Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
92s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
01/07/2024, 16:05
Static task
static1
Behavioral task
behavioral1
Sample
f310dd81d3c2274dc41b3799af4957d9c84cd614a0917d80f197e84a2bd8753d.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
f310dd81d3c2274dc41b3799af4957d9c84cd614a0917d80f197e84a2bd8753d.exe
Resource
win10v2004-20240508-en
General
-
Target
f310dd81d3c2274dc41b3799af4957d9c84cd614a0917d80f197e84a2bd8753d.exe
-
Size
1.2MB
-
MD5
9555aa1cba77c0332e4bcf39ea18a930
-
SHA1
0679fa343ecb23b46d69f5f4f61002889e7ca0c4
-
SHA256
a0696896c6b3f84b2d710b79ead538740b4ff55169a18699e96713418d8e3625
-
SHA512
8729ccb561044645799d4ae4f412a2b096ea8934c0b3b3cbed215385fb8f9437bad6c334e70ddbbde05047ac30781dd3a8eb98f4f540404c8591d94da48d4aa7
-
SSDEEP
24576:xAHnh+eWsN3skA4RV1Hom2KXcmtcVaeJNFDie74NNdg9tj5:Ih+ZkldoPKsacVtDiY4Nzg9X
Malware Config
Signatures
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral2/memory/1760-0-0x0000000000B20000-0x0000000000C50000-memory.dmp autoit_exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1760 set thread context of 2960 1760 f310dd81d3c2274dc41b3799af4957d9c84cd614a0917d80f197e84a2bd8753d.exe 81 -
Program crash 1 IoCs
pid pid_target Process procid_target 888 2960 WerFault.exe 81 -
Suspicious behavior: MapViewOfSection 2 IoCs
pid Process 1760 f310dd81d3c2274dc41b3799af4957d9c84cd614a0917d80f197e84a2bd8753d.exe 1760 f310dd81d3c2274dc41b3799af4957d9c84cd614a0917d80f197e84a2bd8753d.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 1760 f310dd81d3c2274dc41b3799af4957d9c84cd614a0917d80f197e84a2bd8753d.exe 1760 f310dd81d3c2274dc41b3799af4957d9c84cd614a0917d80f197e84a2bd8753d.exe -
Suspicious use of SendNotifyMessage 2 IoCs
pid Process 1760 f310dd81d3c2274dc41b3799af4957d9c84cd614a0917d80f197e84a2bd8753d.exe 1760 f310dd81d3c2274dc41b3799af4957d9c84cd614a0917d80f197e84a2bd8753d.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 1760 wrote to memory of 2960 1760 f310dd81d3c2274dc41b3799af4957d9c84cd614a0917d80f197e84a2bd8753d.exe 81 PID 1760 wrote to memory of 2960 1760 f310dd81d3c2274dc41b3799af4957d9c84cd614a0917d80f197e84a2bd8753d.exe 81 PID 1760 wrote to memory of 2960 1760 f310dd81d3c2274dc41b3799af4957d9c84cd614a0917d80f197e84a2bd8753d.exe 81 PID 1760 wrote to memory of 2960 1760 f310dd81d3c2274dc41b3799af4957d9c84cd614a0917d80f197e84a2bd8753d.exe 81
Processes
-
C:\Users\Admin\AppData\Local\Temp\f310dd81d3c2274dc41b3799af4957d9c84cd614a0917d80f197e84a2bd8753d.exe"C:\Users\Admin\AppData\Local\Temp\f310dd81d3c2274dc41b3799af4957d9c84cd614a0917d80f197e84a2bd8753d.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1760 -
C:\Windows\SysWOW64\svchost.exe"C:\Users\Admin\AppData\Local\Temp\f310dd81d3c2274dc41b3799af4957d9c84cd614a0917d80f197e84a2bd8753d.exe"2⤵PID:2960
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2960 -s 1923⤵
- Program crash
PID:888
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 2960 -ip 29601⤵PID:1280
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
267KB
MD5c1c78127a9ec11cc46379a5e6d35e398
SHA17635a64b44e9a2764024992628449c1b1acf0e62
SHA2566b24876b6737a1347c0e46c948e14d65f69f42fe90d303353f2dc68a28b6b031
SHA5122cdea68d9f8c6be369f3a1f3c028989ac604bd95f4b58422dbfff128d13c2832b5395cc3026b4fb0535df7d95684bc9d14e637b705827f856cc7bbc6b8f479d3