Overview
Score: 10
Static (static): 3
0343f7d982...0N.exe (windows7-x64): 10
0343f7d982...0N.exe (windows10-2004-x64): 7
$PLUGINSDI...em.dll (windows7-x64): 3
$PLUGINSDI...em.dll (windows10-2004-x64): 3
$PLUGINSDI...ec.dll (windows7-x64): 3
$PLUGINSDI...ec.dll (windows10-2004-x64): 3
NBProjects...in.exe (windows7-x64): 7
NBProjects...in.exe (windows10-2004-x64): 7

Analysis
max time kernel: 115s
max time network: 120s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26/08/2024, 16:02
Tasks
Static task static1
Behavioral task behavioral1: sample 0343f7d9824f51e45c9cc6ffbe4a1c20N.exe, resource win7-20240729-en
Behavioral task behavioral2: sample 0343f7d9824f51e45c9cc6ffbe4a1c20N.exe, resource win10v2004-20240802-en
Behavioral task behavioral3: sample $PLUGINSDIR/System.dll, resource win7-20240708-en
Behavioral task behavioral4: sample $PLUGINSDIR/System.dll, resource win10v2004-20240802-en
Behavioral task behavioral5: sample $PLUGINSDIR/nsExec.dll, resource win7-20240729-en
Behavioral task behavioral6: sample $PLUGINSDIR/nsExec.dll, resource win10v2004-20240802-en
Behavioral task behavioral7: sample NBProjects/ParticleFirmware/nbproject/private/uninstall-particle-toolchain.exe, resource win7-20240705-en
Behavioral task behavioral8: sample NBProjects/ParticleFirmware/nbproject/private/uninstall-particle-toolchain.exe, resource win10v2004-20240802-en
General
Target: 0343f7d9824f51e45c9cc6ffbe4a1c20N.exe
Size: 212KB
MD5: 0343f7d9824f51e45c9cc6ffbe4a1c20
SHA1: 81ea1a3648e3b9d4903398502cc5ac8fbd0a843a
SHA256: 915e637e9e56872ab8f1318ea2aa2434c5161cd6bf289076ebecac66db6bd25b
SHA512: 83c21afce52224b8b70be568e7bc6d90a4539984c627979bf7a1d172396e054496dd981ac95b0e8b0332467e9214188929974ec49fd5068f2f3b91e9f5e6b2e3
SSDEEP: 3072:jLk395hYXJLM/6tdrHF3AHEAHVxd/Y/6fV4xRrB9sTQt4Ge9tBBTWw0vlT4H7n+B:jQqqWQkAHJX4XYkY9Pow0vlT4+B
Malware Config
Signatures
Loads dropped DLL (2 IoCs)
  pid   Process
  4572  0343f7d9824f51e45c9cc6ffbe4a1c20N.exe
  4572  0343f7d9824f51e45c9cc6ffbe4a1c20N.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Program crash (1 IoC)
  pid   pid_target  Process       procid_target
  2172  4572        WerFault.exe  83
System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  0343f7d9824f51e45c9cc6ffbe4a1c20N.exe
Suspicious use of WriteProcessMemory (3 IoCs)
  description                       pid   Process                                procid_target
  PID 4572 wrote to memory of 4384  4572  0343f7d9824f51e45c9cc6ffbe4a1c20N.exe  87
  PID 4572 wrote to memory of 4384  4572  0343f7d9824f51e45c9cc6ffbe4a1c20N.exe  87
  PID 4572 wrote to memory of 4384  4572  0343f7d9824f51e45c9cc6ffbe4a1c20N.exe  87
Processes
1. C:\Users\Admin\AppData\Local\Temp\0343f7d9824f51e45c9cc6ffbe4a1c20N.exe (PID 4572)
   Command line: "C:\Users\Admin\AppData\Local\Temp\0343f7d9824f51e45c9cc6ffbe4a1c20N.exe"
   Signatures: Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\0343f7d9824f51e45c9cc6ffbe4a1c20N.exe (PID 4384)
      Command line: "C:\Users\Admin\AppData\Local\Temp\0343f7d9824f51e45c9cc6ffbe4a1c20N.exe"
   2. C:\Windows\SysWOW64\WerFault.exe (PID 2172)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4572 -s 852
      Signatures: Program crash
1. C:\Windows\SysWOW64\WerFault.exe (PID 2976)
   Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4572 -ip 4572
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 11KB
MD5: c17103ae9072a06da581dec998343fc1
SHA1: b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256: dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512: d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f