Analysis
- max time kernel: 101s
- max time network: 101s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18/08/2024, 04:34
Static task: static1
Behavioral task: behavioral1
- Sample: e2cbbbeac3e3fbf04444d57b8c8a8c10N.exe
- Resource: win7-20240704-en
Behavioral task: behavioral2
- Sample: e2cbbbeac3e3fbf04444d57b8c8a8c10N.exe
- Resource: win10v2004-20240802-en
General
- Target: e2cbbbeac3e3fbf04444d57b8c8a8c10N.exe
- Size: 640KB
- MD5: e2cbbbeac3e3fbf04444d57b8c8a8c10
- SHA1: 9f38030473cbf752842af9b06bef3c2b8a3d01ac
- SHA256: c06b01cfd3f0434e5f28cc85c2cc6892e1a5902018342bba1c87110dd4887997
- SHA512: dfd8e0bd1b7c74dd295c67f08f4e2fc62d929d7d37cf3c7ea063e57f9211a2f8e5984cb64e91d010ddbcd980d67130d7df71ceda044016bb88bf1ada4b51d02b
- SSDEEP: 12288:5NzTInlbDeWhVQ5zCD4TyWN9VysX7ryTk2osi9:5NzTIlXeWhVQ5zY4xN9VyUUkV19
Malware Config
Signatures
- Deletes itself (1 IoC)
  pid: 328 | Process: e2cbbbeac3e3fbf04444d57b8c8a8c10N.exe
- Executes dropped EXE (1 IoC)
  pid: 328 | Process: e2cbbbeac3e3fbf04444d57b8c8a8c10N.exe
- Program crash (2 IoCs)
  pid: 864 | pid_target: 3248 | Process: WerFault.exe | procid_target: 83
  pid: 404 | pid_target: 328 | Process: WerFault.exe | procid_target: 91
- System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened | ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process: e2cbbbeac3e3fbf04444d57b8c8a8c10N.exe
- Suspicious behavior: RenamesItself (1 IoC)
  pid: 3248 | Process: e2cbbbeac3e3fbf04444d57b8c8a8c10N.exe
- Suspicious use of UnmapMainImage (1 IoC)
  pid: 328 | Process: e2cbbbeac3e3fbf04444d57b8c8a8c10N.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description: PID 3248 wrote to memory of 328 | pid: 3248 | Process: e2cbbbeac3e3fbf04444d57b8c8a8c10N.exe | procid_target: 91
  description: PID 3248 wrote to memory of 328 | pid: 3248 | Process: e2cbbbeac3e3fbf04444d57b8c8a8c10N.exe | procid_target: 91
  description: PID 3248 wrote to memory of 328 | pid: 3248 | Process: e2cbbbeac3e3fbf04444d57b8c8a8c10N.exe | procid_target: 91
Processes
- C:\Users\Admin\AppData\Local\Temp\e2cbbbeac3e3fbf04444d57b8c8a8c10N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e2cbbbeac3e3fbf04444d57b8c8a8c10N.exe"
  PID: 3248
  Signatures:
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  Children:
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3248 -s 396
    PID: 864
    Signatures:
    - Program crash
  - C:\Users\Admin\AppData\Local\Temp\e2cbbbeac3e3fbf04444d57b8c8a8c10N.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\e2cbbbeac3e3fbf04444d57b8c8a8c10N.exe
    PID: 328
    Signatures:
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of UnmapMainImage
    Children:
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 328 -s 364
      PID: 404
      Signatures:
      - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3248 -ip 3248
  PID: 632
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 328 -ip 328
  PID: 2952
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 640KB
- MD5: 11c48c45f98876b017f791c636fa4487
- SHA1: 933850412485b7ff88d4b8db849f17edf1d55d6b
- SHA256: 65580ed8006354c9dcab6d0b9880a98f87bbf92abd9e4ed4619ff588d1596259
- SHA512: 6a6d300421c0e789876510a9575e24a6f84facdf0ab63c136c93c61fce568fb081fc8205aad92f57e1d25a2c4de4199054323545fd1fc614caf193af4e9f8dac