Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
146s -
max time network
156s -
platform
windows11-21h2_x64 -
resource
win11-20240802-en -
resource tags
arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system -
submitted
12/09/2024, 03:29
Static task
static1
Behavioral task
behavioral1
Sample
7047b08b0091eecbc20b8f213dc446650befe900b586ac51ae2b3a5ebba44f4e.exe
Resource
win10v2004-20240802-en
General
-
Target
7047b08b0091eecbc20b8f213dc446650befe900b586ac51ae2b3a5ebba44f4e.exe
-
Size
422KB
-
MD5
6033e7a30bae3bf5950789361921c795
-
SHA1
f3dfad41c52bad70e6afb92864dca1132963a95e
-
SHA256
7047b08b0091eecbc20b8f213dc446650befe900b586ac51ae2b3a5ebba44f4e
-
SHA512
2a5d0c723cbd7a968881d55faaefef6138d3566d29f9191a1d26ec131a5585a89f395921e08457d21f749e6824a63e2e6ab58099639d88854260dd8659c30ce8
-
SSDEEP
6144:1EPt4XFZoFd1JuB90/vTRrJgDKVJaoHSF68pXzHP6B:4tpFRecrV6oqHi
Malware Config
Extracted
gcleaner
80.66.75.114
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 8 IoCs
pid pid_target Process procid_target 124 952 WerFault.exe 77 1084 952 WerFault.exe 77 3020 952 WerFault.exe 77 4604 952 WerFault.exe 77 788 952 WerFault.exe 77 1660 952 WerFault.exe 77 2944 952 WerFault.exe 77 1664 952 WerFault.exe 77 -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7047b08b0091eecbc20b8f213dc446650befe900b586ac51ae2b3a5ebba44f4e.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Kills process with taskkill 1 IoCs
pid Process 968 taskkill.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 968 taskkill.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 952 wrote to memory of 1668 952 7047b08b0091eecbc20b8f213dc446650befe900b586ac51ae2b3a5ebba44f4e.exe 93 PID 952 wrote to memory of 1668 952 7047b08b0091eecbc20b8f213dc446650befe900b586ac51ae2b3a5ebba44f4e.exe 93 PID 952 wrote to memory of 1668 952 7047b08b0091eecbc20b8f213dc446650befe900b586ac51ae2b3a5ebba44f4e.exe 93 PID 1668 wrote to memory of 968 1668 cmd.exe 96 PID 1668 wrote to memory of 968 1668 cmd.exe 96 PID 1668 wrote to memory of 968 1668 cmd.exe 96
Processes
-
C:\Users\Admin\AppData\Local\Temp\7047b08b0091eecbc20b8f213dc446650befe900b586ac51ae2b3a5ebba44f4e.exe"C:\Users\Admin\AppData\Local\Temp\7047b08b0091eecbc20b8f213dc446650befe900b586ac51ae2b3a5ebba44f4e.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:952 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 952 -s 7722⤵
- Program crash
PID:124
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 952 -s 8162⤵
- Program crash
PID:1084
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 952 -s 7722⤵
- Program crash
PID:3020
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 952 -s 8442⤵
- Program crash
PID:4604
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 952 -s 9522⤵
- Program crash
PID:788
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 952 -s 10602⤵
- Program crash
PID:1660
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 952 -s 14282⤵
- Program crash
PID:2944
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "7047b08b0091eecbc20b8f213dc446650befe900b586ac51ae2b3a5ebba44f4e.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7047b08b0091eecbc20b8f213dc446650befe900b586ac51ae2b3a5ebba44f4e.exe" & exit2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1668 -
C:\Windows\SysWOW64\taskkill.exetaskkill /im "7047b08b0091eecbc20b8f213dc446650befe900b586ac51ae2b3a5ebba44f4e.exe" /f3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:968
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 952 -s 14802⤵
- Program crash
PID:1664
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 952 -ip 9521⤵PID:388
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 952 -ip 9521⤵PID:5008
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 952 -ip 9521⤵PID:1384
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 952 -ip 9521⤵PID:3936
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 952 -ip 9521⤵PID:840
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 952 -ip 9521⤵PID:1224
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 952 -ip 9521⤵PID:3328
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 952 -ip 9521⤵PID:1488
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1B
MD5cfcd208495d565ef66e7dff9f98764da
SHA1b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA2565feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA51231bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99