Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
16/03/2024, 09:28
Static task
static1
Behavioral task
behavioral1
Sample
cdb2f7f11d89ab88c946a8d397e407fc.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
cdb2f7f11d89ab88c946a8d397e407fc.exe
Resource
win10v2004-20240226-en
General
-
Target
cdb2f7f11d89ab88c946a8d397e407fc.exe
-
Size
107KB
-
MD5
cdb2f7f11d89ab88c946a8d397e407fc
-
SHA1
1d297b6b99a50ea82940f483a928eba0102bf9f4
-
SHA256
fcf93ce4aaa45840be7dd57b5bbfc8c12f376ca7246721c52937276e72dd2745
-
SHA512
67b33dcc0236aa91b261a7999772f34339b2f2442aae13f40287033294a6b29d4aa399803f0507d95b05ff80556c8c372c74c633080254883be4327003f4a392
-
SSDEEP
3072:fBMzWD3JGi0DEtkbEriMzA8Vd42xfWcQ:pMw5+gtkYriMc8VdOcQ
Malware Config
Signatures
-
Program crash 1 IoCs
pid pid_target Process procid_target 4940 4740 WerFault.exe 88 -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeManageVolumePrivilege 3468 svchost.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 2188 wrote to memory of 4740 2188 cdb2f7f11d89ab88c946a8d397e407fc.exe 88 PID 2188 wrote to memory of 4740 2188 cdb2f7f11d89ab88c946a8d397e407fc.exe 88 PID 2188 wrote to memory of 4740 2188 cdb2f7f11d89ab88c946a8d397e407fc.exe 88
Processes
-
C:\Users\Admin\AppData\Local\Temp\cdb2f7f11d89ab88c946a8d397e407fc.exe"C:\Users\Admin\AppData\Local\Temp\cdb2f7f11d89ab88c946a8d397e407fc.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2188 -
C:\Users\Admin\AppData\Local\Temp\cdb2f7f11d89ab88c946a8d397e407fc.exe"C:\Users\Admin\AppData\Local\Temp\cdb2f7f11d89ab88c946a8d397e407fc.exe" q2⤵PID:4740
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4740 -s 8203⤵
- Program crash
PID:4940
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4740 -ip 47401⤵PID:3712
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe1⤵PID:3084
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k UnistackSvcGroup1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3468
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
16KB
MD54c88d7da5727c82eb3b0e0d9203544d3
SHA113b6b11e22661836d1b5c61211b90baf5bec5d5a
SHA256f3b0a919562b72551b53231df86170fa529a14698c33dd79c1b520381e2be41b
SHA51205e179249c68a405a1d7d504e4369d75d6e2f8d52716dc7a4f2c9b886418bb1f6f1833db10d8d7b0b5b1891ef928f61102840103ccb2d1f7aa4553a3e2e7278f