Analysis
max time kernel
292s
max time network
300s
platform
windows10-1703_x64
resource
win10-20240214-en
resource tags
arch:x64 arch:x86 image:win10-20240214-en locale:en-us os:windows10-1703-x64 system
submitted
20/02/2024, 04:48
Static task
static1
Behavioral task
behavioral1
Sample
35fa730adfdd0b15211d9bc04950f44d90daa9e72bb945d1158906b15fdde7c7.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
35fa730adfdd0b15211d9bc04950f44d90daa9e72bb945d1158906b15fdde7c7.exe
Resource
win10-20240214-en
General
Target
35fa730adfdd0b15211d9bc04950f44d90daa9e72bb945d1158906b15fdde7c7.exe
Size
1.9MB
MD5
91daf47ec23bdc6e075f0b4d81f9d6c7
SHA1
3c4ffceccf97568efeff3939f51a12bbee63f6af
SHA256
35fa730adfdd0b15211d9bc04950f44d90daa9e72bb945d1158906b15fdde7c7
SHA512
c1ca51f839569bff829e3fd1e21d900833126cd320a7a36c74c149e5dc4a35ba61254dc6860ec51debb2b0ac91817639757d08bd34f8d7366ec1c9ba4f5eec96
SSDEEP
49152:2NVoFnW4i20zpdFRmgXBlLkHSCZ3aQx3PSGFivxfQhIrdY4I:/nW4iZ9dFwgXfLkHtZn3tF4xYh99
Malware Config
Signatures
Adds Run key to start application 2 TTPs 1 IoCs
description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CSRSS = "\"C:\\ProgramData\\Drivers\\csrss.exe\""
Process: 35fa730adfdd0b15211d9bc04950f44d90daa9e72bb945d1158906b15fdde7c7.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
flow ioc
157 89ea5e0a101f.ngrok.io
195 89ea5e0a101f.ngrok.io
275 89ea5e0a101f.ngrok.io
1070 89ea5e0a101f.ngrok.io
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target
PID 2924 set thread context of 2740 | 2924 | 35fa730adfdd0b15211d9bc04950f44d90daa9e72bb945d1158906b15fdde7c7.exe | 74
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid pid_target Process procid_target
9656 2740 WerFault.exe 74
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process
2740 35fa730adfdd0b15211d9bc04950f44d90daa9e72bb945d1158906b15fdde7c7.exe
2740 35fa730adfdd0b15211d9bc04950f44d90daa9e72bb945d1158906b15fdde7c7.exe
2740 35fa730adfdd0b15211d9bc04950f44d90daa9e72bb945d1158906b15fdde7c7.exe
2740 35fa730adfdd0b15211d9bc04950f44d90daa9e72bb945d1158906b15fdde7c7.exe
2740 35fa730adfdd0b15211d9bc04950f44d90daa9e72bb945d1158906b15fdde7c7.exe
2740 35fa730adfdd0b15211d9bc04950f44d90daa9e72bb945d1158906b15fdde7c7.exe
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target
PID 2924 wrote to memory of 2740 | 2924 | 35fa730adfdd0b15211d9bc04950f44d90daa9e72bb945d1158906b15fdde7c7.exe | 74
PID 2924 wrote to memory of 2740 | 2924 | 35fa730adfdd0b15211d9bc04950f44d90daa9e72bb945d1158906b15fdde7c7.exe | 74
PID 2924 wrote to memory of 2740 | 2924 | 35fa730adfdd0b15211d9bc04950f44d90daa9e72bb945d1158906b15fdde7c7.exe | 74
PID 2924 wrote to memory of 2740 | 2924 | 35fa730adfdd0b15211d9bc04950f44d90daa9e72bb945d1158906b15fdde7c7.exe | 74
PID 2924 wrote to memory of 2740 | 2924 | 35fa730adfdd0b15211d9bc04950f44d90daa9e72bb945d1158906b15fdde7c7.exe | 74
PID 2924 wrote to memory of 2740 | 2924 | 35fa730adfdd0b15211d9bc04950f44d90daa9e72bb945d1158906b15fdde7c7.exe | 74
PID 2924 wrote to memory of 2740 | 2924 | 35fa730adfdd0b15211d9bc04950f44d90daa9e72bb945d1158906b15fdde7c7.exe | 74
PID 2924 wrote to memory of 2740 | 2924 | 35fa730adfdd0b15211d9bc04950f44d90daa9e72bb945d1158906b15fdde7c7.exe | 74
Processes
1. C:\Users\Admin\AppData\Local\Temp\35fa730adfdd0b15211d9bc04950f44d90daa9e72bb945d1158906b15fdde7c7.exe
   "C:\Users\Admin\AppData\Local\Temp\35fa730adfdd0b15211d9bc04950f44d90daa9e72bb945d1158906b15fdde7c7.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   PID: 2924
   2. C:\Users\Admin\AppData\Local\Temp\35fa730adfdd0b15211d9bc04950f44d90daa9e72bb945d1158906b15fdde7c7.exe
      "C:\Users\Admin\AppData\Local\Temp\35fa730adfdd0b15211d9bc04950f44d90daa9e72bb945d1158906b15fdde7c7.exe"
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      PID: 2740
      3. C:\Windows\SysWOW64\WerFault.exe
         C:\Windows\SysWOW64\WerFault.exe -u -p 2740 -s 3748
         - Program crash
         PID: 9656
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize
2.6MB
MD5
ccfc66c482231adf2bcc81ec8a31355a
SHA1
da0d17e889d210024eea48a09f0c75df9c35c4f2
SHA256
d1a694832cfda9ac92a494f0c87cbff68cadf29954b1942238579fc846316d19
SHA512
d8618ae6236d64d87e9beff26e47408180a729ad5e166f3a8baefba78358cf9dfd164911d87dfbaf8987f82da9046df5e0b4dcd9dbfbeb654cedee6ac03de4fc
Filesize
927KB
MD5
7b746a6fbb870a558bfbc9cbb4bc0174
SHA1
59ea23ca777bcabebb3e116d097311be71f870fb
SHA256
46df9cec0fb0c4df8b168ed61d2c8b7e3883e72882218faf95c6a573934540f3
SHA512
edfeab6e4b4244278262f1cef73c1f5de8d93f92f5589fae9e3f0323e2e8fd697fea734d5b70f808a8d14725a0f34d344becd4bd1bb8ac05a7476609a3f9b3bb