Analysis
- max time kernel: 124s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240730-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240730-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02/08/2024, 03:54
Static task: static1
Behavioral task: behavioral1
- Sample: b0d851f3b0ba382c27164948901a0b95546df01e3d629a0e9f8a82afeb7ae947.exe
- Resource: win7-20240704-en
Behavioral task: behavioral2
- Sample: b0d851f3b0ba382c27164948901a0b95546df01e3d629a0e9f8a82afeb7ae947.exe
- Resource: win10v2004-20240730-en
General
- Target: b0d851f3b0ba382c27164948901a0b95546df01e3d629a0e9f8a82afeb7ae947.exe
- Size: 448KB
- MD5: 206a0c4bd34acd2d7ac4f925145e2828
- SHA1: 32d37b30b60a3b719abb2c469cc0ab49a08c6b76
- SHA256: b0d851f3b0ba382c27164948901a0b95546df01e3d629a0e9f8a82afeb7ae947
- SHA512: 9b95c50ec96322883d53173981035819c6d406145167214bf8e941e37db906d2d9e50aee7626b5e47d167c835e464c52a85abe7f843b62aa75ae239103e131ae
- SSDEEP: 12288:i9hPT29NbyozCup/RUiUY6uEzCyfi0npM4dl0v5JdmA:CT2HbyozCup/RUiUY6uEzCyfiEM4dmvl
Malware Config
Signatures
- Deletes itself (1 IoC)
  pid   Process
  4032  b0d851f3b0ba382c27164948901a0b95546df01e3d629a0e9f8a82afeb7ae947.exe
- Executes dropped EXE (1 IoC)
  pid   Process
  4032  b0d851f3b0ba382c27164948901a0b95546df01e3d629a0e9f8a82afeb7ae947.exe
- Program crash (5 IoCs)
  pid   pid_target  Process       procid_target
  2304  2500        WerFault.exe  82
  428   4032        WerFault.exe  89
  2316  4032        WerFault.exe  89
  804   4032        WerFault.exe  89
  3272  4032        WerFault.exe  89
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  b0d851f3b0ba382c27164948901a0b95546df01e3d629a0e9f8a82afeb7ae947.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  b0d851f3b0ba382c27164948901a0b95546df01e3d629a0e9f8a82afeb7ae947.exe
- Suspicious behavior: RenamesItself (1 IoC)
  pid   Process
  2500  b0d851f3b0ba382c27164948901a0b95546df01e3d629a0e9f8a82afeb7ae947.exe
- Suspicious use of UnmapMainImage (1 IoC)
  pid   Process
  4032  b0d851f3b0ba382c27164948901a0b95546df01e3d629a0e9f8a82afeb7ae947.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description                          pid   Process                                                                  procid_target
  PID 2500 wrote to memory of 4032     2500  b0d851f3b0ba382c27164948901a0b95546df01e3d629a0e9f8a82afeb7ae947.exe  89
  PID 2500 wrote to memory of 4032     2500  b0d851f3b0ba382c27164948901a0b95546df01e3d629a0e9f8a82afeb7ae947.exe  89
  PID 2500 wrote to memory of 4032     2500  b0d851f3b0ba382c27164948901a0b95546df01e3d629a0e9f8a82afeb7ae947.exe  89
Processes
- C:\Users\Admin\AppData\Local\Temp\b0d851f3b0ba382c27164948901a0b95546df01e3d629a0e9f8a82afeb7ae947.exe (PID 2500, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\b0d851f3b0ba382c27164948901a0b95546df01e3d629a0e9f8a82afeb7ae947.exe"
  Signatures: System Location Discovery: System Language Discovery; Suspicious behavior: RenamesItself; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WerFault.exe (PID 2304, level 2)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2500 -s 384
    Signatures: Program crash
  - C:\Users\Admin\AppData\Local\Temp\b0d851f3b0ba382c27164948901a0b95546df01e3d629a0e9f8a82afeb7ae947.exe (PID 4032, level 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\b0d851f3b0ba382c27164948901a0b95546df01e3d629a0e9f8a82afeb7ae947.exe
    Signatures: Deletes itself; Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of UnmapMainImage
    - C:\Windows\SysWOW64\WerFault.exe (PID 428, level 3)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4032 -s 352
      Signatures: Program crash
    - C:\Windows\SysWOW64\WerFault.exe (PID 2316, level 3)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4032 -s 768
      Signatures: Program crash
    - C:\Windows\SysWOW64\WerFault.exe (PID 804, level 3)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4032 -s 788
      Signatures: Program crash
    - C:\Windows\SysWOW64\WerFault.exe (PID 3272, level 3)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4032 -s 772
      Signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe (PID 3212, level 1)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2500 -ip 2500
- C:\Windows\SysWOW64\WerFault.exe (PID 2108, level 1)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4032 -ip 4032
- C:\Windows\SysWOW64\WerFault.exe (PID 2036, level 1)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4032 -ip 4032
- C:\Windows\SysWOW64\WerFault.exe (PID 2332, level 1)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4032 -ip 4032
- C:\Windows\SysWOW64\WerFault.exe (PID 1616, level 1)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4032 -ip 4032
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Temp\b0d851f3b0ba382c27164948901a0b95546df01e3d629a0e9f8a82afeb7ae947.exe
  Filesize: 448KB
  MD5: a02aa739d34279daea716747f4a8e9ab
  SHA1: 4856e23202533de5b88f3612d63528ae4a8166f0
  SHA256: 7a4e2190bd94288bda86ddb36b4bb3255a4540d745b668ddbe81fc0b23fdede3
  SHA512: bec8c84705b0a9072152e6e2749a1a6e8b26f9e2aee92600d20d083afbf29e81a01c9e233636ee7680a03fa5a257c7eef0be108ecc6380f6f54e9e36c59455ba