Analysis
-
max time kernel
150s
-
max time network
136s
-
platform
windows7_x64
-
resource
win7-20231215-en
-
resource tags
arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
-
submitted
02/02/2024, 15:31
Static task
static1
Behavioral task
behavioral1
Sample
89e10dab0f6e6787265ae69efe2eea33.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
89e10dab0f6e6787265ae69efe2eea33.exe
Resource
win10v2004-20231215-en
General
-
Target
89e10dab0f6e6787265ae69efe2eea33.exe
-
Size
860KB
-
MD5
89e10dab0f6e6787265ae69efe2eea33
-
SHA1
b83bd1340099a6b66b5b2b2551b836982b4615a7
-
SHA256
13c92f9848f3f43f42a7e9882144b8229d17dee27fb52b05bba9f8c8e417a529
-
SHA512
3dbbaebba88d6e4f91de1958c10b1d04e48f5b5576ad90f5fe9c971d223b6e77fcec367530b7ca3b41aa23fe3245c385f9c6ca9392d9632d7a4a40c13af32bf7
-
SSDEEP
12288:1ynJ/2UZ6w9gaTHcJjdWP7av5YVP6JPrDbJm8drYE1ovmt7KPrUyN:1msUZ5gaorWPGauzDbJmARoNUi
Malware Config
Signatures
-
Executes dropped EXE 3 IoCs
pid   Process
2768  ±©·çÓ°Òô2012¸ßÇå°æV3.10.01.15¹Ù·½°æ²¹¶¡.exe
2836  dat.exe
2872  vx_6.exe
-
Loads dropped DLL 12 IoCs
pid   Process
2980  89e10dab0f6e6787265ae69efe2eea33.exe
2980  89e10dab0f6e6787265ae69efe2eea33.exe
2980  89e10dab0f6e6787265ae69efe2eea33.exe
2980  89e10dab0f6e6787265ae69efe2eea33.exe
2768  ±©·çÓ°Òô2012¸ßÇå°æV3.10.01.15¹Ù·½°æ²¹¶¡.exe
2768  ±©·çÓ°Òô2012¸ßÇå°æV3.10.01.15¹Ù·½°æ²¹¶¡.exe
2768  ±©·çÓ°Òô2012¸ßÇå°æV3.10.01.15¹Ù·½°æ²¹¶¡.exe
2872  vx_6.exe
2760  WerFault.exe
2760  WerFault.exe
2760  WerFault.exe
2760  WerFault.exe
-
resource                                                                     yara_rule
behavioral1/files/0x0008000000015ca3-27.dat                                  upx
behavioral1/memory/2872-38-0x0000000000400000-0x000000000055A000-memory.dmp  upx
-
Adds Run key to start application 2 TTPs 1 IoCs
description      ioc                                                                                                                                                                                               Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  ±©·çÓ°Òô2012¸ßÇå°æV3.10.01.15¹Ù·½°æ²¹¶¡.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid   pid_target  Process       procid_target
2760  2872        WerFault.exe  30
-
Suspicious use of WriteProcessMemory 25 IoCs
description                        pid   Process                                        procid_target
PID 2980 wrote to memory of 2768   2980  89e10dab0f6e6787265ae69efe2eea33.exe           28
PID 2980 wrote to memory of 2768   2980  89e10dab0f6e6787265ae69efe2eea33.exe           28
PID 2980 wrote to memory of 2768   2980  89e10dab0f6e6787265ae69efe2eea33.exe           28
PID 2980 wrote to memory of 2768   2980  89e10dab0f6e6787265ae69efe2eea33.exe           28
PID 2980 wrote to memory of 2768   2980  89e10dab0f6e6787265ae69efe2eea33.exe           28
PID 2980 wrote to memory of 2768   2980  89e10dab0f6e6787265ae69efe2eea33.exe           28
PID 2980 wrote to memory of 2768   2980  89e10dab0f6e6787265ae69efe2eea33.exe           28
PID 2980 wrote to memory of 2836   2980  89e10dab0f6e6787265ae69efe2eea33.exe           29
PID 2980 wrote to memory of 2836   2980  89e10dab0f6e6787265ae69efe2eea33.exe           29
PID 2980 wrote to memory of 2836   2980  89e10dab0f6e6787265ae69efe2eea33.exe           29
PID 2980 wrote to memory of 2836   2980  89e10dab0f6e6787265ae69efe2eea33.exe           29
PID 2768 wrote to memory of 2872   2768  ±©·çÓ°Òô2012¸ßÇå°æV3.10.01.15¹Ù·½°æ²¹¶¡.exe  30
PID 2768 wrote to memory of 2872   2768  ±©·çÓ°Òô2012¸ßÇå°æV3.10.01.15¹Ù·½°æ²¹¶¡.exe  30
PID 2768 wrote to memory of 2872   2768  ±©·çÓ°Òô2012¸ßÇå°æV3.10.01.15¹Ù·½°æ²¹¶¡.exe  30
PID 2768 wrote to memory of 2872   2768  ±©·çÓ°Òô2012¸ßÇå°æV3.10.01.15¹Ù·½°æ²¹¶¡.exe  30
PID 2768 wrote to memory of 2872   2768  ±©·çÓ°Òô2012¸ßÇå°æV3.10.01.15¹Ù·½°æ²¹¶¡.exe  30
PID 2768 wrote to memory of 2872   2768  ±©·çÓ°Òô2012¸ßÇå°æV3.10.01.15¹Ù·½°æ²¹¶¡.exe  30
PID 2768 wrote to memory of 2872   2768  ±©·çÓ°Òô2012¸ßÇå°æV3.10.01.15¹Ù·½°æ²¹¶¡.exe  30
PID 2872 wrote to memory of 2760   2872  vx_6.exe                                       31
PID 2872 wrote to memory of 2760   2872  vx_6.exe                                       31
PID 2872 wrote to memory of 2760   2872  vx_6.exe                                       31
PID 2872 wrote to memory of 2760   2872  vx_6.exe                                       31
PID 2872 wrote to memory of 2760   2872  vx_6.exe                                       31
PID 2872 wrote to memory of 2760   2872  vx_6.exe                                       31
PID 2872 wrote to memory of 2760   2872  vx_6.exe                                       31
Processes
-
C:\Users\Admin\AppData\Local\Temp\89e10dab0f6e6787265ae69efe2eea33.exe
  "C:\Users\Admin\AppData\Local\Temp\89e10dab0f6e6787265ae69efe2eea33.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2980
  C:\Users\Admin\AppData\Local\Temp\±©·çÓ°Òô2012¸ßÇå°æV3.10.01.15¹Ù·½°æ²¹¶¡.exe
    "C:\Users\Admin\AppData\Local\Temp\±©·çÓ°Òô2012¸ßÇå°æV3.10.01.15¹Ù·½°æ²¹¶¡.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2768
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vx_6.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vx_6.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      PID:2872
      C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2872 -s 272
        - Loads dropped DLL
        - Program crash
        PID:2760
  C:\Users\Admin\AppData\Local\Temp\dat.exe
    "C:\Users\Admin\AppData\Local\Temp\dat.exe"
    - Executes dropped EXE
    PID:2836
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize  456KB
MD5       7e178a5140bef6ab279fc248fcecf2e1
SHA1      ef1379d1d6a8bb10bfdba97e52468982ab820d9f
SHA256    52edf0107d04ce02afad02b5b79278f47acca980ce4212a1380090688c438091
SHA512    5be068e01483ddab80a29aa2c7c8f7e59c19a1cd6947ef25da9af39a18f93417c0ff035b800b84c049993c26be6153e6db3a7a324a76ed1811d7b6c5e63a861c
-
Filesize  129KB
MD5       818c105a1f47d3684c567b795ab28ce1
SHA1      682deb84809209982daa1ae46d6e461bab6fe6ed
SHA256    8a994deda87e60751ade51c99ad4d34dd2abf774cd9b169cfbddb8b5c8681333
SHA512    5a17e32e9ec6f2531ce260a14994fa4f909c9133a445f312d7308dc9f351725abbeb45b27d47c3c1b56b97b89db2fd8ba309fdc194c54d83b852a02092b60e63
-
Filesize  601KB
MD5       e32032ba8cf97310410cc283df875e18
SHA1      a879010e5d795886dfd6e2252a66ec4ecf12321e
SHA256    ef00fb802e86aee48f68fce5e910ba10ebd05648ee9a639ed38ce16ebe3ac923
SHA512    c175b6bce65ad3a0dd36a2ec66c998fd844adaa5beb195c5ed9a04f63329ab011c62534164e6a9b7fff9f2c61a656a84db04db02ece56e8ac28d54b186fdc22c