Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

fb0014ea34...0N.exe

windows7-x64

7

fb0014ea34...0N.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    102s
  • max time network
    115s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20/08/2024, 19:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fb0014ea34f774208605e28bee4023b0N.exe

  • Size

    1004KB

  • MD5

    fb0014ea34f774208605e28bee4023b0

  • SHA1

    40981c0ea15f9e2f7a07cbd8bdefca89947c44eb

  • SHA256

    99fbf5280aa301ee6a41acb4f88a14266186cc7deeb8806e1a44c756da197dd1

  • SHA512

    63e9cc441acf7895e5a3f7d3ee1ccc53892bebb085b27262770c75c5a436b41bd92a57069c3fbee00761048b032ab3b5317ce90f4a5af85062c84fd3af59e11e

  • SSDEEP

    24576:34OLYmyM7cb5kWyMJ9C1Xda/ZSCBHn677:fLYmy2cb5k5MJ8XdgVBHn6

Score
7/10
discovery

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Program crash 15 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fb0014ea34f774208605e28bee4023b0N.exe
    "C:\Users\Admin\AppData\Local\Temp\fb0014ea34f774208605e28bee4023b0N.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:4120
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4120 -s 352
      2⤵
      • Program crash
      PID:3212
    • C:\Users\Admin\AppData\Local\Temp\fb0014ea34f774208605e28bee4023b0N.exe
      C:\Users\Admin\AppData\Local\Temp\fb0014ea34f774208605e28bee4023b0N.exe
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of UnmapMainImage
      PID:1308
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1308 -s 344
        3⤵
        • Program crash
        PID:4700
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1308 -s 668
        3⤵
        • Program crash
        PID:1848
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1308 -s 688
        3⤵
        • Program crash
        PID:3728
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1308 -s 712
        3⤵
        • Program crash
        PID:1708
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1308 -s 376
        3⤵
        • Program crash
        PID:4620
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1308 -s 908
        3⤵
        • Program crash
        PID:2084
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1308 -s 1408
        3⤵
        • Program crash
        PID:3172
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1308 -s 1484
        3⤵
        • Program crash
        PID:4824
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1308 -s 1500
        3⤵
        • Program crash
        PID:4128
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1308 -s 1488
        3⤵
        • Program crash
        PID:3616
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1308 -s 1516
        3⤵
        • Program crash
        PID:3748
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1308 -s 1468
        3⤵
        • Program crash
        PID:3628
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1308 -s 1500
        3⤵
        • Program crash
        PID:3000
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1308 -s 1680
        3⤵
        • Program crash
        PID:2816
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4120 -ip 4120
    1⤵
      PID:872
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1308 -ip 1308
      1⤵
        PID:4444
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1308 -ip 1308
        1⤵
          PID:1992
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1308 -ip 1308
          1⤵
            PID:1976
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1308 -ip 1308
            1⤵
              PID:3288
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1308 -ip 1308
              1⤵
                PID:2344
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1308 -ip 1308
                1⤵
                  PID:4956
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1308 -ip 1308
                  1⤵
                    PID:440
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1308 -ip 1308
                    1⤵
                      PID:2236
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1308 -ip 1308
                      1⤵
                        PID:4704
                      • C:\Windows\SysWOW64\WerFault.exe
                        C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1308 -ip 1308
                        1⤵
                          PID:344
                        • C:\Windows\SysWOW64\WerFault.exe
                          C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1308 -ip 1308
                          1⤵
                            PID:2396
                          • C:\Windows\SysWOW64\WerFault.exe
                            C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1308 -ip 1308
                            1⤵
                              PID:1268
                            • C:\Windows\SysWOW64\WerFault.exe
                              C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 1308 -ip 1308
                              1⤵
                                PID:1568
                              • C:\Windows\SysWOW64\WerFault.exe
                                C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 1308 -ip 1308
                                1⤵
                                  PID:1856

                                Network

                                MITRE ATT&CK Enterprise v15

                                Replay Monitor

                                Loading Replay Monitor...

                                Downloads

                                • C:\Users\Admin\AppData\Local\Temp\fb0014ea34f774208605e28bee4023b0N.exe
                                  Filesize

                                  1004KB

                                  MD5

                                  aea55ce961bafd129b83d832a07bdd64

                                  SHA1

                                  e2aa8c4198665a1ffd5433dec7916b74870a20d5

                                  SHA256

                                  1f1753f07a8f41d01a24b7f6fac145f74ac328d38ab37bc585baab3e6ea959c2

                                  SHA512

                                  78e48b4cadb076a69d9153f754477390d6fa8b5d93c591a61f4729cb85831efe24f47eed0fdb3ec4ecc3139c3a1af9b02ee15a67802a905a1f3f0140fa62a6b9

                                  Download Submit

                                • memory/1308-7-0x0000000000400000-0x00000000004EF000-memory.dmp

                                  Filesize

                                  956KB

                                  Download

                                • memory/1308-8-0x00000000050F0000-0x00000000051DF000-memory.dmp

                                  Filesize

                                  956KB

                                  Download

                                • memory/1308-9-0x0000000000400000-0x00000000004A3000-memory.dmp

                                  Filesize

                                  652KB

                                  Download

                                • memory/1308-27-0x000000000B800000-0x000000000B8A3000-memory.dmp

                                  Filesize

                                  652KB

                                  Download

                                • memory/1308-21-0x0000000000400000-0x0000000000443000-memory.dmp

                                  Filesize

                                  268KB

                                  Download

                                • memory/1308-28-0x0000000000400000-0x00000000004EF000-memory.dmp

                                  Filesize

                                  956KB

                                  Download

                                • memory/4120-0-0x0000000000400000-0x00000000004EF000-memory.dmp

                                  Filesize

                                  956KB

                                  Download

                                • memory/4120-6-0x0000000000400000-0x00000000004EF000-memory.dmp

                                  Filesize

                                  956KB

                                  Download