Analysis
- max time kernel: 114s
- max time network: 119s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29/08/2024, 02:05
Static task: static1
Behavioral task: behavioral1
- Sample: eaeb5c2f0677f894599fa646ff16cec0N.exe
- Resource: win7-20240704-en
Behavioral task: behavioral2
- Sample: eaeb5c2f0677f894599fa646ff16cec0N.exe
- Resource: win10v2004-20240802-en
General
- Target: eaeb5c2f0677f894599fa646ff16cec0N.exe
- Size: 274KB
- MD5: eaeb5c2f0677f894599fa646ff16cec0
- SHA1: f77790fbf4802887f18c0f59f36a509427e84d3c
- SHA256: e093dacb75be02aee0a16734ea51516745b7ad3d763a883fc7cd7ea7b628e6c2
- SHA512: 75b6ada4ef3010fd966242bea26cdaca2cf2045b79a98105dbd89e32ce23872c0f099d59f388b6b676ea145b2904f50a5dcd96e4024f31cb89527cf0433abf4c
- SSDEEP: 6144:TzevND5hKqfWE4d1FzdlqpZtypIprdqYJslu0xfsLP:feDhXWld1Irvr4Xluufm
Malware Config
Signatures
- Deletes itself (1 IoCs)
  pid   Process
  3760  eaeb5c2f0677f894599fa646ff16cec0N.exe
- Executes dropped EXE (1 IoCs)
  pid   Process
  3760  eaeb5c2f0677f894599fa646ff16cec0N.exe
- Program crash (3 IoCs)
  pid   pid_target  Process       procid_target
  5116  4520        WerFault.exe  90
  2260  3760        WerFault.exe  98
  3536  3760        WerFault.exe  98
- System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  eaeb5c2f0677f894599fa646ff16cec0N.exe
- Suspicious behavior: RenamesItself (1 IoCs)
  pid   Process
  4520  eaeb5c2f0677f894599fa646ff16cec0N.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description                       pid   Process                                procid_target
  PID 4520 wrote to memory of 3760  4520  eaeb5c2f0677f894599fa646ff16cec0N.exe  98
  PID 4520 wrote to memory of 3760  4520  eaeb5c2f0677f894599fa646ff16cec0N.exe  98
  PID 4520 wrote to memory of 3760  4520  eaeb5c2f0677f894599fa646ff16cec0N.exe  98
Processes
- C:\Users\Admin\AppData\Local\Temp\eaeb5c2f0677f894599fa646ff16cec0N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\eaeb5c2f0677f894599fa646ff16cec0N.exe"
  PID: 4520
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4520 -s 404
    PID: 5116
    - Program crash
  - C:\Users\Admin\AppData\Local\Temp\eaeb5c2f0677f894599fa646ff16cec0N.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\eaeb5c2f0677f894599fa646ff16cec0N.exe
    PID: 3760
    - Deletes itself
    - Executes dropped EXE
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3760 -s 368
      PID: 2260
      - Program crash
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3760 -s 164
      PID: 3536
      - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4520 -ip 4520
  PID: 2296
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3760 -ip 3760
  PID: 4812
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3760 -ip 3760
  PID: 4816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4152,i,3387628439405076340,17957358341235678872,262144 --variations-seed-version --mojo-platform-channel-handle=4180 /prefetch:8
  PID: 3220
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 274KB
  MD5: 45bc01b61839c4234775290b93583839
  SHA1: ca0c459ff2866afe4014aedeb17ffe7cd1028dec
  SHA256: 645d4e0e03e5a7601b6f0989851ed2da59d4681d09f70b39794c92926e2d6fa3
  SHA512: bcd0868d16971899690d83487a91f87c7dec22aace7672ae1cd78f7d42786907c875cd72807081559d6b491ee956426f45476c688d846dad684151866a201f04