Analysis
- max time kernel: 91s
- max time network: 121s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 13/02/2024, 02:51
Static task: static1
Behavioral task: behavioral1
- Sample: 984a29ed843495d8d4b5c9f0ce76f503.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 984a29ed843495d8d4b5c9f0ce76f503.exe
- Resource: win10v2004-20231215-en
General
- Target: 984a29ed843495d8d4b5c9f0ce76f503.exe
- Size: 72KB
- MD5: 984a29ed843495d8d4b5c9f0ce76f503
- SHA1: 875f1be2999b177691c539eb808309b0f9406c00
- SHA256: 98cb5a1da4154973cb38c6d9115f2a77d5469d26bc573cabfc34e6209af0ced2
- SHA512: 4fc65792db66a373ffe991c6084ac9ea07e44dab93ac3e14dcc42f5a001e71c8b1373899b642fa08e837321a672d7076c1b49cd124b6c82bf771299d35e3120c
- SSDEEP: 1536:s4qwTsEnBkD85T5nGTfHkB30yPLyFcfYWx0cN2HOydYrn:zT3BlKfHk1N2uydO
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid 452, process CnsMln.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\CnsMln = "CnsM" (process 984a29ed843495d8d4b5c9f0ce76f503.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\CnsMln = "CnsM" (process CnsMln.exe)
- Drops file in Windows directory (3 IoCs)
  File created: C:\Windows\CnsMln.exe (process 984a29ed843495d8d4b5c9f0ce76f503.exe)
  File opened for modification: C:\Windows\CnsMln.exe (process 984a29ed843495d8d4b5c9f0ce76f503.exe)
  File created: C:\Windows\CnsMln.exe (process CnsMln.exe)
- Program crash (1 IoC)
  pid 4704 (WerFault.exe), pid_target 452, procid_target 85
- Suspicious behavior: EnumeratesProcesses (18 IoCs)
  pid 452, process CnsMln.exe (18 occurrences)
- Suspicious use of WriteProcessMemory (3 IoCs)
  PID 3156 (984a29ed843495d8d4b5c9f0ce76f503.exe) wrote to memory of 452, procid_target 85 (3 occurrences)
Processes
- C:\Users\Admin\AppData\Local\Temp\984a29ed843495d8d4b5c9f0ce76f503.exe (PID 3156)
  Command line: "C:\Users\Admin\AppData\Local\Temp\984a29ed843495d8d4b5c9f0ce76f503.exe"
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - C:\Windows\CnsMln.exe (PID 452)
    Command line: C:\Windows\CnsMln.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - C:\Windows\SysWOW64\WerFault.exe (PID 4704)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 452 -s 684
      - Program crash
- C:\Windows\SysWOW64\WerFault.exe (PID 3748)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 452 -ip 452
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 72KB
- MD5: 984a29ed843495d8d4b5c9f0ce76f503
- SHA1: 875f1be2999b177691c539eb808309b0f9406c00
- SHA256: 98cb5a1da4154973cb38c6d9115f2a77d5469d26bc573cabfc34e6209af0ced2
- SHA512: 4fc65792db66a373ffe991c6084ac9ea07e44dab93ac3e14dcc42f5a001e71c8b1373899b642fa08e837321a672d7076c1b49cd124b6c82bf771299d35e3120c