Analysis
max time kernel: 140s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12/03/2024, 18:33
Behavioral task
behavioral1
Sample
c40ff7d4fbae3ba144f8739f7a7c2035.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
c40ff7d4fbae3ba144f8739f7a7c2035.exe
Resource
win10v2004-20240226-en
General
-
Target
c40ff7d4fbae3ba144f8739f7a7c2035.exe
-
Size
1003KB
-
MD5
c40ff7d4fbae3ba144f8739f7a7c2035
-
SHA1
34683380e66e19640d89dd5e48c98d0e582c4b45
-
SHA256
dcefe181389e4bbae16b0a5b0a9f705819c087f9afff15a797f4778af0e9757e
-
SHA512
6d94b7aa2e17ecfc0d5fefac229d508724481567e0f2fd1ca4edeaa1bd37d2eb0b234aa92cf029a74158048acbf315dfbed4a182c669baef6ff4b83cb34fb855
-
SSDEEP
24576:kNEIrnsALyscY1oqAacVonPHke5gEgKjwnS:kNE4nsAescPqAacVekV1KjwnS
Malware Config
Signatures
-
Deletes itself 1 IoCs
pid | Process
1332 | c40ff7d4fbae3ba144f8739f7a7c2035.exe
Executes dropped EXE 1 IoCs
pid | Process
1332 | c40ff7d4fbae3ba144f8739f7a7c2035.exe
resource | yara_rule
behavioral2/memory/1020-0-0x0000000000400000-0x000000000065C000-memory.dmp | upx
behavioral2/memory/1332-13-0x0000000000400000-0x000000000065C000-memory.dmp | upx
behavioral2/files/0x000400000002271f-12.dat | upx
Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs
flow | ioc
28 | pastebin.com
Program crash 8 IoCs
pid | pid_target | Process | procid_target
1860 | 1332 | WerFault.exe | 98
1944 | 1332 | WerFault.exe | 98
4440 | 1332 | WerFault.exe | 98
2980 | 1332 | WerFault.exe | 98
1904 | 1332 | WerFault.exe | 98
1940 | 1332 | WerFault.exe | 98
1940 | 1332 | WerFault.exe | 98
4976 | 1332 | WerFault.exe | 98
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution. Here the task re-launches the dropped copy from the user's Temp directory at every logon with the highest privileges available to the account (/SC ONLOGON /RL HIGHEST), and /F overwrites any existing task of that name without prompting.
pid | Process
1088 | schtasks.exe
Suspicious behavior: RenamesItself 1 IoCs
pid | Process
1020 | c40ff7d4fbae3ba144f8739f7a7c2035.exe
Suspicious use of UnmapMainImage 2 IoCs
pid | Process
1020 | c40ff7d4fbae3ba144f8739f7a7c2035.exe
1332 | c40ff7d4fbae3ba144f8739f7a7c2035.exe
Suspicious use of WriteProcessMemory 12 IoCs
description | pid | Process | procid_target
PID 1020 wrote to memory of 1332 | 1020 | c40ff7d4fbae3ba144f8739f7a7c2035.exe | 98
PID 1020 wrote to memory of 1332 | 1020 | c40ff7d4fbae3ba144f8739f7a7c2035.exe | 98
PID 1020 wrote to memory of 1332 | 1020 | c40ff7d4fbae3ba144f8739f7a7c2035.exe | 98
PID 1332 wrote to memory of 1088 | 1332 | c40ff7d4fbae3ba144f8739f7a7c2035.exe | 99
PID 1332 wrote to memory of 1088 | 1332 | c40ff7d4fbae3ba144f8739f7a7c2035.exe | 99
PID 1332 wrote to memory of 1088 | 1332 | c40ff7d4fbae3ba144f8739f7a7c2035.exe | 99
PID 1332 wrote to memory of 4792 | 1332 | c40ff7d4fbae3ba144f8739f7a7c2035.exe | 101
PID 1332 wrote to memory of 4792 | 1332 | c40ff7d4fbae3ba144f8739f7a7c2035.exe | 101
PID 1332 wrote to memory of 4792 | 1332 | c40ff7d4fbae3ba144f8739f7a7c2035.exe | 101
PID 4792 wrote to memory of 624 | 4792 | cmd.exe | 103
PID 4792 wrote to memory of 624 | 4792 | cmd.exe | 103
PID 4792 wrote to memory of 624 | 4792 | cmd.exe | 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\c40ff7d4fbae3ba144f8739f7a7c2035.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c40ff7d4fbae3ba144f8739f7a7c2035.exe"
  PID: 1020
  - Suspicious behavior: RenamesItself
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\c40ff7d4fbae3ba144f8739f7a7c2035.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\c40ff7d4fbae3ba144f8739f7a7c2035.exe
    PID: 1332
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\c40ff7d4fbae3ba144f8739f7a7c2035.exe" /TN v3dGbWFyc353 /F
      PID: 1088
      - Creates scheduled task(s)
    C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c schtasks.exe /Query /XML /TN v3dGbWFyc353 > C:\Users\Admin\AppData\Local\Temp\eDip5G.xml
      PID: 4792
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\schtasks.exe
        Command line: schtasks.exe /Query /XML /TN v3dGbWFyc353
        PID: 624
    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1332 -s 608
      PID: 1860
      - Program crash
    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1332 -s 604
      PID: 1944
      - Program crash
    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1332 -s 608
      PID: 4440
      - Program crash
    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1332 -s 740
      PID: 2980
      - Program crash
    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1332 -s 736
      PID: 1904
      - Program crash
    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1332 -s 792
      PID: 1940
      - Program crash
    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1332 -s 1288
      PID: 1940
      - Program crash
    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1332 -s 724
      PID: 4976
      - Program crash
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1332 -ip 1332
  PID: 2220
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1332 -ip 1332
  PID: 3012
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1332 -ip 1332
  PID: 3464
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1332 -ip 1332
  PID: 820
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1332 -ip 1332
  PID: 2892
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1332 -ip 1332
  PID: 4508
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1332 -ip 1332
  PID: 3812
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4048 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:8
  PID: 2648
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1332 -ip 1332
  PID: 2676
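The following is an added detection example, not part of the tria.ge report and not its signature logic. It scores process-creation events for the scheduled-task persistence pattern seen in the process tree above (task action under the user's Temp directory, ONLOGON trigger, /RL HIGHEST, /F, a generated-looking task name, parent process itself running from Temp) and ties the later `schtasks /Query /XML` export back to the task it created. The event records are constructed in the shape of Sysmon Event ID 1 / Security 4688 fields: the two schtasks command lines are the ones from this report, while the NightlyBackup task is an invented benign control; the switch parser, the directory list and the one-point-per-trait scoring are assumptions of this example.

```python
import re

# Constructed process-creation records in the shape of Sysmon Event ID 1 /
# Security 4688 fields. Records 1088 and 624 carry the schtasks command lines
# shown in the process tree above; record 5000 is a constructed benign task.
EVENTS = [
    {"pid": 1088,
     "parent_image": r"C:\Users\Admin\AppData\Local\Temp\c40ff7d4fbae3ba144f8739f7a7c2035.exe",
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\c40ff7d4fbae3ba144f8739f7a7c2035.exe" /TN v3dGbWFyc353 /F'},
    {"pid": 624,
     "parent_image": r"C:\Windows\SysWOW64\cmd.exe",
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r"schtasks.exe /Query /XML /TN v3dGbWFyc353"},
    {"pid": 5000,  # invented benign control
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /CREATE /SC DAILY /ST 02:00 /TR "C:\Program Files\Backup\backup.exe" /TN NightlyBackup'},
]

TOKEN_RE = re.compile(r'"[^"]*"|\S+')          # a quoted string or a bare word
# Directories a standard user can write to (assumed list); a task action that
# lives in one of them is a classic persistence tell.
USER_WRITABLE_RE = re.compile(
    r"\\(AppData\\Local\\Temp|AppData\\Roaming|Downloads|Users\\Public|Windows\\Temp)\\", re.I)
NO_VALUE = {"/F", "/V", "/Z", "/NP", "/IT", "/HRESULT"}   # switches that never take a value
VERBS = {"/CREATE", "/QUERY", "/DELETE", "/RUN", "/CHANGE", "/END"}
# Mixed-case letters plus digits with no separator: the shape of a generated name.
GENERATED_NAME_RE = re.compile(r"^(?=.*\d)(?=.*[a-z])(?=.*[A-Z])[A-Za-z0-9]{8,}$")


def parse_schtasks(cmdline):
    """Split a schtasks command line into (verb, {switch: value}, {flags}).

    Switch names are upper-cased. A switch consumes the next token as its value
    unless it is a known valueless switch or the next token is itself a switch,
    which makes /XML a flag under /QUERY but a value under /CREATE.
    """
    toks = [t.strip('"') for t in TOKEN_RE.findall(cmdline)]
    verb, opts, flags = None, {}, set()
    i = 1                                       # toks[0] is the program name
    while i < len(toks):
        up = toks[i].upper()
        if up in VERBS:
            verb = up
        elif (up.startswith("/") and up not in NO_VALUE
              and i + 1 < len(toks) and not toks[i + 1].startswith("/")):
            opts[up] = toks[i + 1]
            i += 1
        elif up.startswith("/"):
            flags.add(up)
        i += 1
    return verb, opts, flags


def assess(event, flagged_tasks):
    """Return (score, reasons) for one event, one point per suspicious trait.

    flagged_tasks maps task names seen in a suspicious /CREATE to the creating
    pid, so a later /QUERY /XML of the same task is tied back to it.
    """
    reasons = []
    if not event["image"].lower().endswith("\\schtasks.exe"):
        return 0, reasons
    if USER_WRITABLE_RE.search(event["parent_image"]):
        reasons.append("parent process itself runs from a user-writable path")
    verb, opts, flags = parse_schtasks(event["cmdline"])
    name = opts.get("/TN", "")
    if verb == "/CREATE":
        action = opts.get("/TR", "")
        if USER_WRITABLE_RE.search(action):
            reasons.append("task action runs from a user-writable path: " + action)
        if opts.get("/SC", "").upper() in ("ONLOGON", "ONSTART"):
            reasons.append("trigger " + opts["/SC"].upper() + " re-runs the binary at every logon/boot")
        if opts.get("/RL", "").upper() == "HIGHEST":
            reasons.append("/RL HIGHEST asks for the highest privileges the account holds")
        if "/F" in flags:
            reasons.append("/F overwrites an existing task of the same name without prompting")
        if GENERATED_NAME_RE.match(name):
            reasons.append("task name looks machine-generated: " + name)
        if reasons:
            flagged_tasks[name] = event["pid"]
    elif verb == "/QUERY" and "/XML" in flags and name in flagged_tasks:
        reasons.append("exports the XML definition of task %s created by pid %d"
                       % (name, flagged_tasks[name]))
    return len(reasons), reasons


def run(events):
    """Score events in order; returns {pid: (score, reasons)} for hits only."""
    flagged, findings = {}, {}
    for ev in events:
        score, reasons = assess(ev, flagged)
        if score:
            findings[ev["pid"]] = (score, reasons)
    return findings


if __name__ == "__main__":
    for pid, (score, reasons) in run(EVENTS).items():
        print("pid %d score %d" % (pid, score))
        for r in reasons:
            print("  -", r)
```

Events must be fed in creation order for the /QUERY correlation to work, and the directory list is deliberately short; extend it to whatever staging paths your environment treats as user-writable. The crash loop in the tree (eight WerFault children of pid 1332) is not scored here because it is a side effect, not a technique.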
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 1003KB
MD5: f26ad825200c32916c3a1c835f8fb7ed
SHA1: b5a625b5ab49de5678f4c61e696e85fc7403d47e
SHA256: 647d20eb16c62c5901cc89d865516c572c37ec8c759882ed71f91a176c3d28e1
SHA512: de95d0faf69cd15c0c0a50b84129ed97f18c6c37b06451e72fb713ededc483e527a711100b445f26738d96528768460825bff660f85ae1c91f3ea21aa4eb3fc5

Filesize: 1KB
MD5: e33699ed28f98c97de9ec0f26a3a947e
SHA1: 50830632aff1540ca6be3b46bce3fa27201d475a
SHA256: 31a9f0abb5cc82a0b0c0dc71a189118ea267ead01cdf7927fc88e1c5245e1ae4
SHA512: e676c1015e1732fc3bc9b0136020939366c6c63761196712d5dcb8ed89b2899c46d7a2d2e9c69adfaba71062ff0f96992fb37a454b535e1a93925e2092a39326