Analysis
- max time kernel: 97s
- max time network: 99s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06/09/2024, 06:04
Static task: static1
Behavioral task: behavioral1
- Sample: 87ca1f20008c059dad9a11dac796f880N.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: 87ca1f20008c059dad9a11dac796f880N.exe
- Resource: win10v2004-20240802-en
General
- Target: 87ca1f20008c059dad9a11dac796f880N.exe
- Size: 268KB
- MD5: 87ca1f20008c059dad9a11dac796f880
- SHA1: d74b4a3c65100297f479dcafa719160625084180
- SHA256: 90afea750965d4cf4417e85f801484f26dd2b019a48c036442f1024d9c106627
- SHA512: 22d9735d07ad99dbe35cb5175c102201f691a3a08516dc808784cf5503ae32449230a278b3ef7d72b64b53a5a50fb8508638a047630520d460a4592f94f4cb65
- SSDEEP: 6144:OE7ajqCr7i0fYl4KLTQWA4VRfLM34Tb6wHiAUgP4/Q+t24RIngW4:OHiH5bMxynp4
Malware Config
Signatures
- Deletes itself (1 IoC)
  pid 4952, process 87ca1f20008c059dad9a11dac796f880N.exe
- Executes dropped EXE (1 IoC)
  pid 4952, process 87ca1f20008c059dad9a11dac796f880N.exe
- Program crash (2 IoCs)
  pid 2400, pid_target 5012, process WerFault.exe, procid_target 84
  pid 4636, pid_target 4952, process WerFault.exe, procid_target 92
- System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, process 87ca1f20008c059dad9a11dac796f880N.exe
- Suspicious behavior: RenamesItself (1 IoC)
  pid 5012, process 87ca1f20008c059dad9a11dac796f880N.exe
- Suspicious use of UnmapMainImage (1 IoC)
  pid 4952, process 87ca1f20008c059dad9a11dac796f880N.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  PID 5012 wrote to memory of 4952, process 87ca1f20008c059dad9a11dac796f880N.exe, procid_target 92 (the same event is recorded three times)
Processes
- C:\Users\Admin\AppData\Local\Temp\87ca1f20008c059dad9a11dac796f880N.exe (PID 5012)
  Command line: "C:\Users\Admin\AppData\Local\Temp\87ca1f20008c059dad9a11dac796f880N.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WerFault.exe (PID 2400)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5012 -s 396
    - Program crash
  - C:\Users\Admin\AppData\Local\Temp\87ca1f20008c059dad9a11dac796f880N.exe (PID 4952)
    Command line: C:\Users\Admin\AppData\Local\Temp\87ca1f20008c059dad9a11dac796f880N.exe
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of UnmapMainImage
    - C:\Windows\SysWOW64\WerFault.exe (PID 4636)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4952 -s 364
      - Program crash
- C:\Windows\SysWOW64\WerFault.exe (PID 3196)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 5012 -ip 5012
- C:\Windows\SysWOW64\WerFault.exe (PID 4556)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4952 -ip 4952
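The signature hits and the process tree above tell one story when read together: PID 5012 renames itself, starts a second copy from the same path (PID 4952), writes into that child's memory, the child unmaps its own main image and deletes itself, and both stages are then picked up by WerFault.exe. The script below is an added example, not part of the tria.ge report or of the sample: it encodes those events by hand (constructed from this page, behavioral2 only), re-derives the "parent writes into a child spawned from its own image" pattern with a small rule set, lists the PIDs that crashed, pulls out the NLS\Language registry read (ATT&CK T1614.001, the mapping for that signature name), and checks whether the one file under Downloads is a byte-identical copy of the sample. The Event layout, the rule names and the verdict keys are this script's own assumptions; the report does not state the dropped file's path, so the script only compares its hashes.

```python
"""Re-derive the self-injection story of this tria.ge report from its raw events.

Added example, not part of the tria.ge report or of the sample. EVENTS is built by
hand from the report's process tree and signature hits; the Event layout, the rule
names and the verdict keys are this script's own assumptions.
"""
from dataclasses import dataclass

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\87ca1f20008c059dad9a11dac796f880N.exe"
WERFAULT = r"C:\Windows\SysWOW64\WerFault.exe"
NLS_LANGUAGE_KEY = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"


@dataclass(frozen=True)
class Event:
    kind: str          # spawn | write_memory | unmap_main_image | rename_self | delete_self | reg_open
    pid: int           # acting process
    image: str         # image path of the acting process
    target: int = 0    # child pid (spawn) or victim pid (write_memory)
    detail: str = ""   # child command line (spawn) or registry key (reg_open)


# Constructed from the report (behavioral2, win10v2004): 5012 opens NLS\Language, renames
# itself, spawns 4952 from the same path and writes into it three times; 4952 unmaps its
# main image and deletes itself; WerFault.exe is launched for both PIDs.
EVENTS = [
    Event("reg_open", 5012, SAMPLE, detail=NLS_LANGUAGE_KEY),
    Event("rename_self", 5012, SAMPLE),
    Event("spawn", 5012, SAMPLE, target=4952, detail=SAMPLE),
    Event("write_memory", 5012, SAMPLE, target=4952),
    Event("write_memory", 5012, SAMPLE, target=4952),
    Event("write_memory", 5012, SAMPLE, target=4952),
    Event("unmap_main_image", 4952, SAMPLE),
    Event("delete_self", 4952, SAMPLE),
    Event("spawn", 5012, SAMPLE, target=2400, detail=f"{WERFAULT} -u -p 5012 -s 396"),
    Event("spawn", 4952, SAMPLE, target=4636, detail=f"{WERFAULT} -u -p 4952 -s 364"),
]

# Hashes as printed in the report: submitted sample vs. the single file under Downloads.
SAMPLE_HASHES = {"md5": "87ca1f20008c059dad9a11dac796f880",
                 "sha256": "90afea750965d4cf4417e85f801484f26dd2b019a48c036442f1024d9c106627"}
DROPPED_HASHES = {"md5": "c7d95cd5b20457423543608ae83f7297",
                  "sha256": "5a8f6c6d1f0817f7d96d2d48a6651c948df5fc79c1b57414c2d9d6d9d2d83a93"}


def self_injection_candidates(events: list[Event]) -> list[tuple[int, int]]:
    """(parent, child) pairs where a parent spawned a child from its OWN image path and
    then wrote into that child's memory: the RenamesItself + WriteProcessMemory combo."""
    spawned_image = {(e.pid, e.target): e.detail.split()[0].lower()
                     for e in events if e.kind == "spawn"}
    return sorted({(e.pid, e.target) for e in events if e.kind == "write_memory"
                   and spawned_image.get((e.pid, e.target)) == e.image.lower()})


def injection_evidence(events: list[Event], parent: int, child: int) -> dict[str, object]:
    """Corroborating facts to check before calling the pair hollowing / self-injection."""
    child_kinds = {e.kind for e in events if e.pid == child}
    return {
        "write_count": sum(1 for e in events if e.kind == "write_memory"
                           and e.pid == parent and e.target == child),
        "child_unmaps_main_image": "unmap_main_image" in child_kinds,
        "child_deletes_self": "delete_self" in child_kinds,
        "parent_renamed_itself": any(e.kind == "rename_self" and e.pid == parent for e in events),
    }


def crashed_pids(events: list[Event]) -> list[int]:
    """PIDs handed to WerFault.exe via '-p <pid>': both stages died in the sandbox, so the
    run may not reflect the full payload."""
    out = set()
    for e in events:
        if e.kind == "spawn" and e.detail.lower().startswith(WERFAULT.lower()):
            toks = e.detail.split()
            if "-p" in toks:
                out.add(int(toks[toks.index("-p") + 1]))
    return sorted(out)


def language_keys_opened(events: list[Event]) -> list[str]:
    """Registry keys under NLS\\Language opened by the sample (ATT&CK T1614.001)."""
    return [e.detail for e in events if e.kind == "reg_open" and r"\NLS\Language" in e.detail]


def dropped_is_byte_identical(sample: dict[str, str], dropped: dict[str, str]) -> bool:
    """Equal reported size (268KB) does not make two files equal; only matching hashes do."""
    return all(sample[k] == dropped[k] for k in ("md5", "sha256"))


def triage(events: list[Event]) -> dict[str, object]:
    pairs = self_injection_candidates(events)
    return {
        "self_injection_pairs": pairs,
        "evidence": {p: injection_evidence(events, *p) for p in pairs},
        "crashed": crashed_pids(events),
        "language_discovery": language_keys_opened(events),
        "dropped_identical_to_sample": dropped_is_byte_identical(SAMPLE_HASHES, DROPPED_HASHES),
    }


if __name__ == "__main__":
    for key, value in triage(EVENTS).items():
        print(f"{key}: {value}")
```

Two caveats the output makes explicit: both stages crashed (WerFault for 5012 and 4952), so the recorded behaviour is whatever ran before the faults and may not be the full payload; and the dropped file under Downloads has the same reported size as the sample but different hashes, so "Executes dropped EXE" at the original path means a rewritten binary, not a plain self-copy.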
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 268KB
- MD5: c7d95cd5b20457423543608ae83f7297
- SHA1: 11d9fb190792f899ac2ae0ddfcac64dc6209c1a7
- SHA256: 5a8f6c6d1f0817f7d96d2d48a6651c948df5fc79c1b57414c2d9d6d9d2d83a93
- SHA512: fc2406d6952d7f7cd737901474295921549d83fadca253c5636d9ab44b07a49c806eb01ea4ddfbfa35a1543caca6ab88e6eccbb2dd647b70ba61d0037f793dc1