Analysis
- max time kernel: 148s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20240709-en locale:en-us os:windows10-2004-x64 system
- submitted: 22/07/2024, 13:48
Static task: static1
Behavioral task: behavioral1
- Sample: NFQ24-0420(R1).exe
- Resource: win7-20240708-en
Behavioral task: behavioral2
- Sample: NFQ24-0420(R1).exe
- Resource: win10v2004-20240709-en
Behavioral task: behavioral3
- Sample: cafeteaterets.dot
- Resource: win7-20240704-en
Behavioral task: behavioral4
- Sample: cafeteaterets.dot
- Resource: win10v2004-20240709-en
General
- Target: NFQ24-0420(R1).exe
- Size: 422KB
- MD5: 72f5d261c15af3b18c99b7121956e358
- SHA1: a3c152f7be3f808afec47c1b7a904e41fd399be0
- SHA256: 5c48fc65228bbeca2ecfebfbe9cb28e5edec4c54c4f0d4adb982d7773752bd78
- SHA512: d126abc88ad7ba131de9b86b07dec2b5d516fe439705e23c725dc40add0d9d4399f8cc826795ee0fa1d702174100ab783fa6c462e13b5bc7ee68fa14e89fed51
- SSDEEP: 12288:R0gxaoHhKpbm9nGm+6kwLyzPlFjwaFEs5KidrpHN8G:raeIsR2FjXxK8rb8G
Malware Config
Signatures
- Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)
  Runs PowerShell with a hidden display window.
  pid 3328 powershell.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoC)
  pid 2240 WerFault.exe, pid_target 3328 (procid_target 89)
- Suspicious behavior: EnumeratesProcesses (9 IoCs)
  pid 3328 powershell.exe (9 occurrences)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, pid 3328 powershell.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  PID 3236 NFQ24-0420(R1).exe wrote to memory of PID 3328 (procid_target 89), 3 occurrences
Processes
- C:\Users\Admin\AppData\Local\Temp\NFQ24-0420(R1).exe
  "C:\Users\Admin\AppData\Local\Temp\NFQ24-0420(R1).exe"
  PID: 3236
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -windowstyle hidden "$Overflytternes=Get-Content 'C:\Users\Admin\AppData\Local\samplings\Fouriertransformeredes152\magmaens\Navet.Omi';$Std=$Overflytternes.SubString(4496,3);.$Std($Overflytternes)
    PID: 3328
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3328 -s 2596
      PID: 2240
      - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 3328 -ip 3328
  PID: 3060
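The PowerShell command line in the process tree above never names the command it runs: it reads a data file into a variable, carves a three-character substring out of that variable at a fixed offset (4496), and invokes the carved string as a command with the whole blob as its argument, all under -windowstyle hidden. The Python below is an added detection example, not code from the Triage report, that flags exactly that data flow in process-creation telemetry. The (image, command line) tuples are constructed here: the first reproduces the command line recorded in this report, the others are made-up controls; the regexes and the 4-character name cap are my assumptions.

```python
"""Flag the PowerShell loader pattern from the process tree above:
read a file into a variable, carve a tiny substring out of it at a fixed
offset, and invoke that substring as a command with the whole blob as the
argument. Added example; not code from the Triage report.
"""
import re

# Each regex captures one piece of the pattern. Variable names such as
# $Overflytternes/$Std change between samples, so the check keys on how the
# variables chain together, not on their names.
RE_HIDDEN = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
RE_GET_CONTENT = re.compile(r"\$(\w+)\s*=\s*Get-Content\s+'([^']+)'", re.I)
RE_SUBSTRING = re.compile(
    r"\$(\w+)\s*=\s*\$(\w+)\.SubString\((\d+)\s*,\s*(\d+)\)", re.I)
# Dot-source or call operator applied to a variable: .$x($y) / &$x($y)
RE_INVOKE = re.compile(r"[.&]\s*\$(\w+)\s*\(\s*\$(\w+)\s*\)")

# Assumption: a command name carved this way is a few characters long; longer
# substrings are far more likely to be ordinary string handling.
MAX_CARVED_NAME = 4


def analyze_cmdline(cmdline):
    """Return a finding dict when the loader pattern is present, else None."""
    m_gc = RE_GET_CONTENT.search(cmdline)
    m_ss = RE_SUBSTRING.search(cmdline)
    m_iv = RE_INVOKE.search(cmdline)
    if not (m_gc and m_ss and m_iv):
        return None
    blob_var, path = m_gc.group(1), m_gc.group(2)
    name_var, src_var = m_ss.group(1), m_ss.group(2)
    offset, length = int(m_ss.group(3)), int(m_ss.group(4))
    inv_name, inv_arg = m_iv.group(1), m_iv.group(2)
    # Require the data flow file -> blob -> substring -> invoked name, with the
    # blob itself handed to the carved command.
    if src_var != blob_var or inv_name != name_var or inv_arg != blob_var:
        return None
    if length > MAX_CARVED_NAME:
        return None
    return {
        "hidden_window": bool(RE_HIDDEN.search(cmdline)),
        "blob_path": path,
        "carve_offset": offset,
        "carve_length": length,
    }


def scan_events(events):
    """events: iterable of (image, cmdline). Returns [(image, finding), ...]."""
    hits = []
    for image, cmdline in events:
        if not image.lower().endswith("powershell.exe"):
            continue
        finding = analyze_cmdline(cmdline)
        if finding is not None:
            hits.append((image, finding))
    return hits


# Constructed process-creation events (image, command line). Only the first
# reproduces the command line recorded in the report; the others are made-up
# controls that exercise the near-miss branches.
SAMPLE_EVENTS = [
    (r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     r'''"powershell.exe" -windowstyle hidden "$Overflytternes=Get-Content 'C:\Users\Admin\AppData\Local\samplings\Fouriertransformeredes152\magmaens\Navet.Omi';$Std=$Overflytternes.SubString(4496,3);.$Std($Overflytternes)'''),
    # benign: Get-Content + SubString, but nothing is invoked
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r'''"powershell.exe" -NoProfile "$c=Get-Content 'C:\logs\app.log';$h=$c.SubString(0,3);Write-Output $h"'''),
    # near miss: invoke present, but the substring comes from another variable
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r'''"powershell.exe" "$a=Get-Content 'C:\x\y.txt';$b=$other.SubString(10,3);.$b($a)"'''),
    # not PowerShell at all
    (r"C:\Windows\System32\cmd.exe", r"cmd.exe /c dir"),
]

if __name__ == "__main__":
    for image, finding in scan_events(SAMPLE_EVENTS):
        print(image, finding)
```

Running the block prints one hit, for the report's command line, with the blob path, offset 4496, length 3 and hidden_window set. Keying on the variable chain rather than on the literal names is what keeps the rule useful when the next sample renames $Overflytternes and moves the blob elsewhere under AppData\Local.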
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- Filesize: 68KB
  MD5: 2d5d8871b19f23d9e6defc1b5f30320c
  SHA1: bd991d0b8e746c566e155328f4355e9c6b8ccb95
  SHA256: d7bad07ee7791c8309be96b4e12f51a5bc4f88e4e9e3cf145548be9e5a8ad9ef
  SHA512: 5a79a7bc4c91014130688b544e3f50c8ee9c742987c1648b4eacc9ede7016b392d1bc2362aff54b1da7d7b54a0f2420d5929d7b6863b2b19cbd8d7fa92874959