Analysis
max time kernel: 148s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/08/2024, 17:00
Static task: static1
Behavioral task: behavioral1
  Sample: 3848e4539cfa567955ee4cffd6ad22e250afb44728a86550d264dd197ffac402.exe
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: 3848e4539cfa567955ee4cffd6ad22e250afb44728a86550d264dd197ffac402.exe
  Resource: win10v2004-20240802-en
General
Target: 3848e4539cfa567955ee4cffd6ad22e250afb44728a86550d264dd197ffac402.exe
Size: 1.2MB
MD5: 56dbc4367833434be158a1a0cebbd1a9
SHA1: 9097801ea095f4b4afc15497d9370d3c8a5c913b
SHA256: 3848e4539cfa567955ee4cffd6ad22e250afb44728a86550d264dd197ffac402
SHA512: c216c2ed433994fd1a7759a90dd3464d266014dd5efdc2da30f267ced8d393c17c9f93f425c27a4b76655a1abb34393f0b4fd9d7c8d4efca527c28ce99623a75
SSDEEP: 24576:RqDEvCTbMWu7rQYlBQcBiT6rprG8aBsjPz4CXMD:RTvC/MTQYxsWR7aBsjP
Malware Config
Signatures

Program crash (1 IoC)
  pid   pid_target   Process         procid_target
  2084  4424         WerFault.exe    80
System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description   ioc                                                        Process
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   3848e4539cfa567955ee4cffd6ad22e250afb44728a86550d264dd197ffac402.exe
Suspicious behavior: MapViewOfSection (2 IoCs)
  pid   Process
  4424  3848e4539cfa567955ee4cffd6ad22e250afb44728a86550d264dd197ffac402.exe
  4424  3848e4539cfa567955ee4cffd6ad22e250afb44728a86550d264dd197ffac402.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
  pid   Process
  4424  3848e4539cfa567955ee4cffd6ad22e250afb44728a86550d264dd197ffac402.exe
  4424  3848e4539cfa567955ee4cffd6ad22e250afb44728a86550d264dd197ffac402.exe

Suspicious use of SendNotifyMessage (2 IoCs)
  pid   Process
  4424  3848e4539cfa567955ee4cffd6ad22e250afb44728a86550d264dd197ffac402.exe
  4424  3848e4539cfa567955ee4cffd6ad22e250afb44728a86550d264dd197ffac402.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  description                        pid   Process                                                                  procid_target
  PID 4424 wrote to memory of 2300   4424  3848e4539cfa567955ee4cffd6ad22e250afb44728a86550d264dd197ffac402.exe   84
  PID 4424 wrote to memory of 2300   4424  3848e4539cfa567955ee4cffd6ad22e250afb44728a86550d264dd197ffac402.exe   84
  PID 4424 wrote to memory of 2300   4424  3848e4539cfa567955ee4cffd6ad22e250afb44728a86550d264dd197ffac402.exe   84
Processes

C:\Users\Admin\AppData\Local\Temp\3848e4539cfa567955ee4cffd6ad22e250afb44728a86550d264dd197ffac402.exe (PID 4424)
  Command line: "C:\Users\Admin\AppData\Local\Temp\3848e4539cfa567955ee4cffd6ad22e250afb44728a86550d264dd197ffac402.exe"
  Signatures:
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\svchost.exe (PID 2300)
    Command line: "C:\Users\Admin\AppData\Local\Temp\3848e4539cfa567955ee4cffd6ad22e250afb44728a86550d264dd197ffac402.exe"

  C:\Windows\SysWOW64\WerFault.exe (PID 2084)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4424 -s 736
    Signatures:
      - Program crash

C:\Windows\SysWOW64\WerFault.exe (PID 1484)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4424 -ip 4424
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 280KB
MD5: b6d48637d1736c2f8f616a9c6f7551a5
SHA1: 0808f51721d3421dd2e82d6c6f493635faf65499
SHA256: 9ac40f84820e94850d21aa67c374c765a6a0958f9d6397b2b0beef59aedeb6be
SHA512: d43d19b23bdcc3cffe7e4837c3b82ec3da2900356ac0339e1bb1002be77e62429e120da6b1f4f110feca1da863d6124ffd4d62675c316d09fabc8f4353ac0e86