUd.tmp  73
  PID 2740 wrote to memory of 932    2740  Trainer_JoU4uh4CUd.tmp  73
  PID 2740 wrote to memory of 932    2740  Trainer_JoU4uh4CUd.tmp  73
  PID 2740 wrote to memory of 4024   2740  Trainer_JoU4uh4CUd.tmp  74
  PID 2740 wrote to memory of 4024   2740  Trainer_JoU4uh4CUd.tmp  74
  PID 2740 wrote to memory of 4024   2740  Trainer_JoU4uh4CUd.tmp  74
  PID 2740 wrote to memory of 408    2740  Trainer_JoU4uh4CUd.tmp  76
  PID 2740 wrote to memory of 408    2740  Trainer_JoU4uh4CUd.tmp  76
  PID 2740 wrote to memory of 408    2740  Trainer_JoU4uh4CUd.tmp  76
Processes
(process tree; indentation shows parent/child depth, as in the report)

[1] C:\Users\Admin\AppData\Local\Temp\Trainer_JoU4uh4CUd.exe
    command: "C:\Users\Admin\AppData\Local\Temp\Trainer_JoU4uh4CUd.exe"
    PID: 4600
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\is-9NIOP.tmp\Trainer_JoU4uh4CUd.tmp
        command: "C:\Users\Admin\AppData\Local\Temp\is-9NIOP.tmp\Trainer_JoU4uh4CUd.tmp" /SL5="$50234,8054080,54272,C:\Users\Admin\AppData\Local\Temp\Trainer_JoU4uh4CUd.exe"
        PID: 2740
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\schtasks.exe
            command: "C:\Windows\system32\schtasks.exe" /Query
            PID: 932

        [3] C:\Windows\SysWOW64\regsvr32.exe
            command: "C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\atl.dll"
            PID: 4024

        [3] C:\Users\Admin\AppData\Local\JS Edit Box Control\jseditboxcontrol.exe
            command: "C:\Users\Admin\AppData\Local\JS Edit Box Control\jseditboxcontrol.exe" e3d601d77ff0aa6bec2709c7669adcf0
            PID: 408
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses

            [4] C:\Windows\SysWOW64\WerFault.exe
                command: C:\Windows\SysWOW64\WerFault.exe -u -p 408 -s 852
                PID: 4540
                - Program crash

            [4] C:\Windows\SysWOW64\WerFault.exe
                command: C:\Windows\SysWOW64\WerFault.exe -u -p 408 -s 828
                PID: 3996
                - Program crash

            [4] C:\Windows\SysWOW64\WerFault.exe
                command: C:\Windows\SysWOW64\WerFault.exe -u -p 408 -s 896
                PID: 4576
                - Program crash

            [4] C:\Windows\SysWOW64\WerFault.exe
                command: C:\Windows\SysWOW64\WerFault.exe -u -p 408 -s 1000
                PID: 4776
                - Program crash

            [4] C:\Windows\SysWOW64\WerFault.exe
                command: C:\Windows\SysWOW64\WerFault.exe -u -p 408 -s 1036
                PID: 3468
                - Program crash

            [4] C:\Windows\SysWOW64\WerFault.exe
                command: C:\Windows\SysWOW64\WerFault.exe -u -p 408 -s 1080
                PID: 4488
                - Program crash

            [4] C:\Windows\SysWOW64\WerFault.exe
                command: C:\Windows\SysWOW64\WerFault.exe -u -p 408 -s 1124
                PID: 4464
                - Program crash

            [4] C:\Windows\SysWOW64\WerFault.exe
                command: C:\Windows\SysWOW64\WerFault.exe -u -p 408 -s 1108
                PID: 5004
                - Program crash

            [4] C:\Windows\SysWOW64\WerFault.exe
                command: C:\Windows\SysWOW64\WerFault.exe -u -p 408 -s 1148
                PID: 4644
                - Program crash

            [4] C:\Windows\SysWOW64\WerFault.exe
                command: C:\Windows\SysWOW64\WerFault.exe -u -p 408 -s 1212
                PID: 4328
                - Program crash

            [4] C:\Windows\SysWOW64\WerFault.exe
                command: C:\Windows\SysWOW64\WerFault.exe -u -p 408 -s 1160
                PID: 96
                - Program crash

            [4] C:\Windows\SysWOW64\WerFault.exe
                command: C:\Windows\SysWOW64\WerFault.exe -u -p 408 -s 1176
                PID: 3884
                - Program crash

[1] C:\Windows\System32\rundll32.exe
    command: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    PID: 3464
Network
MITRE ATT&CK Enterprise v15
Downloads