Analysis
- max time kernel: 142s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 04/03/2024, 14:06
Static task: static1
Behavioral task: behavioral1
- Sample: b2513ad2f69e95139b51cd2da8c09064.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: b2513ad2f69e95139b51cd2da8c09064.exe
- Resource: win10v2004-20240226-en
General
- Target: b2513ad2f69e95139b51cd2da8c09064.exe
- Size: 1.0MB
- MD5: b2513ad2f69e95139b51cd2da8c09064
- SHA1: 9be7c6c865f270fc3ddae090a7e3d3eccecd2026
- SHA256: 8f72d46efcdeb6a82eade69cde0492916191d3802a38872c57be9d59009101a7
- SHA512: 890684a6d127db8535ab8f2b342fae7f715b5d0ebf0a54447dbe2dc6f58fc9fa77e251ee6c2e686833d3f4b113ca570aabdfb3ac3a397cae9916289b0efec93e
- SSDEEP: 24576:NamTlvvYXDZdzIKY0zD87wK0YICHPhBPchUwOoUaw:N5lH0VNIT7yIHpBsDs1
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid 1292: usnscv.exe
- Loads dropped DLL (7 IoCs)
  pid 1152: b2513ad2f69e95139b51cd2da8c09064.exe (2 entries)
  pid 1292: usnscv.exe (1 entry)
  pid 2588: WerFault.exe (4 entries)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ctfmon = "\"C:\\Users\\Admin\\AppData\\Local\\usnscv.exe\"" (process: reg.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoC)
  pid 2588, pid_target 1292, process WerFault.exe, procid_target 28
- Modifies registry key (1 TTP, 1 IoC)
  pid 2600: reg.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid 1292: usnscv.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid 1292: usnscv.exe
- Suspicious use of WriteProcessMemory (23 IoCs; identical rows collapsed with a count)
  PID 1152 (b2513ad2f69e95139b51cd2da8c09064.exe) wrote to memory of 1292, procid_target 28 (x4)
  PID 1292 (usnscv.exe) wrote to memory of 2868, procid_target 29 (x7)
  PID 2868 (cmd.exe) wrote to memory of 2552, procid_target 31 (x4)
  PID 2552 (cmd.exe) wrote to memory of 2600, procid_target 32 (x4)
  PID 1292 (usnscv.exe) wrote to memory of 2588, procid_target 33 (x4)
Processes (process tree; indentation shows parent/child depth)
1. C:\Users\Admin\AppData\Local\Temp\b2513ad2f69e95139b51cd2da8c09064.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\b2513ad2f69e95139b51cd2da8c09064.exe"
   PID: 1152
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\usnscv.exe
      Command line: "C:\Users\Admin\AppData\Local\usnscv.exe"
      PID: 1292
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe
         Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\winupdate.bat" "
         PID: 2868
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\cmd.exe
            Command line: cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V ctfmon /D "\"C:\Users\Admin\AppData\Local\usnscv.exe\"" /f
            PID: 2552
            - Suspicious use of WriteProcessMemory
            5. C:\Windows\SysWOW64\reg.exe
               Command line: REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V ctfmon /D "\"C:\Users\Admin\AppData\Local\usnscv.exe\"" /f
               PID: 2600
               - Adds Run key to start application
               - Modifies registry key
      3. C:\Windows\SysWOW64\WerFault.exe
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1292 -s 600
         PID: 2588
         - Loads dropped DLL
         - Program crash
Network
MITRE ATT&CK Enterprise v15
Downloads
- Dropped file 1
  Filesize: 148B
  MD5: 6f893fa27049e87617787e4964ad5ecb
  SHA1: 2efa3418e797e4d5ced66044eff405cb2f93060c
  SHA256: a9912cc06ab8465ecbf27c5b6887ba94421e213d1fff1467ee1d8f20a72f0b60
  SHA512: 08188fd11947612212701c3fffc253bb69530091115cf6c59650ed70851a8b56b5508cf458df9e742956144be1b3738560a33871a4be782798a63f04b7dae57f
- Dropped file 2
  Filesize: 71KB
  MD5: ba190ef2c7ede61ef4459947f92689a7
  SHA1: 0972e154a52f86a8126b1f79575b888ab63e5b13
  SHA256: d06c7c0f8810a75e92b2654a2f2b54d35b1a1cf8c92ea0ef1320630f1b736424
  SHA512: e68efb700614476abfcd0e503f1a142ee8b8ba761bb1467f7c58e21fb38a1e00d4bb0005eb85f93d0845b9d3f2344e0d32c1c5cebfa79610649213162f646626
- Dropped file 3
  Filesize: 559KB
  MD5: 027905218f9a0db3f92e33de4eb30b31
  SHA1: da5e3fb607c31cf125ec9dd61b5504c845d5ca7a
  SHA256: 94b41ed321c207eeea31a86f606fcd26b26bb26a88bd81b761cdf27b0b90deea
  SHA512: 46f55d671a4d468b6ee61a5c4bf8465ca941342f95fed0f60636a535d259e83ee2d98a4fb673f9b95cf6ddb8bd61bbe9b72cf55c6f6e18201a39181b82b2743d