Analysis

max time kernel:   94s
max time network:  96s
platform:          windows10-2004_x64
resource:          win10v2004-20240802-en
resource tags:     arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted:         22/08/2024, 07:01
Static task
  static1

Behavioral task
  behavioral1
  Sample:    807ad2661b45960e1d9dedd6fcb816e0N.exe
  Resource:  win7-20240729-en

Behavioral task
  behavioral2
  Sample:    807ad2661b45960e1d9dedd6fcb816e0N.exe
  Resource:  win10v2004-20240802-en

The analysis details on this page (platform windows10-2004_x64, resource win10v2004-20240802-en) come from the behavioral2 run.
General

Target:   807ad2661b45960e1d9dedd6fcb816e0N.exe
Size:     1.2MB
MD5:      807ad2661b45960e1d9dedd6fcb816e0
SHA1:     974c6fcdc14d3b0d7f8b883700958e8795e29564
SHA256:   7e25ae929cbe78c28594fd7c220b424c9eed31996c4b0c123b6399c449a80cc2
SHA512:   180d8c58625a75db80ad620ab3ac14b897b8ebad342cd9de788e74729e0bb34fdb90a25698aa9c6b6d972cf970152e61b46aa63533d4e05fccdead077f04dd31
SSDEEP:   12288:4m2IW5PXw9N94+uWD1qBbKR0dk08/jVDa/ZSC+gRHnhvMCtjW:4Vgz4+uWD840dk9a/ZSC+gVueC
Malware Config
  none reported for this run
Signatures

Deletes itself (1 IoC)
  PID   Process
  2916  807ad2661b45960e1d9dedd6fcb816e0N.exe

Executes dropped EXE (1 IoC)
  PID   Process
  2916  807ad2661b45960e1d9dedd6fcb816e0N.exe

Program crash (3 IoCs)
  PID   Target PID  Process       procid_target
  3896  4536        WerFault.exe  83
  3456  2916        WerFault.exe  91
  2456  2916        WerFault.exe  91

System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Description  IoC                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  807ad2661b45960e1d9dedd6fcb816e0N.exe

Suspicious behavior: RenamesItself (1 IoC)
  PID   Process
  4536  807ad2661b45960e1d9dedd6fcb816e0N.exe

Suspicious use of UnmapMainImage (1 IoC)
  PID   Process
  2916  807ad2661b45960e1d9dedd6fcb816e0N.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  Description                        PID   Process                                procid_target
  PID 4536 wrote to memory of 2916   4536  807ad2661b45960e1d9dedd6fcb816e0N.exe  91
  PID 4536 wrote to memory of 2916   4536  807ad2661b45960e1d9dedd6fcb816e0N.exe  91
  PID 4536 wrote to memory of 2916   4536  807ad2661b45960e1d9dedd6fcb816e0N.exe  91

Read together: the first instance (4536) opened the NLS\Language key, renamed itself, started a second copy of its own image (2916) and wrote into that child's memory; the child unmapped its main image, was flagged as a dropped executable, and later deleted itself. Both instances crashed and were handed to WerFault.exe.
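The key the sample opens, \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, stores the system language as Windows LANGID strings (four hex digits such as 0409) under the values "Default" and "InstallLanguage". The decoder below is an added example, not code from the Triage report or from the sample, showing what a process learns from that key: the primary language and sublanguage, and from those a likely region. The partial language table is an illustration assumption (extend it from winnt.h LANG_* constants as needed), and read_system_langid() only does anything on Windows; elsewhere it returns None.

```python
import sys
from typing import Dict, Optional, Tuple

# Registry key opened by the sample (transcribed from the report above).
NLS_KEY = r"SYSTEM\ControlSet001\Control\NLS\Language"

# LANGID layout (winnt.h): bits 0-9 = primary language, bits 10-15 = sublanguage.
# Partial map of primary-language IDs, included only for illustration.
PRIMARY_LANGUAGES: Dict[int, str] = {
    0x04: "Chinese", 0x07: "German", 0x09: "English", 0x0A: "Spanish",
    0x0C: "French", 0x19: "Russian", 0x22: "Ukrainian", 0x23: "Belarusian",
    0x3F: "Kazakh",
}


def decode_langid(text: str) -> Optional[Tuple[int, int, str]]:
    """Decode a registry LANGID string such as '0409' into
    (primary id, sublanguage id, primary language name).
    Returns None when the value is not a 1-4 digit hex string."""
    text = text.strip()
    if not (1 <= len(text) <= 4):
        return None
    try:
        langid = int(text, 16)
    except ValueError:
        return None
    primary = langid & 0x3FF   # low 10 bits
    sublang = langid >> 10     # high 6 bits
    name = PRIMARY_LANGUAGES.get(primary, f"unknown(0x{primary:02x})")
    return primary, sublang, name


def read_system_langid(value_name: str = "Default") -> Optional[str]:
    """Read the LANGID string from the same key the sample opened.
    Only meaningful on Windows; on other platforms returns None."""
    if sys.platform != "win32":
        return None
    import winreg  # available on Windows builds of CPython only
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, NLS_KEY) as key:
        value, _value_type = winreg.QueryValueEx(key, value_name)
    return str(value)


if __name__ == "__main__":
    # Constructed inputs: en-US, en-GB and ru-RU LANGIDs.
    for sample in ("0409", "0809", "0419"):
        print(sample, decode_langid(sample))
    live = read_system_langid()
    print("this host:", live, decode_langid(live) if live else "(not Windows)")
```

On the en-us sandbox image used for this run the "Default" value decodes to English with sublanguage 1 (US), which is why a locale-based branch, if the sample has one, would see a US host here.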
Processes

Indentation shows parent/child depth (the report's levels 1, 2 and 3).

PID 4536  C:\Users\Admin\AppData\Local\Temp\807ad2661b45960e1d9dedd6fcb816e0N.exe
          command line: "C:\Users\Admin\AppData\Local\Temp\807ad2661b45960e1d9dedd6fcb816e0N.exe"
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: RenamesItself
          - Suspicious use of WriteProcessMemory
    PID 3896  C:\Windows\SysWOW64\WerFault.exe
              command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4536 -s 344
              - Program crash
    PID 2916  C:\Users\Admin\AppData\Local\Temp\807ad2661b45960e1d9dedd6fcb816e0N.exe
              command line: C:\Users\Admin\AppData\Local\Temp\807ad2661b45960e1d9dedd6fcb816e0N.exe
              - Deletes itself
              - Executes dropped EXE
              - Suspicious use of UnmapMainImage
        PID 3456  C:\Windows\SysWOW64\WerFault.exe
                  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2916 -s 344
                  - Program crash
        PID 2456  C:\Windows\SysWOW64\WerFault.exe
                  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2916 -s 384
                  - Program crash

PID 708   C:\Windows\SysWOW64\WerFault.exe
          command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4536 -ip 4536
PID 1744  C:\Windows\SysWOW64\WerFault.exe
          command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2916 -ip 2916
PID 4144  C:\Windows\SysWOW64\WerFault.exe
          command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2916 -ip 2916

The three top-level WerFault.exe -pss entries name the same two crashed PIDs (4536 and 2916) through their -p/-ip switches; the -u entries are the ones the report attributes to each crashed process directly.
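To make the tree and signature tables above checkable rather than just readable, the following added example (not Triage's code; every PID, command line and signature is transcribed from this page) rebuilds the tree, ties each WerFault.exe instance to the PID named by its -p switch, and flags the parent/child pair in which a process spawned a copy of its own image, wrote into it (WriteProcessMemory) and the child then unmapped its main image (UnmapMainImage). That combination is the shape process hollowing leaves in a sandbox trace; the report shows the shape but not what was written, so the function is named for the shape, not the conclusion. Class and function names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterator, List, Optional, Tuple

SAMPLE = "807ad2661b45960e1d9dedd6fcb816e0N.exe"
SAMPLE_PATH = r"C:\Users\Admin\AppData\Local\Temp" + "\\" + SAMPLE
WERFAULT = r"C:\Windows\SysWOW64\WerFault.exe"


@dataclass
class Proc:
    pid: int
    image: str                 # image basename as the report shows it
    cmdline: str
    parent: Optional[int]      # parent PID, None for top-level tree entries
    sigs: Tuple[str, ...] = () # signature names attached to this process


# Transcribed from the report's process tree and signature tables above.
TREE: List[Proc] = [
    Proc(4536, SAMPLE, f'"{SAMPLE_PATH}"', None,
         ("System Language Discovery", "RenamesItself", "WriteProcessMemory")),
    Proc(3896, "WerFault.exe", f"{WERFAULT} -u -p 4536 -s 344", 4536, ("Program crash",)),
    Proc(2916, SAMPLE, SAMPLE_PATH, 4536,
         ("Deletes itself", "Executes dropped EXE", "UnmapMainImage")),
    Proc(3456, "WerFault.exe", f"{WERFAULT} -u -p 2916 -s 344", 2916, ("Program crash",)),
    Proc(2456, "WerFault.exe", f"{WERFAULT} -u -p 2916 -s 384", 2916, ("Program crash",)),
    Proc(708,  "WerFault.exe", f"{WERFAULT} -pss -s 408 -p 4536 -ip 4536", None),
    Proc(1744, "WerFault.exe", f"{WERFAULT} -pss -s 528 -p 2916 -ip 2916", None),
    Proc(4144, "WerFault.exe", f"{WERFAULT} -pss -s 548 -p 2916 -ip 2916", None),
]

# "-p <pid>" preceded by whitespace, so "-pss" and "-ip" do not match.
_P_FLAG = re.compile(r"(?:^|\s)-p\s+(\d+)")


def werfault_target(cmdline: str) -> Optional[int]:
    """PID named by WerFault's -p switch (present in both the -u and -pss forms)."""
    m = _P_FLAG.search(cmdline)
    return int(m.group(1)) if m else None


def crash_map(tree: List[Proc]) -> Dict[int, List[int]]:
    """Map each crashed PID to the WerFault PIDs launched for it, in report order."""
    out: Dict[int, List[int]] = {}
    for p in tree:
        if p.image.lower() == "werfault.exe":
            target = werfault_target(p.cmdline)
            if target is not None:
                out.setdefault(target, []).append(p.pid)
    return out


def walk(tree: List[Proc], parent: Optional[int] = None, depth: int = 0) -> Iterator[Tuple[int, Proc]]:
    """Depth-first (depth, Proc) pairs, children in report order under their parent."""
    for p in tree:
        if p.parent == parent:
            yield depth, p
            yield from walk(tree, p.pid, depth + 1)


def render(tree: List[Proc]) -> str:
    """Indented text tree, one line per process, signatures in brackets."""
    lines = []
    for depth, p in walk(tree):
        flags = f"  [{', '.join(p.sigs)}]" if p.sigs else ""
        lines.append(f"{'    ' * depth}PID {p.pid}: {p.cmdline}{flags}")
    return "\n".join(lines)


def hollowing_shaped_pairs(tree: List[Proc]) -> List[Tuple[int, int]]:
    """(parent, child) PIDs where a process spawned its own image, the parent
    wrote into the child, and the child unmapped its main image."""
    by_pid = {p.pid: p for p in tree}
    hits = []
    for child in tree:
        par = by_pid.get(child.parent) if child.parent is not None else None
        if (par is not None and par.image == child.image
                and "WriteProcessMemory" in par.sigs
                and "UnmapMainImage" in child.sigs):
            hits.append((par.pid, child.pid))
    return hits


if __name__ == "__main__":
    print(render(TREE))
    print("crash map:", crash_map(TREE))
    print("hollowing-shaped pairs:", hollowing_shaped_pairs(TREE))
```

The same three functions work on any tree transcribed in this form; the parent/child, same-image, WriteProcessMemory plus UnmapMainImage test is the part worth keeping as a triage rule, with the "Deletes itself" and "Executes dropped EXE" flags on the child as corroboration rather than a requirement.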
Network
MITRE ATT&CK Enterprise v15
Downloads

File available from this analysis (the report gives no path or origin for it; it has the same reported size as the submitted sample but different hashes):
Filesize:  1.2MB
MD5:       feb3eb90d3f767eb5fc1ba3b149b5b98
SHA1:      be8f0c8344cc1d2095d07b72ca3821cd9a67d1a1
SHA256:    45c630223d391962c56982265fe1757b9206e59c9f8265e06d3b96c8675afb58
SHA512:    8cce74230215a3bce052d9f22ca18f0cefcaa11323b9a7d5b58cbda7d9c59cf046c35aad8d488b20e6e3aa73a866f6f8b32d2de0c92a19e633dd7f672bd21b65