Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

c86d4db3a6...29.exe

windows7-x64

7

c86d4db3a6...29.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14/03/2024, 10:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c86d4db3a672a96e52bab96dba944e29.exe

  • Size

    316KB

  • MD5

    c86d4db3a672a96e52bab96dba944e29

  • SHA1

    7aa861b53decaee20ef1ca793056f4857e883439

  • SHA256

    6b9f880c9522c934e059d4403d8dfd699f3b8be275a342b3b96675de1f87c671

  • SHA512

    f20342f41fc9e9c7717e3ae5401c5212091d4df9e02c645d01c88fe051f7cfc15e81c96627d55d97a37d1a2de0572860eabd48ae0eb84c43b67c112e5246d79f

  • SSDEEP

    6144:8Rae4PuyhfpILvis7kA4vryAAuSSTVsK2Kf5Urd:maeODFwis7kAwxVT2Ki

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • Kills process with taskkill 1 IoCs
    evasion
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c86d4db3a672a96e52bab96dba944e29.exe
    "C:\Users\Admin\AppData\Local\Temp\c86d4db3a672a96e52bab96dba944e29.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3408
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 500
      2⤵
      • Program crash
      PID:3024
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taskkill /f /pid 3408 & ping -n 3 127.1 & del /f /q "C:\Users\Admin\AppData\Local\Temp\c86d4db3a672a96e52bab96dba944e29.exe" & start C:\Users\Admin\AppData\Local\dobmmg.exe -f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4876
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /pid 3408
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1004
      • C:\Windows\SysWOW64\PING.EXE
        ping -n 3 127.1
        3⤵
        • Runs ping.exe
        PID:3468
      • C:\Users\Admin\AppData\Local\dobmmg.exe
        C:\Users\Admin\AppData\Local\dobmmg.exe -f
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:4380
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 428
          4⤵
          • Program crash
          PID:2080
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3408 -ip 3408
    1⤵
      PID:312
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4380 -ip 4380
      1⤵
        PID:1664

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\dobmmg.exe
        Filesize

        316KB

        MD5

        c86d4db3a672a96e52bab96dba944e29

        SHA1

        7aa861b53decaee20ef1ca793056f4857e883439

        SHA256

        6b9f880c9522c934e059d4403d8dfd699f3b8be275a342b3b96675de1f87c671

        SHA512

        f20342f41fc9e9c7717e3ae5401c5212091d4df9e02c645d01c88fe051f7cfc15e81c96627d55d97a37d1a2de0572860eabd48ae0eb84c43b67c112e5246d79f

        Download Submit

      • memory/3408-0-0x00000000005A0000-0x00000000005A2000-memory.dmp

        Filesize

        8KB

        Download

      • memory/3408-1-0x0000000001000000-0x00000000010B4000-memory.dmp

        Filesize

        720KB

        Download

      • memory/3408-2-0x0000000000590000-0x0000000000592000-memory.dmp

        Filesize

        8KB

        Download

      • memory/3408-4-0x0000000001000000-0x00000000010B4000-memory.dmp

        Filesize

        720KB

        Download

      • memory/4380-8-0x0000000000520000-0x0000000000522000-memory.dmp

        Filesize

        8KB

        Download

      • memory/4380-10-0x0000000001000000-0x00000000010B4000-memory.dmp

        Filesize

        720KB

        Download