Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
104s -
max time network
119s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
26/08/2024, 07:50
General
-
Target
91781f31eb91b3e2dfb4be773b565f90N.exe
-
Size
2.2MB
-
MD5
91781f31eb91b3e2dfb4be773b565f90
-
SHA1
8b7b44922b905ac32d228fed8d2581321a8ede87
-
SHA256
323d24da8aa4da3b38025eb86fc871b8b48779dfc5c22b590feef3680c7da007
-
SHA512
8b09580e44fad7d75f0591a3c5d8861328bb456808996d17dd526f2d3e1e76ff513fea9e40f0a803930118d0b1e436dfbc047b0ff824bf9118ca80a32d63b564
-
SSDEEP
49152:AcQbYD/jGLnJcN+9zWFULG+aLP6hN5aC67sv/nj0cN+9zWFULG+aLP6hX:AcQbYD/KLnqA9zyULG+aLP25ah7k/jp6
Score
7/10
Malware Config
Signatures
-
Deletes itself 1 IoCs
-
Executes dropped EXE 1 IoCs
-
UPX packed file 3 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs
-
Program crash 19 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: RenamesItself 1 IoCs
-
Suspicious use of UnmapMainImage 2 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\91781f31eb91b3e2dfb4be773b565f90N.exe"C:\Users\Admin\AppData\Local\Temp\91781f31eb91b3e2dfb4be773b565f90N.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\91781f31eb91b3e2dfb4be773b565f90N.exeC:\Users\Admin\AppData\Local\Temp\91781f31eb91b3e2dfb4be773b565f90N.exe2⤵
- Deletes itself
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\91781f31eb91b3e2dfb4be773b565f90N.exe" /TN n3TzfEYb35ee /F3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c schtasks.exe /Query /XML /TN n3TzfEYb35ee > C:\Users\Admin\AppData\Local\Temp\baKEkz.xml3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks.exe /Query /XML /TN n3TzfEYb35ee4⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2436 -s 6043⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2436 -s 6283⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2436 -s 7243⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2436 -s 7283⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2436 -s 7283⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2436 -s 7563⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2436 -s 14723⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2436 -s 15563⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2436 -s 17443⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2436 -s 17083⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2436 -s 15763⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2436 -s 15523⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2436 -s 17523⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2436 -s 16003⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2436 -s 17283⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2436 -s 18243⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2436 -s 18683⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2436 -s 18203⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2436 -s 16163⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2436 -ip 24361⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2436 -ip 24361⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2436 -ip 24361⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2436 -ip 24361⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2436 -ip 24361⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2436 -ip 24361⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 176 -p 2436 -ip 24361⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2436 -ip 24361⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2436 -ip 24361⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2436 -ip 24361⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2436 -ip 24361⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2436 -ip 24361⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2436 -ip 24361⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2436 -ip 24361⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2436 -ip 24361⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2436 -ip 24361⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2436 -ip 24361⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2436 -ip 24361⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2436 -ip 24361⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.2MB
MD5ff87ae862bd9bbf5233f1cee992937c4
SHA10aaa78b887a63fd68bfd49aabb22e0060eddf70b
SHA256ec9051a1395b6dc4f2f6e9393bf92f071317e650346d3b002995e0d04262008e
SHA512cd8065cb1439a38f845e3ef3ed39e670e1b4537719429ff5d61f8ed87e8d3196c8c3e2638935c76d06c51339a8581074b85a90686ece3f16d8b5c2a07bba19f9
-
Filesize
1KB
MD5dbb7c2288be8751aa8af3c6a4144d2c3
SHA15539a5fd632ec4a25d0f942ac1e1a02b454b8692
SHA25633202b9fc11baa526cd2cd01f728c23ef6d7db9a1f437ffb8d608d76965cec2a
SHA5122ea1b8f948a4ab2aaa4757527533b62177f7fdeb1a916a711439c98463dbc92e06beb77f82d79d92b0865d28e9e1277fa4df8a2a8d9d823f6c16435159202faf
-
Filesize
2.4MB
-
Filesize
428KB
-
Filesize
504KB
-
Filesize
428KB
-
Filesize
2.4MB
-
Filesize
504KB
-
Filesize
428KB
-
Filesize
364KB
-
Filesize
2.4MB