Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
91s -
max time network
98s -
platform
windows10-2004_x64 -
resource
win10v2004-20240704-en -
resource tags
arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system -
submitted
08/07/2024, 05:08
Static task
static1
Behavioral task
behavioral1
Sample
dad907fbf382325926fd527538a2bfd2ab8da73e0233bdd0d892bdfba4f1ebd1.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
dad907fbf382325926fd527538a2bfd2ab8da73e0233bdd0d892bdfba4f1ebd1.exe
Resource
win10v2004-20240704-en
General
-
Target
dad907fbf382325926fd527538a2bfd2ab8da73e0233bdd0d892bdfba4f1ebd1.exe
-
Size
384KB
-
MD5
6615db16d23a9f03855084465518a8bb
-
SHA1
4076bb32a0f2388b79298ab7da9796dda301dbe8
-
SHA256
dad907fbf382325926fd527538a2bfd2ab8da73e0233bdd0d892bdfba4f1ebd1
-
SHA512
edef05624db13b2dbbdecd0c5857a5c53c18bcdb63d555caa684388d5ef2cff3429ba2a312c121f128a4bb8d26fd36406e0bf4547a5fc92ec128c09dac755d90
-
SSDEEP
12288:w64Ja/GE6goTVtdW/sEzrWtHOw0iFauY/B/dc:8JIGlVtdW/sEzrWtHOw0iFauY/B/dc
Malware Config
Signatures
-
Deletes itself 1 IoCs
pid Process 2248 dad907fbf382325926fd527538a2bfd2ab8da73e0233bdd0d892bdfba4f1ebd1.exe -
Executes dropped EXE 1 IoCs
pid Process 2248 dad907fbf382325926fd527538a2bfd2ab8da73e0233bdd0d892bdfba4f1ebd1.exe -
Program crash 2 IoCs
pid pid_target Process procid_target 3184 4472 WerFault.exe 81 1908 2248 WerFault.exe 89 -
Suspicious behavior: RenamesItself 1 IoCs
pid Process 4472 dad907fbf382325926fd527538a2bfd2ab8da73e0233bdd0d892bdfba4f1ebd1.exe -
Suspicious use of UnmapMainImage 1 IoCs
pid Process 2248 dad907fbf382325926fd527538a2bfd2ab8da73e0233bdd0d892bdfba4f1ebd1.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 4472 wrote to memory of 2248 4472 dad907fbf382325926fd527538a2bfd2ab8da73e0233bdd0d892bdfba4f1ebd1.exe 89 PID 4472 wrote to memory of 2248 4472 dad907fbf382325926fd527538a2bfd2ab8da73e0233bdd0d892bdfba4f1ebd1.exe 89 PID 4472 wrote to memory of 2248 4472 dad907fbf382325926fd527538a2bfd2ab8da73e0233bdd0d892bdfba4f1ebd1.exe 89
Processes
-
C:\Users\Admin\AppData\Local\Temp\dad907fbf382325926fd527538a2bfd2ab8da73e0233bdd0d892bdfba4f1ebd1.exe"C:\Users\Admin\AppData\Local\Temp\dad907fbf382325926fd527538a2bfd2ab8da73e0233bdd0d892bdfba4f1ebd1.exe"1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:4472 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4472 -s 3962⤵
- Program crash
PID:3184
-
-
C:\Users\Admin\AppData\Local\Temp\dad907fbf382325926fd527538a2bfd2ab8da73e0233bdd0d892bdfba4f1ebd1.exeC:\Users\Admin\AppData\Local\Temp\dad907fbf382325926fd527538a2bfd2ab8da73e0233bdd0d892bdfba4f1ebd1.exe2⤵
- Deletes itself
- Executes dropped EXE
- Suspicious use of UnmapMainImage
PID:2248 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2248 -s 3643⤵
- Program crash
PID:1908
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4472 -ip 44721⤵PID:4556
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2248 -ip 22481⤵PID:4752
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\dad907fbf382325926fd527538a2bfd2ab8da73e0233bdd0d892bdfba4f1ebd1.exe
Filesize384KB
MD5dfc960767a7a514ce8f10be8ebe1fcd5
SHA16e312632ddf30d0636e190561ddb10d784b310f4
SHA25653a2920419d0617a372e323de8f872ce18da2aec7fe01e77c45295388bce749f
SHA5129fe7e8c9bf7fffb795a1b45aed0d2a71a4d8896d8f3b7fe824175dc5ab6f0f2291fe95d40069799a110719d2c07bba19753baf787fb07ce03c32858683f3813b