Analysis
- max time kernel: 92s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03/02/2024, 17:29
Static task: static1
Behavioral task: behavioral1
- Sample: 8cec5a41022f1ecf9adb09218b8421df.exe
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: 8cec5a41022f1ecf9adb09218b8421df.exe
- Resource: win10v2004-20231215-en
General
- Target: 8cec5a41022f1ecf9adb09218b8421df.exe
- Size: 128KB
- MD5: 8cec5a41022f1ecf9adb09218b8421df
- SHA1: 169ec91aaf53dedd7c0c20826ff98985e76750af
- SHA256: 8da3135350ff1c3636ba730cbe51f68a63e82093af86cbacbe008dd3a9b3e1a4
- SHA512: d7061ac7c8a99d747b247e473db985c4d6ad3e84387d1bd1d03d12d5515a4ffe7784a0d07140732ec0e5aab9186ea3a1d7a15e166f0d2db1ef75b273f0d71033
- SSDEEP: 1536:gtbk9vLGbDNuy9C3Vmto53WKfD+wCC45AI/YvVyaGh3no8ndUEbVVzREFJ:EbS3Vmto3WKR45BwV/G5nokLbDzEJ
Malware Config
Signatures
Executes dropped EXE (2 IoCs)
- pid 3964, process bdyny79m.exe
- pid 2028, process bdyny79m.exe

Adds Run key to start application (2 TTPs, 1 IoC)
- Set value (str): \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ly31bld = "C:\\Users\\Admin\\AppData\\Roaming\\bdyny79m.exe", process 8cec5a41022f1ecf9adb09218b8421df.exe

Suspicious use of SetThreadContext (2 IoCs)
- PID 4112 set thread context of 860, process 8cec5a41022f1ecf9adb09218b8421df.exe, procid_target 85
- PID 3964 set thread context of 2028, process bdyny79m.exe, procid_target 88

Program crash (2 IoCs)
- pid 2588, pid_target 3964, process WerFault.exe, procid_target 89
- pid 3484, pid_target 4112, process WerFault.exe, procid_target 84

Suspicious use of WriteProcessMemory (13 IoCs)
- PID 4112 wrote to memory of 860, process 8cec5a41022f1ecf9adb09218b8421df.exe, procid_target 85
- PID 4112 wrote to memory of 860, process 8cec5a41022f1ecf9adb09218b8421df.exe, procid_target 85
- PID 4112 wrote to memory of 860, process 8cec5a41022f1ecf9adb09218b8421df.exe, procid_target 85
- PID 4112 wrote to memory of 860, process 8cec5a41022f1ecf9adb09218b8421df.exe, procid_target 85
- PID 4112 wrote to memory of 860, process 8cec5a41022f1ecf9adb09218b8421df.exe, procid_target 85
- PID 860 wrote to memory of 3964, process 8cec5a41022f1ecf9adb09218b8421df.exe, procid_target 89
- PID 860 wrote to memory of 3964, process 8cec5a41022f1ecf9adb09218b8421df.exe, procid_target 89
- PID 860 wrote to memory of 3964, process 8cec5a41022f1ecf9adb09218b8421df.exe, procid_target 89
- PID 3964 wrote to memory of 2028, process bdyny79m.exe, procid_target 88
- PID 3964 wrote to memory of 2028, process bdyny79m.exe, procid_target 88
- PID 3964 wrote to memory of 2028, process bdyny79m.exe, procid_target 88
- PID 3964 wrote to memory of 2028, process bdyny79m.exe, procid_target 88
- PID 3964 wrote to memory of 2028, process bdyny79m.exe, procid_target 88
Processes
- C:\Users\Admin\AppData\Local\Temp\8cec5a41022f1ecf9adb09218b8421df.exe (PID 4112)
  Command line: "C:\Users\Admin\AppData\Local\Temp\8cec5a41022f1ecf9adb09218b8421df.exe"
  Signatures: Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\8cec5a41022f1ecf9adb09218b8421df.exe (PID 860)
    Command line: C:\Users\Admin\AppData\Local\Temp\8cec5a41022f1ecf9adb09218b8421df.exe
    Signatures: Adds Run key to start application; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\bdyny79m.exe (PID 3964)
      Command line: C:\Users\Admin\AppData\Roaming\bdyny79m.exe
      Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\WerFault.exe (PID 2588)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3964 -s 252
        Signatures: Program crash
  - C:\Windows\SysWOW64\WerFault.exe (PID 3484)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4112 -s 236
    Signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe (PID 2720)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 4112 -ip 4112
- C:\Users\Admin\AppData\Roaming\bdyny79m.exe (PID 2028)
  Command line: C:\Users\Admin\AppData\Roaming\bdyny79m.exe
  Signatures: Executes dropped EXE
- C:\Windows\SysWOW64\WerFault.exe (PID 3876)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3964 -ip 3964
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 73KB
  MD5: a90e655931d1b51958728b8142b5374e
  SHA1: 8da49bff7eaa9e63c292fc2a861d7028d8fa874a
  SHA256: 6c96887fd570c0cc9b2ca2e091a9442dc659a12a8bd23ec6a45b6e3aef459ac1
  SHA512: 27a9b2a1c3a4d8b1f6f376cea6557d7e890c4147f6b13bd702322f3b8fff6b7ce8f8c4151c56e84f0991ebf454ce848cdba8b2dc2b9ff7db4e4058d4a3a5ffb3
- Filesize: 71KB
  MD5: bebbc03f0f0548a4a0c65540642b7b26
  SHA1: 75e463433f2bf81e3750ced7cc33ae51aa380c79
  SHA256: e10a99d6dfbcca1562d19774b202f98a889fa399d76c44a304908c8cde175b35
  SHA512: 43188900c1dae932d97f4665ca1bb1c32f9e6461f9df73b4a5c2ba6ec630e26f81473b02509ee5b8ff718fd6cf2fa5f42d8a8440eaa1d28e123615765af5a696
- Filesize: 69KB
  MD5: 9c9d36b588bb1ed8add898363c67651e
  SHA1: d949e7e5b750f52c4bbbcf09d9e9ce686790623f
  SHA256: 3fb794f4c82cc815b33c8ddca0ec6c069f7632fe6b3ff8cf43c28251c46b8826
  SHA512: 06891e4c4fedd2d3a9e1b335978ea750ae66dec2a4b23e056709957e86afcb42d2e026b3d0bb60d38e3b154a8e5e7b9376a1c32933557c17a049e46891086a92