Analysis

  • max time kernel
    125s
  • max time network
    128s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    05/08/2024, 13:00

General

  • Target

    PI24000032.exe

  • Size

    1.2MB

  • MD5

    4ea21bce2e927e066bd726b8d38a2adc

  • SHA1

    a4d7a0820e72d4cdd3e0d882593c69983ad6e043

  • SHA256

    9c2a88e6231afc32955d617333a563b8961175a3ea9f01a97140aa6707ef7272

  • SHA512

    4c3016090b9f917c929b4c08f62cbb923eec32ae06f6ba42a4323f98c8dfedbf38e675c1787d752ad0f03cde72e01c47d15000200a08dc34d7729403bac5b1ac

  • SSDEEP

    24576:5qDEvCTbMWu7rQYlBQcBiT6rprG8av0NzEdqf3LyFPQ7leIJ:5TvC/MTQYxsWR7av0NwQf3L6Y7le

Score
5/10

Malware Config

Signatures

  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\PI24000032.exe
    "C:\Users\Admin\AppData\Local\Temp\PI24000032.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1092
    • C:\Windows\SysWOW64\svchost.exe
      "C:\Users\Admin\AppData\Local\Temp\PI24000032.exe"
      2⤵
      PID:4044
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4044 -s 192
        3⤵
        • Program crash
        PID:3800
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4044 -ip 4044
    1⤵
    PID:312
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4120,i,9445584274764997943,12714240264001792460,262144 --variations-seed-version --mojo-platform-channel-handle=3988 /prefetch:8
    1⤵
    PID:944

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\aut5520.tmp
    Filesize
    280KB
    MD5
    3e87a8823c6f4231f6cfc1fdc08dae11
    SHA1
    9773a563be5d99db6d9ebee374b70aaea13691b8
    SHA256
    44096e8052b7c31a31f65ef79bcdcdc4a446f969b38e56f2cc2505993ab133cf
    SHA512
    bf5a4d88a5dfffb6f5c4bca70c6b01133281824edf745f9d4ceedf7cdba7e8a0387ff852a2e03e4bda35f8164d0be789b7a47734932e3e03d9251239d8ea07c6

  • memory/1092-13-0x0000000002730000-0x0000000002734000-memory.dmp
    Filesize
    16KB

  • memory/4044-14-0x0000000000520000-0x0000000000566000-memory.dmp
    Filesize
    280KB