Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    97s
  • max time network
    98s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05/09/2024, 20:20

General

  • Target

    855c2109b17c86741a2efbb08a3ffa30N.exe

  • Size

    349KB

  • MD5

    855c2109b17c86741a2efbb08a3ffa30

  • SHA1

    6519929da8262243725819873356ed3f22434f5b

  • SHA256

    6052c88fc0e8c7e0f576331f0fd54fe022bf7ddf623bcfd08f6724f68b5b568e

  • SHA512

    45c6467f92052c0227b7e0f81987624212f0acf59185f4282e8f6a1b6d36a7924fef96dab0d869f1f9e440a9348bf528e9a53a7752972100d34460856bf0e774

  • SSDEEP

    6144:zVTQqSiexKAK4y6UvcZSeNH49qQQOH+ym4LLIoTqHSMaxzL:lSiOK4yjNQOGzoTCSMG

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Modifies WinLogon 2 TTPs 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\855c2109b17c86741a2efbb08a3ffa30N.exe
    "C:\Users\Admin\AppData\Local\Temp\855c2109b17c86741a2efbb08a3ffa30N.exe"
    1⤵
    • Modifies WinLogon
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:4260
    • C:\Windows\apppatch\svchost.exe
      "C:\Windows\apppatch\svchost.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Executes dropped EXE
      • Modifies WinLogon
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3612
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3612 -s 828
        3⤵
        • Program crash
        PID:3340
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3612 -ip 3612
    1⤵
      PID:2476

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\apppatch\svchost.exe

      Filesize

      349KB

      MD5

      8098658aeafe98207119fa74e8795c36

      SHA1

      5d31829c1b5d588eefb04514f5a7477442c72b94

      SHA256

      fd87363cffe89ce0ff1eb556396f89b4a4afa92ed85630a7d9af3e336434de8b

      SHA512

      d50304c111f8889d26e0ae053b8d156a32de28181d6c92ad488fabe26cd789816fddffc0575f06163bc0d9f8e8fb53c143f42b82f7fea4714598afe3f4059b8f

    • memory/3612-10-0x0000000003600000-0x000000000364A000-memory.dmp

      Filesize

      296KB

    • memory/3612-13-0x0000000003790000-0x00000000037E8000-memory.dmp

      Filesize

      352KB

    • memory/3612-14-0x0000000003790000-0x00000000037E8000-memory.dmp

      Filesize

      352KB

    • memory/3612-16-0x0000000003790000-0x00000000037E8000-memory.dmp

      Filesize

      352KB

    • memory/3612-25-0x0000000003790000-0x00000000037E8000-memory.dmp

      Filesize

      352KB

    • memory/4260-8-0x00000000009A0000-0x0000000000A09000-memory.dmp

      Filesize

      420KB