Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 119s
max time network: 120s
platform: windows7_x64
resource: win7-20240419-en
resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
submitted: 03/06/2024, 05:07
Static task: static1
Behavioral task: behavioral1
  Sample: eab89a0913e5808dbf53be1de71db896f617c4238b4baa95941fef090ac765be.exe
  Resource: win7-20240419-en
Behavioral task: behavioral2
  Sample: eab89a0913e5808dbf53be1de71db896f617c4238b4baa95941fef090ac765be.exe
  Resource: win10v2004-20240508-en
General
Target: eab89a0913e5808dbf53be1de71db896f617c4238b4baa95941fef090ac765be.exe
Size: 6.0MB
MD5: 0fb3ae0390e1b3d5d6358efae6e05f79
SHA1: c151bbb8038a0c0f18ee471df262695a99ab9130
SHA256: eab89a0913e5808dbf53be1de71db896f617c4238b4baa95941fef090ac765be
SHA512: a189e09b796bad7214d35a44f1b296a5d6baebf989cc299fd824166d63379ea4ef3babf85c988e092d5452d71fae4d09495f4304e298443a0d9c4f74632b6e4c
SSDEEP: 98304:ITd4StTO/3oFMPaRatFzjKo93LU+cqT/yEBv8B4rYfvtZNTzDByf18:IR4FgMPaR4ljKo9wjqT/yom4r6FzcfC
Malware Config
Signatures
Executes dropped EXE (2 IoCs)
  pid   Process
  2740  wmpscfgs.exe
  2380  wmpscfgs.exe

Loads dropped DLL (12 IoCs)
  pid   Process
  1728  eab89a0913e5808dbf53be1de71db896f617c4238b4baa95941fef090ac765be.exe   (4 rows)
  2824  WerFault.exe   (4 rows)
  2812  WerFault.exe   (4 rows)

Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Adobe_Reader = "c:\\users\\admin\\appdata\\local\\temp\\\\wmpscfgs.exe"
  Process: eab89a0913e5808dbf53be1de71db896f617c4238b4baa95941fef090ac765be.exe
  Note: this is the machine-wide HKLM Run key, seen through the Wow6432Node view (consistent with a 32-bit process on a 64-bit image). The value name imitates a vendor product while the target is an executable in the user's Temp directory; the doubled backslash before wmpscfgs.exe is part of the stored value.

Drops file in Program Files directory (4 IoCs)
  description   ioc                                                                  Process
  File created  \??\c:\program files (x86)\microsoft office\office14\bcssync.exe      eab89a0913e5808dbf53be1de71db896f617c4238b4baa95941fef090ac765be.exe
  File created  \??\c:\program files (x86)\adobe\acrotray .exe                        eab89a0913e5808dbf53be1de71db896f617c4238b4baa95941fef090ac765be.exe
  File created  \??\c:\program files (x86)\adobe\acrotray.exe                         eab89a0913e5808dbf53be1de71db896f617c4238b4baa95941fef090ac765be.exe
  File created  \??\c:\program files (x86)\internet explorer\wmpscfgs.exe             eab89a0913e5808dbf53be1de71db896f617c4238b4baa95941fef090ac765be.exe
  Note: "acrotray .exe" (space before the extension) and "acrotray.exe" are two distinct files. All four names imitate legitimate Adobe and Microsoft binaries, written by a process running from the user's Temp directory rather than by an installer.

Program crash (2 IoCs)
  pid   pid_target  Process       procid_target
  2824  2740        WerFault.exe  29
  2812  2380        WerFault.exe  28
  Note: both launched copies of wmpscfgs.exe (PIDs 2740 and 2380) faulted and were handled by the 32-bit WerFault.exe from SysWOW64.

Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid   Process
  1728  eab89a0913e5808dbf53be1de71db896f617c4238b4baa95941fef090ac765be.exe   (2 rows)
  2740  wmpscfgs.exe
  2380  wmpscfgs.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description            pid   Process
  Token: SeDebugPrivilege  1728  eab89a0913e5808dbf53be1de71db896f617c4238b4baa95941fef090ac765be.exe

Suspicious use of WriteProcessMemory (16 IoCs)
  description                          pid   Process                                                                 procid_target
  PID 1728 wrote to memory of 2380     1728  eab89a0913e5808dbf53be1de71db896f617c4238b4baa95941fef090ac765be.exe   28   (4 rows)
  PID 1728 wrote to memory of 2740     1728  eab89a0913e5808dbf53be1de71db896f617c4238b4baa95941fef090ac765be.exe   29   (4 rows)
  PID 2740 wrote to memory of 2824     2740  wmpscfgs.exe                                                            30   (4 rows)
  PID 2380 wrote to memory of 2812     2380  wmpscfgs.exe                                                            31   (4 rows)
  Note: the sandbox records one row per observed call, so the 16 IoCs describe four parent-to-child relationships, which match the process tree below.
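The Run-key and Program Files IoCs above can be turned directly into host-side detection checks. The following is an added example, not sandbox output and not tria.ge's signature logic: the event records are constructed from the report's "Adds Run key" and "Drops file in Program Files directory" rows (plus one constructed benign Run value as a control), and the heuristics (autostart target under a user's AppData, vendor-named Run value whose target never mentions that vendor, whitespace padded before an .exe extension, an .exe written into Program Files by a process that itself runs from AppData) are this example's own assumptions.

```python
"""Evaluate this report's persistence and file-drop IoCs as detection checks.

Added example. Event records are constructed from the report's Signature rows;
the heuristics below are assumptions of this example, not tria.ge's rules.
"""
from __future__ import annotations

import ntpath
import re

RUN_KEY_RE = re.compile(r"\\microsoft\\windows\\currentversion\\run(once)?$", re.I)
APPDATA_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\", re.I)
VENDOR_WORDS = ("adobe", "microsoft", "office", "google")

SAMPLE = r"c:\users\admin\appdata\local\temp\eab89a0913e5808dbf53be1de71db896f617c4238b4baa95941fef090ac765be.exe"

RUN_EVENTS = [
    {   # copied from the report's Run-key IoC (value data shown unescaped)
        "key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run",
        "name": "Adobe_Reader",
        "data": r"c:\users\admin\appdata\local\temp\\wmpscfgs.exe",
        "process": SAMPLE,
    },
    {   # constructed benign control: vendor-named value pointing into that vendor's install dir
        "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
        "name": "Adobe Reader Speed Launcher",
        "data": r"C:\Program Files (x86)\Adobe\Reader\reader_sl.exe",
        "process": r"c:\windows\system32\msiexec.exe",
    },
]
FILE_EVENTS = [  # (created path, creating process), copied from the report's file-drop rows
    (r"\??\c:\program files (x86)\microsoft office\office14\bcssync.exe", SAMPLE),
    (r"\??\c:\program files (x86)\adobe\acrotray .exe", SAMPLE),
    (r"\??\c:\program files (x86)\adobe\acrotray.exe", SAMPLE),
    (r"\??\c:\program files (x86)\internet explorer\wmpscfgs.exe", SAMPLE),
]


def normalize_path(raw: str) -> str:
    """Strip the NT \\??\\ prefix and quotes, collapse doubled backslashes, lowercase."""
    p = raw.strip().strip('"')
    if p.startswith("\\??\\"):
        p = p[4:]
    while "\\\\" in p:
        p = p.replace("\\\\", "\\")
    return p.lower()


def check_run_value(ev: dict) -> list[str]:
    """Findings for one registry SetValue event; empty unless the key is Run/RunOnce."""
    findings: list[str] = []
    if not RUN_KEY_RE.search(ev["key"]):
        return findings
    target = normalize_path(ev["data"])
    if APPDATA_RE.match(target):
        findings.append(f"autostart target under user AppData: {target}")
    vendor = next((w for w in VENDOR_WORDS if w in ev["name"].lower()), None)
    if vendor and vendor not in target:
        findings.append(f"value named after {vendor!r} but target path never mentions it")
    if APPDATA_RE.match(normalize_path(ev["process"])):
        findings.append("Run value written by a process itself running from AppData")
    return findings


def check_dropped_file(raw_path: str, creator: str) -> list[str]:
    """Findings for one file-create event; only .exe targets are examined."""
    findings: list[str] = []
    path = normalize_path(raw_path)
    base = ntpath.basename(path)
    stem, ext = ntpath.splitext(base)
    if ext != ".exe":
        return findings
    if stem != stem.rstrip():  # "acrotray .exe": padding hides the duplicate name
        findings.append(f"whitespace padded before extension: {base!r}")
    under_pf = path.startswith(("c:\\program files\\", "c:\\program files (x86)\\"))
    if under_pf and APPDATA_RE.match(normalize_path(creator)):
        findings.append(f".exe written into Program Files by a process running from AppData: {base}")
    return findings


def triage(run_events=RUN_EVENTS, file_events=FILE_EVENTS) -> dict[str, list[str]]:
    """Map each event that produced findings to its list of findings."""
    report: dict[str, list[str]] = {}
    for ev in run_events:
        if found := check_run_value(ev):
            report[f"run:{ev['name']}"] = found
    for raw, creator in file_events:
        if found := check_dropped_file(raw, creator):
            report[f"file:{ntpath.basename(normalize_path(raw))}"] = found
    return report


if __name__ == "__main__":
    for key, found in triage().items():
        print(key)
        for line in found:
            print("  -", line)
```

On the report's events this flags the Adobe_Reader Run value three times (AppData target, vendor mismatch, AppData writer) and all four dropped executables, with the padded "acrotray .exe" picking up an extra finding; the constructed benign control produces nothing. The same checks apply unchanged to Sysmon event ID 13 (registry value set) and event ID 11 (file create) records once their fields are mapped onto the dictionaries above.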
Processes
[1] C:\Users\Admin\AppData\Local\Temp\eab89a0913e5808dbf53be1de71db896f617c4238b4baa95941fef090ac765be.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\eab89a0913e5808dbf53be1de71db896f617c4238b4baa95941fef090ac765be.exe"
    PID 1728
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  [2] \??\c:\users\admin\appdata\local\temp\wmpscfgs.exe
      command line: c:\users\admin\appdata\local\temp\\wmpscfgs.exe
      PID 2380
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2380 -s 88
        PID 2812
        - Loads dropped DLL
        - Program crash
  [2] C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
      command line: C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
      PID 2740
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2740 -s 88
        PID 2824
        - Loads dropped DLL
        - Program crash
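The process tree above can be rebuilt from the Signature rows alone, which is useful when scraping many reports. This is an added example, not part of the tria.ge report: WPM_ROWS and CRASH_ROWS reproduce the "Suspicious use of WriteProcessMemory" and "Program crash" rows (each WriteProcessMemory row repeated four times, as on the page), and treating the trailing procid_target column as the sandbox's own process index rather than an OS PID is an assumption based on its small values.

```python
"""Rebuild the parent/child process tree from the report's WriteProcessMemory rows.

Added example. Rows are reproduced from the Signature tables above; the sandbox
emits one row per observed call, so 16 rows describe only four edges.
"""
from __future__ import annotations

import re
from collections import defaultdict

SAMPLE = "eab89a0913e5808dbf53be1de71db896f617c4238b4baa95941fef090ac765be.exe"

# "description pid Process procid_target" rows, each seen four times in the report
WPM_ROWS = "\n".join(
    [f"PID 1728 wrote to memory of 2380 1728 {SAMPLE} 28"] * 4
    + [f"PID 1728 wrote to memory of 2740 1728 {SAMPLE} 29"] * 4
    + ["PID 2740 wrote to memory of 2824 2740 wmpscfgs.exe 30"] * 4
    + ["PID 2380 wrote to memory of 2812 2380 wmpscfgs.exe 31"] * 4
)
# "pid pid_target Process procid_target" rows from the Program crash signature
CRASH_ROWS = """\
2824 2740 WerFault.exe 29
2812 2380 WerFault.exe 28
"""

WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)")
CRASH_RE = re.compile(r"(\d+) (\d+) (\S+) (\d+)")


def parse_rows(text: str, pattern: re.Pattern) -> list[tuple[str, ...]]:
    """Capture groups of every line that fully matches pattern (other lines are skipped)."""
    return [m.groups() for line in text.splitlines() if (m := pattern.fullmatch(line.strip()))]


def build_tree(wpm_text: str = WPM_ROWS, crash_text: str = CRASH_ROWS):
    """Return (names, children, crashed, edge_counts) derived from the rows."""
    names: dict[int, str] = {}
    edge_counts: dict[tuple[int, int], int] = defaultdict(int)
    for src, dst, pid, proc, _idx in parse_rows(wpm_text, WPM_RE):
        names[int(pid)] = proc              # the writer is named in its own row
        edge_counts[(int(src), int(dst))] += 1
    children: dict[int, list[int]] = defaultdict(list)
    for parent, child in edge_counts:       # dict order == first observation order
        children[parent].append(child)
    crashed: dict[int, int] = {}            # crashed pid -> WerFault pid that handled it
    for wer_pid, target, proc, _idx in parse_rows(crash_text, CRASH_RE):
        names[int(wer_pid)] = proc
        crashed[int(target)] = int(wer_pid)
    return names, dict(children), crashed, dict(edge_counts)


def roots(children: dict[int, list[int]]) -> list[int]:
    """Pids that appear as a parent but never as a child."""
    all_children = {c for cs in children.values() for c in cs}
    return [p for p in children if p not in all_children]


def render(names, children, crashed, pid: int, depth: int = 0, out=None) -> list[str]:
    """Indented one-line-per-process view, marking processes WerFault handled."""
    out = [] if out is None else out
    note = f"  [crashed; WerFault pid {crashed[pid]}]" if pid in crashed else ""
    out.append("  " * depth + f"{pid} {names.get(pid, '?')}{note}")
    for child in children.get(pid, []):
        render(names, children, crashed, child, depth + 1, out)
    return out


if __name__ == "__main__":
    names, children, crashed, edge_counts = build_tree()
    for root in roots(children):
        print("\n".join(render(names, children, crashed, root)))
    print(f"{sum(edge_counts.values())} rows -> {len(edge_counts)} edges")
```

The rendered tree has five lines with 1728 as the single root and both wmpscfgs.exe children marked as crashed, matching the Processes section; the edge counts show each pair was observed four times.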
Network
MITRE ATT&CK Enterprise v15
Downloads
Download 1
  Filesize: 6.0MB
  MD5: 3a7c4f50ac6b9a6e068d4027c1c01bcf
  SHA1: 7101750d25a06dee2dc9f6acadee7ee94a8ae4aa
  SHA256: 560ed83cdc04c8b6e6dcd468f81c3576f4d24c7bcb6bfe31328aab3f6bee91c0
  SHA512: f0a7b6559aa74f71500045ef742cc4dbb8057bca264bbeb599def9035328d772082a90fd036d6b4f5c8cd9691f95b2de5d980b350bd449a1e134d0af2dfd3dd3
Download 2
  Filesize: 6.0MB
  MD5: 3b5a31b20d94b2292b1227ed4de902e4
  SHA1: 055b0896c51e94d2e7f5cd0ca181bab42778d12e
  SHA256: 52438b29ebae01cb11c6578fc3d0c00599b14490a7f5f155bd839ef5722a62e8
  SHA512: d92e6b22c8adca04d8bb446e3659e70fa000147250c028c8c3842bc4fc9b206fe35f1364fdfc6880f6989db2cffe407fa755db2bb52770b8c7c9aa9b178aa85b