Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

d779c777a2...c4.exe

windows7-x64

7

d779c777a2...c4.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    147s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240319-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240319-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20/03/2024, 00:37 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d779c777a29f9250ff00ecbdc765c4c4.exe

  • Size

    380KB

  • MD5

    d779c777a29f9250ff00ecbdc765c4c4

  • SHA1

    8dfec79231cc8dcd8d310aac935eb00f396a2a35

  • SHA256

    ecd638f701bf62044f91a3179b4f1381c1195e053e976cdc29b4a89d625f30dd

  • SHA512

    b89889227782aec04df8080f2afb7aac3ab6badd1eb8c572df1f12503cc17f6cf931da403e878ac5b8f85daf54ed958952d614fdfe4f1162d51c51540da7fea4

  • SSDEEP

    6144:sAoHZ+azbYMVsx/PaRs+4FEUqs6PbcFMRJ8lMuSM+gnktWx9Xxao/Lf:lotoMSPakAPbcgJpMdnwgXxawL

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 13 IoCs
  • Kills process with taskkill 1 IoCs
    evasion
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d779c777a29f9250ff00ecbdc765c4c4.exe
    "C:\Users\Admin\AppData\Local\Temp\d779c777a29f9250ff00ecbdc765c4c4.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2808
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2808 -s 588
      2⤵
      • Program crash
      PID:1068
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2808 -s 600
      2⤵
      • Program crash
      PID:4892
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2808 -s 776
      2⤵
      • Program crash
      PID:4192
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2808 -s 872
      2⤵
      • Program crash
      PID:3564
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2808 -s 1052
      2⤵
      • Program crash
      PID:3008
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2808 -s 1068
      2⤵
      • Program crash
      PID:4884
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2808 -s 1108
      2⤵
      • Program crash
      PID:4284
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2808 -s 1068
      2⤵
      • Program crash
      PID:2492
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taskkill /f /pid 2808 & ping -n 3 127.1 & del /f /q "C:\Users\Admin\AppData\Local\Temp\d779c777a29f9250ff00ecbdc765c4c4.exe" & start C:\Users\Admin\AppData\Local\ICBASM~1.EXE -f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4440
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /pid 2808
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:704
      • C:\Windows\SysWOW64\PING.EXE
        ping -n 3 127.1
        3⤵
        • Runs ping.exe
        PID:4552
      • C:\Users\Admin\AppData\Local\icbasmyfv.exe
        C:\Users\Admin\AppData\Local\ICBASM~1.EXE -f
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:3392
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3392 -s 636
          4⤵
          • Program crash
          PID:4176
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3392 -s 800
          4⤵
          • Program crash
          PID:1032
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3392 -s 820
          4⤵
          • Program crash
          PID:2612
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3392 -s 804
          4⤵
          • Program crash
          PID:3608
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2808 -s 972
      2⤵
      • Program crash
      PID:4756
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2808 -ip 2808
    1⤵
      PID:4848
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 2808 -ip 2808
      1⤵
        PID:3180
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2808 -ip 2808
        1⤵
          PID:4020
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2808 -ip 2808
          1⤵
            PID:1920
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2808 -ip 2808
            1⤵
              PID:1448
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2808 -ip 2808
              1⤵
                PID:796
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2808 -ip 2808
                1⤵
                  PID:2260
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2808 -ip 2808
                  1⤵
                    PID:4508
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2808 -ip 2808
                    1⤵
                      PID:1116
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3392 -ip 3392
                      1⤵
                        PID:3520
                      • C:\Windows\SysWOW64\WerFault.exe
                        C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3392 -ip 3392
                        1⤵
                          PID:1920
                        • C:\Windows\SysWOW64\WerFault.exe
                          C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3392 -ip 3392
                          1⤵
                            PID:2532
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3232 --field-trial-handle=3408,i,16599691418790971742,134777455365707676,262144 --variations-seed-version /prefetch:8
                            1⤵
                              PID:1788
                            • C:\Windows\SysWOW64\WerFault.exe
                              C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3392 -ip 3392
                              1⤵
                                PID:2324

                              Network

                              • flag-us
                                DNS
                                41.110.16.96.in-addr.arpa
                                Remote address:
                                8.8.8.8:53
                                Request
                                41.110.16.96.in-addr.arpa
                                IN PTR
                                Response
                                41.110.16.96.in-addr.arpa
                                IN PTR
                                a96-16-110-41deploystaticakamaitechnologiescom
                              • flag-us
                                DNS
                                41.110.16.96.in-addr.arpa
                                Remote address:
                                8.8.8.8:53
                                Request
                                41.110.16.96.in-addr.arpa
                                IN PTR
                              • flag-us
                                DNS
                                68.32.126.40.in-addr.arpa
                                Remote address:
                                8.8.8.8:53
                                Request
                                68.32.126.40.in-addr.arpa
                                IN PTR
                                Response
                              • flag-us
                                DNS
                                43.58.199.20.in-addr.arpa
                                Remote address:
                                8.8.8.8:53
                                Request
                                43.58.199.20.in-addr.arpa
                                IN PTR
                                Response
                              • flag-us
                                DNS
                                241.154.82.20.in-addr.arpa
                                Remote address:
                                8.8.8.8:53
                                Request
                                241.154.82.20.in-addr.arpa
                                IN PTR
                                Response
                              • flag-us
                                DNS
                                241.154.82.20.in-addr.arpa
                                Remote address:
                                8.8.8.8:53
                                Request
                                241.154.82.20.in-addr.arpa
                                IN PTR
                              • flag-us
                                DNS
                                194.178.17.96.in-addr.arpa
                                Remote address:
                                8.8.8.8:53
                                Request
                                194.178.17.96.in-addr.arpa
                                IN PTR
                                Response
                                194.178.17.96.in-addr.arpa
                                IN PTR
                                a96-17-178-194deploystaticakamaitechnologiescom
                              • flag-us
                                DNS
                                29.243.111.52.in-addr.arpa
                                Remote address:
                                8.8.8.8:53
                                Request
                                29.243.111.52.in-addr.arpa
                                IN PTR
                                Response
                              • flag-us
                                DNS
                                91.16.208.104.in-addr.arpa
                                Remote address:
                                8.8.8.8:53
                                Request
                                91.16.208.104.in-addr.arpa
                                IN PTR
                                Response
                              • flag-us
                                DNS
                                91.16.208.104.in-addr.arpa
                                Remote address:
                                8.8.8.8:53
                                Request
                                91.16.208.104.in-addr.arpa
                                IN PTR
                              • 13.105.221.15:443
                                46 B
                                 40 B
                                 1
                                1
                              • 142.251.36.42:443
                                46 B
                                 40 B
                                 1
                                1
                              • 8.8.8.8:53
                                41.110.16.96.in-addr.arpa
                                dns
                                142 B
                                 135 B
                                 2
                                1

                                DNS Request

                                41.110.16.96.in-addr.arpa

                                DNS Request

                                41.110.16.96.in-addr.arpa

                              • 8.8.8.8:53
                                68.32.126.40.in-addr.arpa
                                dns
                                71 B
                                 157 B
                                 1
                                1

                                DNS Request

                                68.32.126.40.in-addr.arpa

                              • 8.8.8.8:53
                                43.58.199.20.in-addr.arpa
                                dns
                                71 B
                                 157 B
                                 1
                                1

                                DNS Request

                                43.58.199.20.in-addr.arpa

                              • 8.8.8.8:53
                                241.154.82.20.in-addr.arpa
                                dns
                                144 B
                                 158 B
                                 2
                                1

                                DNS Request

                                241.154.82.20.in-addr.arpa

                                DNS Request

                                241.154.82.20.in-addr.arpa

                              • 8.8.8.8:53
                                194.178.17.96.in-addr.arpa
                                dns
                                72 B
                                 137 B
                                 1
                                1

                                DNS Request

                                194.178.17.96.in-addr.arpa

                              • 8.8.8.8:53
                                29.243.111.52.in-addr.arpa
                                dns
                                72 B
                                 158 B
                                 1
                                1

                                DNS Request

                                29.243.111.52.in-addr.arpa

                              • 8.8.8.8:53
                                91.16.208.104.in-addr.arpa
                                dns
                                144 B
                                 146 B
                                 2
                                1

                                DNS Request

                                91.16.208.104.in-addr.arpa

                                DNS Request

                                91.16.208.104.in-addr.arpa

                              MITRE ATT&CK Enterprise v15

                              Replay Monitor

                              Loading Replay Monitor...

                              Downloads

                              • C:\Users\Admin\AppData\Local\icbasmyfv.exe
                                Filesize

                                380KB

                                MD5

                                d779c777a29f9250ff00ecbdc765c4c4

                                SHA1

                                8dfec79231cc8dcd8d310aac935eb00f396a2a35

                                SHA256

                                ecd638f701bf62044f91a3179b4f1381c1195e053e976cdc29b4a89d625f30dd

                                SHA512

                                b89889227782aec04df8080f2afb7aac3ab6badd1eb8c572df1f12503cc17f6cf931da403e878ac5b8f85daf54ed958952d614fdfe4f1162d51c51540da7fea4

                                Download Submit

                              • memory/2808-9-0x0000000000D80000-0x0000000000DC2000-memory.dmp

                                Filesize

                                264KB

                                Download

                              • memory/2808-1-0x0000000000D80000-0x0000000000DC2000-memory.dmp

                                Filesize

                                264KB

                                Download

                              • memory/2808-3-0x0000000001000000-0x000000000109D000-memory.dmp

                                Filesize

                                628KB

                                Download

                              • memory/2808-4-0x0000000001000000-0x000000000109D000-memory.dmp

                                Filesize

                                628KB

                                Download

                              • memory/2808-5-0x0000000000E10000-0x0000000000E12000-memory.dmp

                                Filesize

                                8KB

                                Download

                              • memory/2808-6-0x0000000001000000-0x000000000109D000-memory.dmp

                                Filesize

                                628KB

                                Download

                              • memory/2808-8-0x0000000001000000-0x000000000109D000-memory.dmp

                                Filesize

                                628KB

                                Download

                              • memory/2808-0-0x0000000001000000-0x000000000109D000-memory.dmp

                                Filesize

                                628KB

                                Download

                              • memory/2808-2-0x00000000006D0000-0x00000000006D1000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/3392-14-0x0000000001000000-0x000000000109D000-memory.dmp

                                Filesize

                                628KB

                                Download

                              • memory/3392-16-0x0000000000CC0000-0x0000000000CC1000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/3392-18-0x0000000000D90000-0x0000000000E2D000-memory.dmp

                                Filesize

                                628KB

                                Download

                              • memory/3392-15-0x0000000000CE0000-0x0000000000CE2000-memory.dmp

                                Filesize

                                8KB

                                Download

                              • memory/3392-13-0x0000000000520000-0x0000000000562000-memory.dmp

                                Filesize

                                264KB

                                Download

                              • memory/3392-19-0x0000000001000000-0x000000000109D000-memory.dmp

                                Filesize

                                628KB

                                Download

                              • memory/3392-21-0x0000000000520000-0x0000000000562000-memory.dmp

                                Filesize

                                264KB

                                Download

                              • memory/3392-24-0x0000000000CC0000-0x0000000000CC1000-memory.dmp

                                Filesize

                                4KB

                                Download

                              We care about your privacy.

                              This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.