Analysis
max time kernel: 31s
max time network: 39s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05/08/2024, 14:40
Static task
static1

Behavioral task
behavioral1
Sample: MalwareBazaar.exe
Resource: win7-20240704-en

Behavioral task
behavioral2
Sample: MalwareBazaar.exe
Resource: win10v2004-20240802-en
Errors
General
Target: MalwareBazaar.exe
Size: 1.2MB
MD5: 5f9a0cb83894c70bc24e0f9254fb8c47
SHA1: 4a72402a2de6f13d3bc7aea07efe0fb0942ed740
SHA256: b79a12b0fc47bdaa7e1da3863e004d5e4a9acfcbb251ee60248564ceeb451b8d
SHA512: 8f9e3557d4fcc2471d234fc7b1495993706edb24a38f9067239afe05371d170754e121e2ce8eadd1a949ad0d86f639a2f3bf7b386e3633d2e5bf4a6d1e466c03
SSDEEP: 24576:hqDEvCTbMWu7rQYlBQcBiT6rprG8aNiSSHyA1jXh:hTvC/MTQYxsWR7aNiSSFpX
Malware Config
Signatures
- Suspicious use of SetThreadContext (1 IoC)
  PID 2020 (MalwareBazaar.exe) set thread context of PID 2028; procid_target 86
- Program crash (1 IoC)
  PID 5056 (WerFault.exe) handled a crash of PID 2028; procid_target 86
- System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by MalwareBazaar.exe
- Suspicious behavior: MapViewOfSection (2 IoCs)
  PID 2020 (MalwareBazaar.exe), twice
- Suspicious use of FindShellTrayWindow (2 IoCs)
  PID 2020 (MalwareBazaar.exe), twice
- Suspicious use of SendNotifyMessage (2 IoCs)
  PID 2020 (MalwareBazaar.exe), twice
- Suspicious use of WriteProcessMemory (4 IoCs)
  PID 2020 (MalwareBazaar.exe) wrote to memory of PID 2028, four times; procid_target 86
Processes
- C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe"
  PID: 2020
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\svchost.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe"
    PID: 2028
    - C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2028 -s 192
      PID: 5056
      - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2028 -ip 2028
  PID: 4728
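The signatures and the process tree together show one pattern worth naming: MalwareBazaar.exe (PID 2020) spawns C:\Windows\SysWOW64\svchost.exe (PID 2028) but with its own command line rather than svchost's, writes into 2028 four times, and then calls SetThreadContext on 2028. That is the behavioural footprint of process hollowing (ATT&CK T1055.012): a legitimate host image whose memory and thread entry point are replaced by the injector. The WerFault.exe invocations for PID 2028 show the hollowed process crashed in this run, so anything the payload would have done afterwards (including network activity) may not be represented here. The script below is an added example, not part of the tria.ge report or its tooling: it encodes the report's events as constructed records (the field names kind/pid/target/image/cmdline are this example's own schema, not tria.ge's export format) and flags the target of a cross-process write-then-SetThreadContext sequence, adding the image/command-line mismatch as a further reason when a create event is available.

```python
"""Flag a process-hollowing pattern from sandbox process events.

Added example; not part of the tria.ge report or its tooling. The events
below are constructed by hand from the report's Signatures and Processes
sections, and the record schema (kind, pid, target, image, cmdline) is
this example's own, not tria.ge's export format.
"""
from collections import defaultdict
from dataclasses import dataclass
import ntpath


@dataclass(frozen=True)
class ProcEvent:
    kind: str          # "create", "write_memory" or "set_thread_context"
    pid: int           # acting process
    target: int        # affected process (the new process for "create")
    image: str = ""    # "create" only: on-disk image of the new process
    cmdline: str = ""  # "create" only: command line the new process was given


# Constructed from the report: PID 2020 = MalwareBazaar.exe, PID 2028 = svchost.exe
EVENTS = [
    ProcEvent("create", 2020, 2020,
              r"C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe"'),
    ProcEvent("create", 2020, 2028,
              r"C:\Windows\SysWOW64\svchost.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe"'),
    *[ProcEvent("write_memory", 2020, 2028) for _ in range(4)],  # 4 WriteProcessMemory IoCs
    ProcEvent("set_thread_context", 2020, 2028),                   # 1 SetThreadContext IoC
]


def argv0(cmdline: str) -> str:
    """First token of a Windows command line, honouring a quoted argv[0]."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split(None, 1)[0] if s else ""


def cmdline_image_mismatch(image: str, cmdline: str) -> bool:
    """True when argv[0] names a different executable than the process image.

    A hollowed host keeps the legitimate binary's image path but is typically
    created with the injector's own command line, as svchost.exe was here.
    """
    return ntpath.basename(argv0(cmdline)).lower() != ntpath.basename(image).lower()


def find_hollowing(events, min_writes: int = 1):
    """Return (source_pid, target_pid, reasons) for every target that some
    other process both wrote into and re-pointed a thread of."""
    created = {}               # target pid -> (image, cmdline)
    writes = defaultdict(int)  # (src, dst) -> cross-process write count
    ctx_set = set()            # (src, dst) pairs with cross-process SetThreadContext
    for e in events:
        if e.kind == "create":
            created[e.target] = (e.image, e.cmdline)
        elif e.pid == e.target:
            continue           # a process touching itself is not hollowing
        elif e.kind == "write_memory":
            writes[(e.pid, e.target)] += 1
        elif e.kind == "set_thread_context":
            ctx_set.add((e.pid, e.target))

    hits = []
    for src, dst in sorted(ctx_set):
        if writes[(src, dst)] < min_writes:
            continue
        reasons = [f"{writes[(src, dst)]}x WriteProcessMemory into {dst}",
                   f"SetThreadContext on {dst}"]
        image, cmdline = created.get(dst, ("", ""))
        if image and cmdline and cmdline_image_mismatch(image, cmdline):
            reasons.append(f"image {ntpath.basename(image)} launched as "
                           f"{ntpath.basename(argv0(cmdline))}")
        hits.append((src, dst, reasons))
    return hits


if __name__ == "__main__":
    for src, dst, reasons in find_hollowing(EVENTS):
        print(f"PID {src} -> PID {dst}: " + "; ".join(reasons))
```

Run as-is it reports PID 2020 -> PID 2028 with all three reasons. The image/command-line check is deliberately a secondary signal: on a real endpoint a legitimate svchost.exe is launched with its own path and a -k argument, so a mismatch is strong corroboration, but the write-then-SetThreadContext pair on another process is what carries the detection.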
Network
MITRE ATT&CK Enterprise v15
Discovery: System Location Discovery: System Language Discovery (T1614.001), from the NLS\Language registry read reported under Signatures
Downloads
Filesize: 281KB
MD5: 69d66bc768f1c50e4ea1cf68a0d92602
SHA1: b2a549ef3d452d85af705764760903224a5d5522
SHA256: 539bf6030060fb375c51f71c206921d1511d6c138b7286ce84abfa63aca9c2a4
SHA512: ab1df0052568119868b60407d8a5741008c26309871911d06f58d50959d7ac44c7c8064b94c7952807b7b9cf15051840a6898cdcd0bdef628bbc97c38df49373