Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

3

a14985182f...66.exe

windows7-x64

8

a14985182f...66.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    147s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240221-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24/02/2024, 07:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a14985182fcd6d0aff13c375c15d5566.exe

  • Size

    268KB

  • MD5

    a14985182fcd6d0aff13c375c15d5566

  • SHA1

    b11f615163e71e623273cc456559c15009cce6cc

  • SHA256

    a9a0b49c1d3b073a04f6f7cb74c688c9ef5de9ef1dbfbd8e0f2da8b90031be45

  • SHA512

    70425cca4b7525f0ed930cee582f641b560bf0c6d8cb2bc8340f9be5f2b3834669a62409ba4dba34ca6fa1819845aa2da2c2115ab62975580d795018c8f4919a

  • SSDEEP

    3072:Bskvo5NHSuErdFqOgzletQj7ExJcSlrtpihGKAOdDI/eVpcLet0v9X3yiZgftJih:oyucGZeQ4kSl5piN5Jp6dreQWdb

Score
8/10
persistence

Malware Config

Signatures

  • Modifies AppInit DLL entries 2 TTPs
    persistence
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 2 IoCs
  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\a14985182fcd6d0aff13c375c15d5566.exe
    "C:\Users\Admin\AppData\Local\Temp\a14985182fcd6d0aff13c375c15d5566.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4860
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240610093.bat" "C:\Users\Admin\AppData\Local\Temp\a14985182fcd6d0aff13c375c15d5566.exe""
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1256
      • C:\Windows\SysWOW64\attrib.exe
        attrib -s -r -h"C:\Users\Admin\AppData\Local\Temp\a14985182fcd6d0aff13c375c15d5566.exe"
        3⤵
        • Views/modifies file attributes
        PID:4320
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1256 -s 376
        3⤵
        • Program crash
        PID:392
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4860 -s 1264
      2⤵
      • Program crash
      PID:2192
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4860 -ip 4860
    1⤵
      PID:2168
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1256 -ip 1256
      1⤵
        PID:2120

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\240610093.bat
        Filesize

        97B

        MD5

        d226a657b279c5fc0a892748230a56ff

        SHA1

        fa7e4fb6d6de3c4769001cbfce0a00ba02ef28a5

        SHA256

        9dae2767b8e3499d37418a75ddd04d457c7ec8d6c8f312ee109c95a8a97e7761

        SHA512

        07d55ccf3b511c3be64f6dcd05cea3feaafb286196e5d7ba30016ab6d9c0d656fb7cde8eb1ce0ef28a41f1f3f00f0e29020c92479619fd43e4ed47b829f8bf2a

        Download Submit

      • C:\Windows\SysWOW64\hdwwEdit.dll
        Filesize

        86KB

        MD5

        8c4e2f845b96e1de93f8907bdff9e4a1

        SHA1

        ddd6ceb172427fb5a203b859b83fc25180fc98bf

        SHA256

        55d9b4ebd3bfbf135151ca5f15c85eff7cbb489552aa97ce14a57617a25e09d2

        SHA512

        897ddeaec45e4d88fe770e6966702e269529bb3448b2aadbd98c58cab0437bc96bb7250dfef34df3e23a5d951e8e7b5206b38e9ef5e20a6b71f438cbab9e1ba4

        Download Submit

      • memory/4860-0-0x0000000001000000-0x0000000001043000-memory.dmp

        Filesize

        268KB

        Download

      • memory/4860-9-0x0000000001000000-0x0000000001043000-memory.dmp

        Filesize

        268KB

        Download