Analysis
- max time kernel: 101s
- max time network: 104s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20/08/2024, 20:51
Static task: static1
Behavioral task: behavioral1
- Sample: 9e1787fefde22c946238d1e5c4359cd0N.exe
- Resource: win7-20240704-en
Behavioral task: behavioral2
- Sample: 9e1787fefde22c946238d1e5c4359cd0N.exe
- Resource: win10v2004-20240802-en
General
- Target: 9e1787fefde22c946238d1e5c4359cd0N.exe
- Size: 904KB
- MD5: 9e1787fefde22c946238d1e5c4359cd0
- SHA1: f1439fc4417b444873a2bc0a4e091734a644dbad
- SHA256: 87a3f4cb7819deedc56bc77d565b918e7da3cd140757e923affe587dc1e6c677
- SHA512: 9a5350f3c3b2055d8103f309866438e238bc678c90da56b7948696ee96eedb670c2e80b36de1266d1bbb9d3d499c55ab6142d09f41996c4fcd79d53dd844214a
- SSDEEP: 24576:F5s1ovDARFme86bBBBsSdBL5vfkavAd1z5yg66iLsn+vm5Oe/MzVAPuO4DFHgby1:F5s1ovDARFme8iBBBsSdBL5vfkavAd1U
Malware Config
Signatures
- Deletes itself (1 IoCs)
  pid 232, Process 9e1787fefde22c946238d1e5c4359cd0N.exe
- Executes dropped EXE (1 IoCs)
  pid 232, Process 9e1787fefde22c946238d1e5c4359cd0N.exe
- Program crash (3 IoCs)
  pid 4492, pid_target 3444, Process WerFault.exe, procid_target 83
  pid 3208, pid_target 232, Process WerFault.exe, procid_target 91
  pid 1664, pid_target 232, Process WerFault.exe, procid_target 91
- System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; Process: 9e1787fefde22c946238d1e5c4359cd0N.exe
- Suspicious behavior: RenamesItself (1 IoCs)
  pid 3444, Process 9e1787fefde22c946238d1e5c4359cd0N.exe
- Suspicious use of UnmapMainImage (1 IoCs)
  pid 232, Process 9e1787fefde22c946238d1e5c4359cd0N.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description: PID 3444 wrote to memory of 232; pid 3444; Process 9e1787fefde22c946238d1e5c4359cd0N.exe; procid_target 91
  description: PID 3444 wrote to memory of 232; pid 3444; Process 9e1787fefde22c946238d1e5c4359cd0N.exe; procid_target 91
  description: PID 3444 wrote to memory of 232; pid 3444; Process 9e1787fefde22c946238d1e5c4359cd0N.exe; procid_target 91
Processes
- C:\Users\Admin\AppData\Local\Temp\9e1787fefde22c946238d1e5c4359cd0N.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\9e1787fefde22c946238d1e5c4359cd0N.exe"
  PID: 3444
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  child processes:
  - C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3444 -s 344
    PID: 4492
    - Program crash
  - C:\Users\Admin\AppData\Local\Temp\9e1787fefde22c946238d1e5c4359cd0N.exe
    command line: C:\Users\Admin\AppData\Local\Temp\9e1787fefde22c946238d1e5c4359cd0N.exe
    PID: 232
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of UnmapMainImage
    child processes:
    - C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 232 -s 344
      PID: 3208
      - Program crash
    - C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 232 -s 368
      PID: 1664
      - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 3444 -ip 3444
  PID: 688
- C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 232 -ip 232
  PID: 4604
- C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 232 -ip 232
  PID: 560
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 904KB
  MD5: 9058c043ee729379926666ff1eb8c31f
  SHA1: a40ac960681ce24addbd99c18e9ffd117573fae0
  SHA256: b94bb24fb0aba3a9cf0376875a672e1593127829851fb7cbfdc2fc79e2e94a23
  SHA512: fe7c30b1962bd53cabd3fff3f9867703ce296e7651dafe2f151fe60ff2429b31852e77f35e73305a7d605b39967df3e324b12161e33cb187af27dcc075ab82b9