Analysis
  max time kernel:  120s
  max time network: 139s
  platform:         windows10-2004_x64
  resource:         win10v2004-20240709-en
  resource tags:    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  submitted:        22/07/2024, 14:07
Static task
  static1

Behavioral task
  behavioral1
    Sample:   dscomprovante.exe
    Resource: win7-20240708-en

Behavioral task
  behavioral2
    Sample:   dscomprovante.exe
    Resource: win10v2004-20240709-en
General
  Target: dscomprovante.exe
  Size:   54KB
  MD5:    19186a7f0b1ef0e9f3bae129c17826cc
  SHA1:   dcdc63d1c2aa295616d355b55ac4827513bcadae
  SHA256: beac1d50834328f098a2b051240923ac4652f5a75596d8ad537fa3ff5d45c8e1
  SHA512: 00414d01810015af66f54cacb21fc4b4f1c86f8328c1233484f304a7bbacd0fd029ea58b474effe3c861ccaa2f4edbaa04f4bc88222905f015782a230ee135e7
  SSDEEP: 1536:Y1qTXQOp6eGSC9ygcKrqnsFBjjsY7MZn1Q1Bx:dzp6euZcKusDjjsAMZn1Qx
Malware Config
Signatures

Executes dropped EXE (1 IoC)
  pid   Process
  2016  crfrs.exe

Suspicious use of WriteProcessMemory (15 IoCs)
  description                          pid   Process            procid_target
  PID 1932 wrote to memory of 1840     1932  dscomprovante.exe  84
  PID 1932 wrote to memory of 1840     1932  dscomprovante.exe  84
  PID 1932 wrote to memory of 1840     1932  dscomprovante.exe  84
  PID 1932 wrote to memory of 3260     1932  dscomprovante.exe  89
  PID 1932 wrote to memory of 3260     1932  dscomprovante.exe  89
  PID 1932 wrote to memory of 3260     1932  dscomprovante.exe  89
  PID 3260 wrote to memory of 2016     3260  CMD.exe            91
  PID 3260 wrote to memory of 2016     3260  CMD.exe            91
  PID 3260 wrote to memory of 2016     3260  CMD.exe            91
  PID 2016 wrote to memory of 2704     2016  crfrs.exe          92
  PID 2016 wrote to memory of 2704     2016  crfrs.exe          92
  PID 2016 wrote to memory of 2704     2016  crfrs.exe          92
  PID 2016 wrote to memory of 2412     2016  crfrs.exe          94
  PID 2016 wrote to memory of 2412     2016  crfrs.exe          94
  PID 2016 wrote to memory of 2412     2016  crfrs.exe          94
Processes (process tree; indentation shows parent/child depth)

C:\Users\Admin\AppData\Local\Temp\dscomprovante.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\dscomprovante.exe"
  PID: 1932
  Signatures: Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\CMD.exe
    Command line: CMD /C Copy C:\Users\Admin\AppData\Local\Temp\DSCOMP~1.EXE C:\Users\Admin\AppData\Local\Temp\crfrs.exe
    PID: 1840

  C:\Windows\SysWOW64\CMD.exe
    Command line: CMD /C Start C:\Users\Admin\AppData\Local\Temp\crfrs.exe -start
    PID: 3260
    Signatures: Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\crfrs.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\crfrs.exe -start
      PID: 2016
      Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\CMD.exe
        Command line: CMD /C Start C:\Users\Admin\AppData\Local\3H5FAF~1\router1.exe -start
        PID: 2704

      C:\Windows\SysWOW64\CMD.exe
        Command line: CMD /C Start C:\Users\Admin\AppData\Local\3H5FAF~1\nicha2.exe -start
        PID: 2412
Network
MITRE ATT&CK Matrix
Downloads
  Filesize: 1KB
  MD5:      9b6419564e2517bca5c02656ee34428a
  SHA1:     82fa924ab283fdced730a5a01980bc16038a4ebc
  SHA256:   7c3062f4433da04b86fb2a95156b3598d5e9e030494f9956755dcff563579a4a
  SHA512:   5d95f22c06e9685f3728cad4aec555c002e5ccffb9bead9930b77f852c996c2eb97f33f569950271393fdadb2e84e469ccf995e4743b0d5f6512741be9c2366b

  Filesize: 54KB
  MD5:      19186a7f0b1ef0e9f3bae129c17826cc
  SHA1:     dcdc63d1c2aa295616d355b55ac4827513bcadae
  SHA256:   beac1d50834328f098a2b051240923ac4652f5a75596d8ad537fa3ff5d45c8e1
  SHA512:   00414d01810015af66f54cacb21fc4b4f1c86f8328c1233484f304a7bbacd0fd029ea58b474effe3c861ccaa2f4edbaa04f4bc88222905f015782a230ee135e7