Analysis
Max time kernel: 93s
Max time network: 138s
Platform: windows10-2004_x64
Resource: win10v2004-20240730-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240730-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 01/08/2024, 23:01
Static task: static1
Behavioral task: behavioral1
  Sample: 4af1cc58f206c4a1e33414af6432658aea63a386b880ab94e2378d61672d2161.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 4af1cc58f206c4a1e33414af6432658aea63a386b880ab94e2378d61672d2161.exe
  Resource: win10v2004-20240730-en
General
Target: 4af1cc58f206c4a1e33414af6432658aea63a386b880ab94e2378d61672d2161.exe
Size: 268KB
MD5: 1ead972466f15a5eae64d8258bc41cd7
SHA1: c821fc6c3c0c287529a06a60663b40ae57a9c32b
SHA256: 4af1cc58f206c4a1e33414af6432658aea63a386b880ab94e2378d61672d2161
SHA512: 734aa91cbb7914ab45a71bb3ed0cb5c62381c789b3f07df2af88e6b0e9d4753a3e52104a4152c31eb10f2d33514117a60aa62f0120f3b9c5e797eca8be219483
SSDEEP: 3072:S1TCHpjfE14VAsIU7wj3Q0qFgsTc75TncCRrjDh1t4y4SEbyHi9gMU:GT0FrH0j3QFM5b9jDHtESEbyH
Malware Config
Signatures
Deletes itself (1 IoC)
  pid: 4380  Process: 4af1cc58f206c4a1e33414af6432658aea63a386b880ab94e2378d61672d2161.exe
Executes dropped EXE (1 IoC)
  pid: 4380  Process: 4af1cc58f206c4a1e33414af6432658aea63a386b880ab94e2378d61672d2161.exe
Program crash (2 IoCs)
  pid: 3520  pid_target: 620   Process: WerFault.exe  procid_target: 82
  pid: 1652  pid_target: 4380  Process: WerFault.exe  procid_target: 90
System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process: 4af1cc58f206c4a1e33414af6432658aea63a386b880ab94e2378d61672d2161.exe
Suspicious behavior: RenamesItself (1 IoC)
  pid: 620  Process: 4af1cc58f206c4a1e33414af6432658aea63a386b880ab94e2378d61672d2161.exe
Suspicious use of UnmapMainImage (1 IoC)
  pid: 4380  Process: 4af1cc58f206c4a1e33414af6432658aea63a386b880ab94e2378d61672d2161.exe
Suspicious use of WriteProcessMemory (3 IoCs)
  description: PID 620 wrote to memory of 4380  pid: 620  Process: 4af1cc58f206c4a1e33414af6432658aea63a386b880ab94e2378d61672d2161.exe  procid_target: 90
  description: PID 620 wrote to memory of 4380  pid: 620  Process: 4af1cc58f206c4a1e33414af6432658aea63a386b880ab94e2378d61672d2161.exe  procid_target: 90
  description: PID 620 wrote to memory of 4380  pid: 620  Process: 4af1cc58f206c4a1e33414af6432658aea63a386b880ab94e2378d61672d2161.exe  procid_target: 90
Processes
C:\Users\Admin\AppData\Local\Temp\4af1cc58f206c4a1e33414af6432658aea63a386b880ab94e2378d61672d2161.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4af1cc58f206c4a1e33414af6432658aea63a386b880ab94e2378d61672d2161.exe"
  PID: 620
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 620 -s 396
      PID: 3520
      - Program crash
    C:\Users\Admin\AppData\Local\Temp\4af1cc58f206c4a1e33414af6432658aea63a386b880ab94e2378d61672d2161.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\4af1cc58f206c4a1e33414af6432658aea63a386b880ab94e2378d61672d2161.exe
      PID: 4380
      - Deletes itself
      - Executes dropped EXE
      - Suspicious use of UnmapMainImage
        C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 364
          PID: 1652
          - Program crash
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 620 -ip 620
  PID: 1424
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4380 -ip 4380
  PID: 4996
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Local\Temp\4af1cc58f206c4a1e33414af6432658aea63a386b880ab94e2378d61672d2161.exe
  Filesize: 268KB
  MD5: 2fdf79ea7a2273111b53ab9944090432
  SHA1: 66d6b30e8cf5b39e07ff5c365cbb6785f222b324
  SHA256: fca1b286703a014aac66ac1cb2bddd285561f1d2d2363a123670899b106a3dac
  SHA512: b251cbbf0c0e8525439d070e5e383689895a55bef7e22645989bedb8fdda18ac970267b9c99bfb1d9097963ce491df818925dc21fa1e2099a6234c591126e2ce