Analysis
max time kernel: 102s
max time network: 115s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20/08/2024, 19:15
Static task: static1
Behavioral task: behavioral1
  Sample: fb0014ea34f774208605e28bee4023b0N.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: fb0014ea34f774208605e28bee4023b0N.exe
  Resource: win10v2004-20240802-en
General
Target: fb0014ea34f774208605e28bee4023b0N.exe
Size: 1004KB
MD5: fb0014ea34f774208605e28bee4023b0
SHA1: 40981c0ea15f9e2f7a07cbd8bdefca89947c44eb
SHA256: 99fbf5280aa301ee6a41acb4f88a14266186cc7deeb8806e1a44c756da197dd1
SHA512: 63e9cc441acf7895e5a3f7d3ee1ccc53892bebb085b27262770c75c5a436b41bd92a57069c3fbee00761048b032ab3b5317ce90f4a5af85062c84fd3af59e11e
SSDEEP: 24576:34OLYmyM7cb5kWyMJ9C1Xda/ZSCBHn677:fLYmy2cb5k5MJ8XdgVBHn6
Malware Config
Signatures

Deletes itself (1 IoC)
  pid   Process
  1308  fb0014ea34f774208605e28bee4023b0N.exe

Executes dropped EXE (1 IoC)
  pid   Process
  1308  fb0014ea34f774208605e28bee4023b0N.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
  flow  ioc
  18    pastebin.com
  17    pastebin.com

Program crash (15 IoCs)
  pid   pid_target  Process       procid_target
  3212  4120        WerFault.exe  83
  4700  1308        WerFault.exe  91
  1848  1308        WerFault.exe  91
  3728  1308        WerFault.exe  91
  1708  1308        WerFault.exe  91
  4620  1308        WerFault.exe  91
  2084  1308        WerFault.exe  91
  3172  1308        WerFault.exe  91
  4824  1308        WerFault.exe  91
  4128  1308        WerFault.exe  91
  3616  1308        WerFault.exe  91
  3748  1308        WerFault.exe  91
  3628  1308        WerFault.exe  91
  3000  1308        WerFault.exe  91
  2816  1308        WerFault.exe  91
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim host in order to infer its geographical location.
  description  ioc                                                         Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  fb0014ea34f774208605e28bee4023b0N.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  fb0014ea34f774208605e28bee4023b0N.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  1308  fb0014ea34f774208605e28bee4023b0N.exe
  1308  fb0014ea34f774208605e28bee4023b0N.exe

Suspicious behavior: RenamesItself (1 IoC)
  pid   Process
  4120  fb0014ea34f774208605e28bee4023b0N.exe

Suspicious use of UnmapMainImage (1 IoC)
  pid   Process
  1308  fb0014ea34f774208605e28bee4023b0N.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  description                         pid   Process                                procid_target
  PID 4120 wrote to memory of 1308    4120  fb0014ea34f774208605e28bee4023b0N.exe  91
  PID 4120 wrote to memory of 1308    4120  fb0014ea34f774208605e28bee4023b0N.exe  91
  PID 4120 wrote to memory of 1308    4120  fb0014ea34f774208605e28bee4023b0N.exe  91
Processes
(indentation shows the parent/child relationship in the process tree)

C:\Users\Admin\AppData\Local\Temp\fb0014ea34f774208605e28bee4023b0N.exe (PID 4120)
  command line: "C:\Users\Admin\AppData\Local\Temp\fb0014ea34f774208605e28bee4023b0N.exe"
  signatures: System Location Discovery: System Language Discovery; Suspicious behavior: RenamesItself; Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WerFault.exe (PID 3212)
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4120 -s 352
    signatures: Program crash

  C:\Users\Admin\AppData\Local\Temp\fb0014ea34f774208605e28bee4023b0N.exe (PID 1308)
    command line: C:\Users\Admin\AppData\Local\Temp\fb0014ea34f774208605e28bee4023b0N.exe
    signatures: Deletes itself; Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of UnmapMainImage

    C:\Windows\SysWOW64\WerFault.exe (PID 4700)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1308 -s 344
      signatures: Program crash

    C:\Windows\SysWOW64\WerFault.exe (PID 1848)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1308 -s 668
      signatures: Program crash

    C:\Windows\SysWOW64\WerFault.exe (PID 3728)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1308 -s 688
      signatures: Program crash

    C:\Windows\SysWOW64\WerFault.exe (PID 1708)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1308 -s 712
      signatures: Program crash

    C:\Windows\SysWOW64\WerFault.exe (PID 4620)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1308 -s 376
      signatures: Program crash

    C:\Windows\SysWOW64\WerFault.exe (PID 2084)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1308 -s 908
      signatures: Program crash

    C:\Windows\SysWOW64\WerFault.exe (PID 3172)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1308 -s 1408
      signatures: Program crash

    C:\Windows\SysWOW64\WerFault.exe (PID 4824)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1308 -s 1484
      signatures: Program crash

    C:\Windows\SysWOW64\WerFault.exe (PID 4128)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1308 -s 1500
      signatures: Program crash

    C:\Windows\SysWOW64\WerFault.exe (PID 3616)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1308 -s 1488
      signatures: Program crash

    C:\Windows\SysWOW64\WerFault.exe (PID 3748)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1308 -s 1516
      signatures: Program crash

    C:\Windows\SysWOW64\WerFault.exe (PID 3628)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1308 -s 1468
      signatures: Program crash

    C:\Windows\SysWOW64\WerFault.exe (PID 3000)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1308 -s 1500
      signatures: Program crash

    C:\Windows\SysWOW64\WerFault.exe (PID 2816)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1308 -s 1680
      signatures: Program crash

C:\Windows\SysWOW64\WerFault.exe (PID 872)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4120 -ip 4120

C:\Windows\SysWOW64\WerFault.exe (PID 4444)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1308 -ip 1308

C:\Windows\SysWOW64\WerFault.exe (PID 1992)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1308 -ip 1308

C:\Windows\SysWOW64\WerFault.exe (PID 1976)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1308 -ip 1308

C:\Windows\SysWOW64\WerFault.exe (PID 3288)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1308 -ip 1308

C:\Windows\SysWOW64\WerFault.exe (PID 2344)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1308 -ip 1308

C:\Windows\SysWOW64\WerFault.exe (PID 4956)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1308 -ip 1308

C:\Windows\SysWOW64\WerFault.exe (PID 440)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1308 -ip 1308

C:\Windows\SysWOW64\WerFault.exe (PID 2236)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1308 -ip 1308

C:\Windows\SysWOW64\WerFault.exe (PID 4704)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1308 -ip 1308

C:\Windows\SysWOW64\WerFault.exe (PID 344)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1308 -ip 1308

C:\Windows\SysWOW64\WerFault.exe (PID 2396)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1308 -ip 1308

C:\Windows\SysWOW64\WerFault.exe (PID 1268)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1308 -ip 1308

C:\Windows\SysWOW64\WerFault.exe (PID 1568)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 1308 -ip 1308

C:\Windows\SysWOW64\WerFault.exe (PID 1856)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 1308 -ip 1308
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1004KB
MD5: aea55ce961bafd129b83d832a07bdd64
SHA1: e2aa8c4198665a1ffd5433dec7916b74870a20d5
SHA256: 1f1753f07a8f41d01a24b7f6fac145f74ac328d38ab37bc585baab3e6ea959c2
SHA512: 78e48b4cadb076a69d9153f754477390d6fa8b5d93c591a61f4729cb85831efe24f47eed0fdb3ec4ecc3139c3a1af9b02ee15a67802a905a1f3f0140fa62a6b9