Analysis
- max time kernel: 94s
- max time network: 114s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06/09/2024, 14:20
Behavioral task: behavioral1
- Sample: 853dd593ac5cdf53c30c2e7574c020d0N.exe
- Resource: win7-20240903-en
General
- Target: 853dd593ac5cdf53c30c2e7574c020d0N.exe
- Size: 501KB
- MD5: 853dd593ac5cdf53c30c2e7574c020d0
- SHA1: d84e753ca8b99a885beedf5e2e9461f9e2cccc7e
- SHA256: c04302bda647b86a3a35e45b4f8dff5bee493654be0cc92afc5ae9c6f7f814e5
- SHA512: c2f4c8db80bca6ca122ca22e07be9d6bfcfd2423308bbedd9493d5442142b46443786165a7c7127c25e757478c10adc5d1d6257dc0c30f72f6cbe8075f6b7c40
- SSDEEP: 12288:PNLK9FChuDDcN6QPaCcn8Is9dO9LCs+ea4aXTy:V/y0PaCcnQPs+ead
Malware Config
Signatures
- Deletes itself (1 IoCs)
  pid | Process
  804 | 853dd593ac5cdf53c30c2e7574c020d0N.exe
- Executes dropped EXE (1 IoCs)
  pid | Process
  804 | 853dd593ac5cdf53c30c2e7574c020d0N.exe
- resource | yara_rule
  behavioral2/memory/1656-0-0x0000000000400000-0x000000000065C000-memory.dmp | upx
  behavioral2/files/0x000900000002346d-12.dat | upx
  behavioral2/memory/804-14-0x0000000000400000-0x000000000065C000-memory.dmp | upx
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 1 IoCs)
  flow | ioc
  8 | pastebin.com
- Program crash (2 IoCs)
  pid | pid_target | Process | procid_target
  3308 | 804 | WerFault.exe | 84
  3544 | 804 | WerFault.exe | 84
- System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 853dd593ac5cdf53c30c2e7574c020d0N.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 853dd593ac5cdf53c30c2e7574c020d0N.exe
- Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  3880 | schtasks.exe
- Suspicious behavior: RenamesItself (1 IoCs)
  pid | Process
  1656 | 853dd593ac5cdf53c30c2e7574c020d0N.exe
- Suspicious use of UnmapMainImage (2 IoCs)
  pid | Process
  1656 | 853dd593ac5cdf53c30c2e7574c020d0N.exe
  804 | 853dd593ac5cdf53c30c2e7574c020d0N.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | Process | procid_target
  PID 1656 wrote to memory of 804 | 1656 | 853dd593ac5cdf53c30c2e7574c020d0N.exe | 84
  PID 1656 wrote to memory of 804 | 1656 | 853dd593ac5cdf53c30c2e7574c020d0N.exe | 84
  PID 1656 wrote to memory of 804 | 1656 | 853dd593ac5cdf53c30c2e7574c020d0N.exe | 84
  PID 804 wrote to memory of 3880 | 804 | 853dd593ac5cdf53c30c2e7574c020d0N.exe | 85
  PID 804 wrote to memory of 3880 | 804 | 853dd593ac5cdf53c30c2e7574c020d0N.exe | 85
  PID 804 wrote to memory of 3880 | 804 | 853dd593ac5cdf53c30c2e7574c020d0N.exe | 85
  PID 804 wrote to memory of 4624 | 804 | 853dd593ac5cdf53c30c2e7574c020d0N.exe | 87
  PID 804 wrote to memory of 4624 | 804 | 853dd593ac5cdf53c30c2e7574c020d0N.exe | 87
  PID 804 wrote to memory of 4624 | 804 | 853dd593ac5cdf53c30c2e7574c020d0N.exe | 87
  PID 4624 wrote to memory of 1436 | 4624 | cmd.exe | 90
  PID 4624 wrote to memory of 1436 | 4624 | cmd.exe | 90
  PID 4624 wrote to memory of 1436 | 4624 | cmd.exe | 90
Processes
- C:\Users\Admin\AppData\Local\Temp\853dd593ac5cdf53c30c2e7574c020d0N.exe (PID:1656)
  Command line: "C:\Users\Admin\AppData\Local\Temp\853dd593ac5cdf53c30c2e7574c020d0N.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: RenamesItself
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\853dd593ac5cdf53c30c2e7574c020d0N.exe (PID:804)
    Command line: C:\Users\Admin\AppData\Local\Temp\853dd593ac5cdf53c30c2e7574c020d0N.exe
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe (PID:3880)
      Command line: schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\853dd593ac5cdf53c30c2e7574c020d0N.exe" /TN I8mYOnEac625 /F
      - System Location Discovery: System Language Discovery
      - Scheduled Task/Job: Scheduled Task
    - C:\Windows\SysWOW64\cmd.exe (PID:4624)
      Command line: cmd.exe /c schtasks.exe /Query /XML /TN I8mYOnEac625 > C:\Users\Admin\AppData\Local\Temp\bS9wM7isW.xml
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\schtasks.exe (PID:1436)
        Command line: schtasks.exe /Query /XML /TN I8mYOnEac625
        - System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\WerFault.exe (PID:3308)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 804 -s 604
      - Program crash
    - C:\Windows\SysWOW64\WerFault.exe (PID:3544)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 804 -s 632
      - Program crash
- C:\Windows\SysWOW64\WerFault.exe (PID:1612)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 804 -ip 804
- C:\Windows\SysWOW64\WerFault.exe (PID:2180)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 804 -ip 804
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 501KB
  MD5: 2709e4367d323364e65d7c1570eda078
  SHA1: 34be9a290d230897bb79fae2a0418b8db562bb43
  SHA256: e369986a7791b6c9b04cddd218db8c11f522fcfa096e127b5a8df73093e64b12
  SHA512: f400c75d2f03e9a2e17c1e51528b1711ee65ba44b401f6c895e33292dc1f40c3a5309e23a59f4adc7b9314c389f364ada2777c6d09aea190dec539b820dba095
- Filesize: 1KB
  MD5: 2a20a7fe54fb189ee3e65a3f0cbc3e3f
  SHA1: c44104315828b56810f424eb41a5c82566cb1627
  SHA256: fb445baddcacc72bb5fa18f8f839854f60c006043b77635025d81bf18eebe408
  SHA512: e5d1dd0d3c6888eceb57eb9ea661b30551cda787e3d518a9216a46f456083f58ba669f414eb07ab310cf231848ab7697e12efb90939158a624062d8ecb29f0b2