Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis

max time kernel: 114s
max time network: 121s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/08/2024, 03:43
Behavioral task: behavioral1
Sample: bfbfe960dfeffb9aa7cfec1b128e30b0N.exe
Resource: win7-20240708-en
General

Target: bfbfe960dfeffb9aa7cfec1b128e30b0N.exe
Size: 3.2MB
MD5: bfbfe960dfeffb9aa7cfec1b128e30b0
SHA1: 254398ed17d2284d750063c49335778a3ee77385
SHA256: 33dcb0b45f9436820dbff1971adb927424d47f5bda4c4501173687845c660571
SHA512: b372c54281316a581d709171f2307752b22a516d61473d9bbf549d7de48d142b9abb7a5edd1ea4a97139210aa7f3d5b0c0d7b33970efd6ea699ec74cb04aef73
SSDEEP: 98304:ghEE1s5+kcakcNGkwhgjtncakcZJ1JQeF6WMBcakcNGkwhgjtncakcO:g/1s9dlNGkwhgjldlZJ1CeL2dlNGkwhz
Malware Config
Signatures

Deletes itself (1 IoCs)
pid   Process
2076  bfbfe960dfeffb9aa7cfec1b128e30b0N.exe

Executes dropped EXE (1 IoCs)
pid   Process
2076  bfbfe960dfeffb9aa7cfec1b128e30b0N.exe
resource                                                                     yara_rule
behavioral2/memory/4300-0-0x0000000000400000-0x000000000065C000-memory.dmp   upx
behavioral2/files/0x00080000000235e9-12.dat                                  upx
behavioral2/memory/2076-14-0x0000000000400000-0x000000000065C000-memory.dmp  upx
Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 1 IoCs)
flow  ioc
20    pastebin.com
Program crash (18 IoCs)
pid   pid_target  Process       procid_target
4548  2076        WerFault.exe  92
3632  2076        WerFault.exe  92
4288  2076        WerFault.exe  92
1680  2076        WerFault.exe  92
3860  2076        WerFault.exe  92
644   2076        WerFault.exe  92
2944  2076        WerFault.exe  92
5068  2076        WerFault.exe  92
3340  2076        WerFault.exe  92
4436  2076        WerFault.exe  92
1772  2076        WerFault.exe  92
3560  2076        WerFault.exe  92
4820  2076        WerFault.exe  92
644   2076        WerFault.exe  92
4484  2076        WerFault.exe  92
4332  2076        WerFault.exe  92
4408  2076        WerFault.exe  92
3240  2076        WerFault.exe  92
System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  bfbfe960dfeffb9aa7cfec1b128e30b0N.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  bfbfe960dfeffb9aa7cfec1b128e30b0N.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  schtasks.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  schtasks.exe
Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid   Process
4884  schtasks.exe
Suspicious behavior: RenamesItself (1 IoCs)
pid   Process
4300  bfbfe960dfeffb9aa7cfec1b128e30b0N.exe

Suspicious use of UnmapMainImage (2 IoCs)
pid   Process
4300  bfbfe960dfeffb9aa7cfec1b128e30b0N.exe
2076  bfbfe960dfeffb9aa7cfec1b128e30b0N.exe

Suspicious use of WriteProcessMemory (12 IoCs)
description                       pid   Process                                procid_target
PID 4300 wrote to memory of 2076  4300  bfbfe960dfeffb9aa7cfec1b128e30b0N.exe  92
PID 4300 wrote to memory of 2076  4300  bfbfe960dfeffb9aa7cfec1b128e30b0N.exe  92
PID 4300 wrote to memory of 2076  4300  bfbfe960dfeffb9aa7cfec1b128e30b0N.exe  92
PID 2076 wrote to memory of 4884  2076  bfbfe960dfeffb9aa7cfec1b128e30b0N.exe  93
PID 2076 wrote to memory of 4884  2076  bfbfe960dfeffb9aa7cfec1b128e30b0N.exe  93
PID 2076 wrote to memory of 4884  2076  bfbfe960dfeffb9aa7cfec1b128e30b0N.exe  93
PID 2076 wrote to memory of 696   2076  bfbfe960dfeffb9aa7cfec1b128e30b0N.exe  95
PID 2076 wrote to memory of 696   2076  bfbfe960dfeffb9aa7cfec1b128e30b0N.exe  95
PID 2076 wrote to memory of 696   2076  bfbfe960dfeffb9aa7cfec1b128e30b0N.exe  95
PID 696 wrote to memory of 532    696   cmd.exe                                98
PID 696 wrote to memory of 532    696   cmd.exe                                98
PID 696 wrote to memory of 532    696   cmd.exe                                98
Processes
(indented entries are child processes of the entry above them)

C:\Users\Admin\AppData\Local\Temp\bfbfe960dfeffb9aa7cfec1b128e30b0N.exe (PID:4300)
    Command line: "C:\Users\Admin\AppData\Local\Temp\bfbfe960dfeffb9aa7cfec1b128e30b0N.exe"
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: RenamesItself
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\bfbfe960dfeffb9aa7cfec1b128e30b0N.exe (PID:2076)
        Command line: C:\Users\Admin\AppData\Local\Temp\bfbfe960dfeffb9aa7cfec1b128e30b0N.exe
        - Deletes itself
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of UnmapMainImage
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\schtasks.exe (PID:4884)
            Command line: schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\bfbfe960dfeffb9aa7cfec1b128e30b0N.exe" /TN PlZ5iuCabcb4 /F
            - System Location Discovery: System Language Discovery
            - Scheduled Task/Job: Scheduled Task
        C:\Windows\SysWOW64\cmd.exe (PID:696)
            Command line: cmd.exe /c schtasks.exe /Query /XML /TN PlZ5iuCabcb4 > C:\Users\Admin\AppData\Local\Temp\PQl8CqQ.xml
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\schtasks.exe (PID:532)
                Command line: schtasks.exe /Query /XML /TN PlZ5iuCabcb4
                - System Location Discovery: System Language Discovery
        C:\Windows\SysWOW64\WerFault.exe (PID:4548)
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2076 -s 616
            - Program crash
        C:\Windows\SysWOW64\WerFault.exe (PID:3632)
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2076 -s 632
            - Program crash
        C:\Windows\SysWOW64\WerFault.exe (PID:4288)
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2076 -s 716
            - Program crash
        C:\Windows\SysWOW64\WerFault.exe (PID:1680)
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2076 -s 640
            - Program crash
        C:\Windows\SysWOW64\WerFault.exe (PID:3860)
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2076 -s 640
            - Program crash
        C:\Windows\SysWOW64\WerFault.exe (PID:644)
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2076 -s 780
            - Program crash
        C:\Windows\SysWOW64\WerFault.exe (PID:2944)
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2076 -s 1488
            - Program crash
        C:\Windows\SysWOW64\WerFault.exe (PID:5068)
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2076 -s 1536
            - Program crash
        C:\Windows\SysWOW64\WerFault.exe (PID:3340)
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2076 -s 1728
            - Program crash
        C:\Windows\SysWOW64\WerFault.exe (PID:4436)
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2076 -s 1392
            - Program crash
        C:\Windows\SysWOW64\WerFault.exe (PID:1772)
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2076 -s 1540
            - Program crash
        C:\Windows\SysWOW64\WerFault.exe (PID:3560)
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2076 -s 1576
            - Program crash
        C:\Windows\SysWOW64\WerFault.exe (PID:4820)
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2076 -s 1592
            - Program crash
        C:\Windows\SysWOW64\WerFault.exe (PID:644)
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2076 -s 1844
            - Program crash
        C:\Windows\SysWOW64\WerFault.exe (PID:4484)
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2076 -s 1856
            - Program crash
        C:\Windows\SysWOW64\WerFault.exe (PID:4332)
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2076 -s 1848
            - Program crash
        C:\Windows\SysWOW64\WerFault.exe (PID:4408)
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2076 -s 1560
            - Program crash
        C:\Windows\SysWOW64\WerFault.exe (PID:3240)
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2076 -s 1828
            - Program crash

C:\Windows\SysWOW64\WerFault.exe (PID:4744)
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2076 -ip 2076

C:\Windows\SysWOW64\WerFault.exe (PID:4400)
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2076 -ip 2076

C:\Windows\SysWOW64\WerFault.exe (PID:3048)
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2076 -ip 2076

C:\Windows\SysWOW64\WerFault.exe (PID:4024)
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2076 -ip 2076

C:\Windows\SysWOW64\WerFault.exe (PID:2948)
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2076 -ip 2076

C:\Windows\SysWOW64\WerFault.exe (PID:4068)
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2076 -ip 2076

C:\Windows\SysWOW64\WerFault.exe (PID:4328)
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2076 -ip 2076

C:\Windows\SysWOW64\WerFault.exe (PID:3452)
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2076 -ip 2076

C:\Windows\SysWOW64\WerFault.exe (PID:4536)
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2076 -ip 2076

C:\Windows\SysWOW64\WerFault.exe (PID:2912)
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2076 -ip 2076

C:\Windows\SysWOW64\WerFault.exe (PID:4920)
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2076 -ip 2076

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID:3048)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3976,i,9445584274764997943,12714240264001792460,262144 --variations-seed-version --mojo-platform-channel-handle=4112 /prefetch:8

C:\Windows\SysWOW64\WerFault.exe (PID:4376)
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2076 -ip 2076

C:\Windows\SysWOW64\WerFault.exe (PID:1680)
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2076 -ip 2076

C:\Windows\SysWOW64\WerFault.exe (PID:2360)
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2076 -ip 2076

C:\Windows\SysWOW64\WerFault.exe (PID:4328)
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2076 -ip 2076

C:\Windows\SysWOW64\WerFault.exe (PID:3176)
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 2076 -ip 2076

C:\Windows\SysWOW64\WerFault.exe (PID:2388)
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2076 -ip 2076

C:\Windows\SysWOW64\WerFault.exe (PID:1680)
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 2076 -ip 2076
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1KB
MD5: e4744517e28283342de0e467dc2ab699
SHA1: 2e469cb3baad53daccdc17dcf040fac2de6af226
SHA256: d6077a20423b23f637bcc9b630da67a6abc3302611739c7f1388548e1c60285c
SHA512: e8e19b786aacc6b6919eab799ac95795aaa0ed8c2951ae5436b28242a44036e69a5053c7d3712307d35495fe85e54ea20e941713900123061096b7f53e92d7a4

Filesize: 3.2MB
MD5: 803fd3aac62f73c81750e1e9f5172fb2
SHA1: aeb8751480406f81af1a244d3b3b40a1652f8862
SHA256: a838836e20c44ac4fc02c59dc7b5f993c7c9a9fdd8f94e740fbb8f9e4d95cedb
SHA512: 3f4937b81612c172dc1f59742b92c58eac5d46485c1b682fb033145e402625fbc7bb79dffab7b5de2a52743bde11a60e3304eaf35028445b947bbfa2543b709b