Analysis

max time kernel: 84s
max time network: 85s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/09/2024, 07:05
Static task: static1

Behavioral task: behavioral1
  Sample: c7d3fae26ae7c53f78f285b1b2695e60N.exe
  Resource: win7-20240708-en

Behavioral task: behavioral2
  Sample: c7d3fae26ae7c53f78f285b1b2695e60N.exe
  Resource: win10v2004-20240802-en
General

Target: c7d3fae26ae7c53f78f285b1b2695e60N.exe
Size: 7.5MB
MD5: c7d3fae26ae7c53f78f285b1b2695e60
SHA1: a25a044cfe217629690f39d192a97fec94ae347a
SHA256: c359491dff64ae8fa7a05345834b1f168021de68c7ab582066281f37424fda63
SHA512: 80ff7ee43da2d9809ca34916039283cc4cca711c646f26ba5ef3b263b18b2d6e25df2148a254c4580277936e3cb86db6b874878edf1cb5b72c5b97867028ca85
SSDEEP: 768:LyNovA586VA/H/pAcbVugAFBbadjHO+yav9Hps61Ja:L7t5ZbVug2Fada+y0BpbDa
Malware Config
Signatures

Executes dropped EXE (1 IoC)
  PID   Process
  3740  ICWCONN1.EXE

Drops file in Program Files directory (2 IoCs)
  Description                   IoC                                            Process
  File created                  C:\PROGRAM FILES\ONLINE SERVICES\ICWCONN1.EXE  c7d3fae26ae7c53f78f285b1b2695e60N.exe
  File opened for modification  C:\PROGRAM FILES\ONLINE SERVICES\ICWCONN1.EXE  c7d3fae26ae7c53f78f285b1b2695e60N.exe

Program crash (1 IoC)
  PID   pid_target  Process       procid_target
  4204  3740        WerFault.exe  85
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim host in order to infer that host's geographical location.
  Description  IoC                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  c7d3fae26ae7c53f78f285b1b2695e60N.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ICWCONN1.EXE
Suspicious use of WriteProcessMemory (3 IoCs)
  Description                       PID   Process                                procid_target
  PID 4556 wrote to memory of 3740  4556  c7d3fae26ae7c53f78f285b1b2695e60N.exe  85
  PID 4556 wrote to memory of 3740  4556  c7d3fae26ae7c53f78f285b1b2695e60N.exe  85
  PID 4556 wrote to memory of 3740  4556  c7d3fae26ae7c53f78f285b1b2695e60N.exe  85
Processes

C:\Users\Admin\AppData\Local\Temp\c7d3fae26ae7c53f78f285b1b2695e60N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c7d3fae26ae7c53f78f285b1b2695e60N.exe"
  PID: 4556
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\PROGRAM FILES\ONLINE SERVICES\ICWCONN1.EXE
    Command line: "C:\PROGRAM FILES\ONLINE SERVICES\ICWCONN1.EXE" C:\USERS\ADMIN\APPDATA\LOCAL\TEMP\C7D3FAE26AE7C53F78F285B1B2695E60N.EXE
    PID: 3740
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3740 -s 416
      PID: 4204
      - Program crash

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3740 -ip 3740
  PID: 4172
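The signatures and the process tree above describe one chain: a sample running from the user's Temp directory writes ICWCONN1.EXE under Program Files, launches it with its own path as the argument, both binaries open the NLS\Language key, and the dropped child is then crashed (WerFault.exe -p 3740 under PID 3740). The following is an added example, not code from tria.ge or the Triage sandbox, that replays that chain over a constructed Sysmon-style event timeline and emits the same four findings. The event shape (kind/pid/ppid/image/cmd/path/key) and the placeholder parent PID 1000 are assumptions made to keep the example self-contained; the paths and PIDs are the ones in the report.

```python
"""Behaviour chain from the tria.ge report above, replayed over constructed
Sysmon-style events. Added example; not code from tria.ge or the Triage sandbox.
The event shape (kind/pid/ppid/image/cmd/path/key) is an assumption made to keep
the example self-contained; a real Sysmon export carries more fields."""
import re
from collections import defaultdict

# Paths and PIDs copied from the report; the parent PID 1000 for the two
# top-level processes is a made-up placeholder (the report does not show it).
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\c7d3fae26ae7c53f78f285b1b2695e60N.exe"
DROPPED = r"C:\PROGRAM FILES\ONLINE SERVICES\ICWCONN1.EXE"
WERFAULT = r"C:\Windows\SysWOW64\WerFault.exe"
NLS_KEY = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"

# Constructed timeline. kind: proc = process create, file = file create,
# reg = registry key opened.
EVENTS = [
    {"kind": "proc", "pid": 4556, "ppid": 1000, "image": SAMPLE, "cmd": f'"{SAMPLE}"'},
    {"kind": "file", "pid": 4556, "path": DROPPED},
    {"kind": "reg", "pid": 4556, "key": NLS_KEY},
    {"kind": "proc", "pid": 3740, "ppid": 4556, "image": DROPPED,
     "cmd": f'"{DROPPED}" {SAMPLE.upper()}'},
    {"kind": "reg", "pid": 3740, "key": NLS_KEY},
    {"kind": "proc", "pid": 4204, "ppid": 3740, "image": WERFAULT,
     "cmd": f"{WERFAULT} -u -p 3740 -s 416"},
    {"kind": "proc", "pid": 4172, "ppid": 1000, "image": WERFAULT,
     "cmd": f"{WERFAULT} -pss -s 408 -p 3740 -ip 3740"},
]

# WerFault.exe names the faulting process with "-p <pid>"; "-pss" must not match.
WERFAULT_TARGET = re.compile(r"(?:^|\s)-p\s+(\d+)")


def norm(path):
    """Windows paths are case-insensitive; compare them case-folded."""
    return path.casefold()


def build_images(events):
    """pid -> image path, from process-create events."""
    return {ev["pid"]: ev["image"] for ev in events if ev["kind"] == "proc"}


def find_dropped_executions(events):
    """pid -> image for every process whose image was written by its own parent
    earlier in the timeline (the 'Executes dropped EXE' signature)."""
    created = defaultdict(set)
    dropped = {}
    for ev in events:
        if ev["kind"] == "file":
            created[ev["pid"]].add(norm(ev["path"]))
        elif ev["kind"] == "proc" and norm(ev["image"]) in created[ev["ppid"]]:
            dropped[ev["pid"]] = ev["image"]
    return dropped


def analyse(events):
    """Return (rule, pid, detail) tuples for the four behaviours in the report."""
    images = build_images(events)
    dropped = find_dropped_executions(events)
    findings = []
    for ev in events:
        if ev["kind"] == "file":
            path, writer = norm(ev["path"]), norm(images.get(ev["pid"], ""))
            # A %TEMP%-resident process writing an .exe under Program Files.
            if (path.startswith(r"c:\program files") and path.endswith(".exe")
                    and r"\appdata\local\temp" in writer):
                findings.append(("temp_process_drops_exe_in_program_files", ev["pid"], ev["path"]))
        elif ev["kind"] == "proc":
            if ev["pid"] in dropped:
                findings.append(("executes_dropped_exe", ev["pid"], ev["image"]))
            # Only the WerFault instance spawned by the crashing process itself is
            # counted, so the WER service-side "-pss" instance does not double-report.
            if norm(ev["image"]).endswith(r"\werfault.exe"):
                m = WERFAULT_TARGET.search(ev["cmd"])
                if m and int(m.group(1)) == ev["ppid"] and ev["ppid"] in dropped:
                    findings.append(("dropped_exe_crashed", ev["ppid"], dropped[ev["ppid"]]))
        elif ev["kind"] == "reg" and norm(ev["key"]).endswith(r"\nls\language"):
            # T1614.001 System Language Discovery via the NLS\Language key.
            findings.append(("system_language_discovery", ev["pid"], images.get(ev["pid"], "?")))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in analyse(EVENTS):
        print(f"{rule:<42} pid={pid:<5} {detail}")
```

The crash rule deliberately ties the WerFault instance to its parent rather than to any "-p <pid>" argument: the report shows two WerFault.exe processes naming PID 3740, but only the one spawned under ICWCONN1.EXE is the fault report for it, which is why the page counts a single "Program crash" IoC. The three WriteProcessMemory IoCs are not modelled here because the constructed timeline carries no memory-write events.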
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 15.0MB
MD5: 06353afd9545a4cafbe2f1de890a36a8
SHA1: f0d4b570852db994ac2617c32c174ab74dfcef89
SHA256: 6b6c0eeba7fa76f7f054523c85b0921117e2e6088f6525e0d5cbc9c9d97e0352
SHA512: dd33d3b0bdfe94b9f509f5f1c295029aaa0e91d3589675ef3cb28a730a79a2483e325cb05994d421d55711519ba0e6ac407a60aadc6465c5130082c85af5fd1d