Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    94s
  • max time network
    114s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06/09/2024, 14:20

General

  • Target

    853dd593ac5cdf53c30c2e7574c020d0N.exe

  • Size

    501KB

  • MD5

    853dd593ac5cdf53c30c2e7574c020d0

  • SHA1

    d84e753ca8b99a885beedf5e2e9461f9e2cccc7e

  • SHA256

    c04302bda647b86a3a35e45b4f8dff5bee493654be0cc92afc5ae9c6f7f814e5

  • SHA512

    c2f4c8db80bca6ca122ca22e07be9d6bfcfd2423308bbedd9493d5442142b46443786165a7c7127c25e757478c10adc5d1d6257dc0c30f72f6cbe8075f6b7c40

  • SSDEEP

    12288:PNLK9FChuDDcN6QPaCcn8Is9dO9LCs+ea4aXTy:V/y0PaCcnQPs+ead

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs
  • Program crash 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\853dd593ac5cdf53c30c2e7574c020d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\853dd593ac5cdf53c30c2e7574c020d0N.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: RenamesItself
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:1656
    • C:\Users\Admin\AppData\Local\Temp\853dd593ac5cdf53c30c2e7574c020d0N.exe
      C:\Users\Admin\AppData\Local\Temp\853dd593ac5cdf53c30c2e7574c020d0N.exe
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of UnmapMainImage
      • Suspicious use of WriteProcessMemory
      PID:804
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\853dd593ac5cdf53c30c2e7574c020d0N.exe" /TN I8mYOnEac625 /F
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:3880
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c schtasks.exe /Query /XML /TN I8mYOnEac625 > C:\Users\Admin\AppData\Local\Temp\bS9wM7isW.xml
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4624
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks.exe /Query /XML /TN I8mYOnEac625
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1436
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 804 -s 604
        3⤵
        • Program crash
        PID:3308
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 804 -s 632
        3⤵
        • Program crash
        PID:3544
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 804 -ip 804
    1⤵
      PID:1612
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 804 -ip 804
      1⤵
        PID:2180

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\853dd593ac5cdf53c30c2e7574c020d0N.exe

        Filesize

        501KB

        MD5

        2709e4367d323364e65d7c1570eda078

        SHA1

        34be9a290d230897bb79fae2a0418b8db562bb43

        SHA256

        e369986a7791b6c9b04cddd218db8c11f522fcfa096e127b5a8df73093e64b12

        SHA512

        f400c75d2f03e9a2e17c1e51528b1711ee65ba44b401f6c895e33292dc1f40c3a5309e23a59f4adc7b9314c389f364ada2777c6d09aea190dec539b820dba095

      • C:\Users\Admin\AppData\Local\Temp\bS9wM7isW.xml

        Filesize

        1KB

        MD5

        2a20a7fe54fb189ee3e65a3f0cbc3e3f

        SHA1

        c44104315828b56810f424eb41a5c82566cb1627

        SHA256

        fb445baddcacc72bb5fa18f8f839854f60c006043b77635025d81bf18eebe408

        SHA512

        e5d1dd0d3c6888eceb57eb9ea661b30551cda787e3d518a9216a46f456083f58ba669f414eb07ab310cf231848ab7697e12efb90939158a624062d8ecb29f0b2

      • memory/804-14-0x0000000000400000-0x000000000065C000-memory.dmp

        Filesize

        2.4MB

      • memory/804-21-0x0000000025020000-0x000000002509E000-memory.dmp

        Filesize

        504KB

      • memory/804-22-0x0000000000470000-0x00000000004DB000-memory.dmp

        Filesize

        428KB

      • memory/804-23-0x0000000000400000-0x000000000045B000-memory.dmp

        Filesize

        364KB

      • memory/804-44-0x0000000000400000-0x000000000065C000-memory.dmp

        Filesize

        2.4MB

      • memory/1656-0-0x0000000000400000-0x000000000065C000-memory.dmp

        Filesize

        2.4MB

      • memory/1656-1-0x0000000000400000-0x000000000046B000-memory.dmp

        Filesize

        428KB

      • memory/1656-7-0x0000000024FE0000-0x000000002505E000-memory.dmp

        Filesize

        504KB

      • memory/1656-13-0x0000000000400000-0x000000000046B000-memory.dmp

        Filesize

        428KB