Analysis
Max time kernel: 100s
Max time network: 101s
Platform: windows10-2004_x64
Resource: win10v2004-20240802-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 19/09/2024, 05:42
Behavioral task
behavioral1
Sample: 4ec77f5f77d8529a32f7dd57ddff7ad5965e205dce1cb7fc2a7b5810c0da3a4dN.exe
Resource: win7-20240903-en

General
Target: 4ec77f5f77d8529a32f7dd57ddff7ad5965e205dce1cb7fc2a7b5810c0da3a4dN.exe
Size: 413KB
MD5: e451b5df605f0d8c71aabdcd14c2d740
SHA1: 5a44a48c536377ef6b311c31dc42170b2c7e2277
SHA256: 4ec77f5f77d8529a32f7dd57ddff7ad5965e205dce1cb7fc2a7b5810c0da3a4d
SHA512: 403efb9868f7c977182e47f5feddb33f13c3eb22e1147387d94b5410ca1ea39109dddf6efd1438f10cbc9dab45333ce9b497b048e4e072bbb07bb98693fea5e9
SSDEEP: 12288:Ax0L1e1+sztEFXdewVNNiHGuEUL7Jfa7nIC:Ax0L1qEPeWrNg
Malware Config
Signatures

Executes dropped EXE (1 IoC)
pid 728  Griwua.exe

YARA rule match: upx (2 IoCs)
resource: behavioral2/memory/4796-0-0x0000000000400000-0x0000000000469000-memory.dmp  yara_rule: upx
resource: behavioral2/files/0x0007000000023437-9.dat  yara_rule: upx

Drops file in Windows directory (6 IoCs)
File created                  C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job  Griwua.exe
File opened for modification  C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job  Griwua.exe
File created                  C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job  4ec77f5f77d8529a32f7dd57ddff7ad5965e205dce1cb7fc2a7b5810c0da3a4dN.exe
File opened for modification  C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job  4ec77f5f77d8529a32f7dd57ddff7ad5965e205dce1cb7fc2a7b5810c0da3a4dN.exe
File created                  C:\Windows\Griwua.exe  4ec77f5f77d8529a32f7dd57ddff7ad5965e205dce1cb7fc2a7b5810c0da3a4dN.exe
File opened for modification  C:\Windows\Griwua.exe  4ec77f5f77d8529a32f7dd57ddff7ad5965e205dce1cb7fc2a7b5810c0da3a4dN.exe

Program crash (1 IoC)
pid 89276  pid_target 728  Process WerFault.exe  procid_target 82
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  4ec77f5f77d8529a32f7dd57ddff7ad5965e205dce1cb7fc2a7b5810c0da3a4dN.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Griwua.exe

Modifies Internet Explorer settings (1 IoC)
Key created  \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Internet Explorer\Main  Griwua.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid 728  Griwua.exe  (all 64 entries are this process)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid 728  Griwua.exe

Suspicious use of WriteProcessMemory (3 IoCs)
PID 4796 wrote to memory of 728  4ec77f5f77d8529a32f7dd57ddff7ad5965e205dce1cb7fc2a7b5810c0da3a4dN.exe  procid_target 82  (3 identical entries)
Processes

C:\Users\Admin\AppData\Local\Temp\4ec77f5f77d8529a32f7dd57ddff7ad5965e205dce1cb7fc2a7b5810c0da3a4dN.exe  (PID 4796)
  Command line: "C:\Users\Admin\AppData\Local\Temp\4ec77f5f77d8529a32f7dd57ddff7ad5965e205dce1cb7fc2a7b5810c0da3a4dN.exe"
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  └ C:\Windows\Griwua.exe  (PID 728)
      Command line: C:\Windows\Griwua.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Modifies Internet Explorer settings
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      └ C:\Windows\SysWOW64\WerFault.exe  (PID 89276)
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 728 -s 756
          - Program crash

C:\Windows\SysWOW64\WerFault.exe  (PID 89304)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 728 -ip 728
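For responders who want to check their own endpoints for the artefacts in this report, the following PowerShell hunt script is an added example; it is not part of the tria.ge report and not the sample's own code. The dropped path, the .job file name and the SHA256 are taken from this report; the seven-day event-log window and the requirement to run elevated are assumptions made for the example.

```powershell
# Added example (not from the report): hunt for the indicators observed above.
# Run in an elevated PowerShell so C:\Windows and the Application log are readable.
# Assumption: the 7-day window for crash events is arbitrary; widen it as needed.

$KnownSha256 = '4ec77f5f77d8529a32f7dd57ddff7ad5965e205dce1cb7fc2a7b5810c0da3a4d'   # from the report
$DroppedExe  = 'C:\Windows\Griwua.exe'                                               # from the report
$JobFile     = 'C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job'         # from the report

$findings = [System.Collections.Generic.List[object]]::new()

# 1. Dropped executable in C:\Windows. A non-Microsoft, unsigned binary there is suspicious on its own;
#    a hash match against the report is confirmation, a mismatch may just mean a repacked variant.
if (Test-Path -LiteralPath $DroppedExe) {
    $hash = (Get-FileHash -LiteralPath $DroppedExe -Algorithm SHA256).Hash
    $sig  = Get-AuthenticodeSignature -LiteralPath $DroppedExe
    $findings.Add([pscustomobject]@{
        Indicator = $DroppedExe
        Detail    = "sha256=$($hash.ToLower()) signature=$($sig.Status) matches_report=$($hash -eq $KnownSha256)"
    })
}

# 2. Task Scheduler 1.0 style .job file in C:\Windows\Tasks (persistence). Current Windows
#    releases rarely create these, so any .job file here deserves a look, not just the known one.
Get-ChildItem -LiteralPath 'C:\Windows\Tasks' -Filter '*.job' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $detail = if ($_.FullName -eq $JobFile) { 'job file named in the report' } else { 'other legacy .job file' }
        $findings.Add([pscustomobject]@{ Indicator = $_.FullName; Detail = $detail })
    }

# 3. Is the dropped binary currently running?
Get-Process -Name 'Griwua' -ErrorAction SilentlyContinue | ForEach-Object {
    $findings.Add([pscustomobject]@{ Indicator = "pid $($_.Id)"; Detail = "Griwua.exe running from $($_.Path)" })
}

# 4. Application Error (event 1000) records for Griwua.exe: the sample also crashed under WerFault in the sandbox,
#    so a crash record can be the only trace left after the binary is gone.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'Application Error'; StartTime = (Get-Date).AddDays(-7) } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Griwua\.exe' } |
    ForEach-Object {
        $findings.Add([pscustomobject]@{ Indicator = "Event $($_.Id) at $($_.TimeCreated)"; Detail = 'Application Error for Griwua.exe' })
    }

if ($findings.Count -eq 0) { 'No indicators from this report were found on this host.' }
else { $findings | Format-Table -AutoSize }
```

The registry key under Software\Microsoft\Internet Explorer\Main is deliberately not hunted for: it is created by plenty of legitimate software and would only generate noise on its own. Because the sample is UPX-packed, a repacked variant will carry a different hash, so treat the path and the legacy .job file as the durable indicators and the SHA256 as confirmation.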
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1
Filesize: 413KB
MD5: e451b5df605f0d8c71aabdcd14c2d740
SHA1: 5a44a48c536377ef6b311c31dc42170b2c7e2277
SHA256: 4ec77f5f77d8529a32f7dd57ddff7ad5965e205dce1cb7fc2a7b5810c0da3a4d
SHA512: 403efb9868f7c977182e47f5feddb33f13c3eb22e1147387d94b5410ca1ea39109dddf6efd1438f10cbc9dab45333ce9b497b048e4e072bbb07bb98693fea5e9

File 2
Filesize: 428B
MD5: eea5bbd43657efd3278c46a5fd7bd6ae
SHA1: 6cd704d799d0220be4fa89665d504581e3dc33b7
SHA256: c69bf1fc1a2d494e53ed6c90e94a7a79f118aed0aa7378b413f93c0637c022cb
SHA512: be6a80e4a9f0f8c2d9c9548d34cbd0ac36ef500c5f90c9c1e3e706cd0c01b001757934d04b50621ff384e45f2f5e08d534de3137d02f163c5ed47c8bf3d852a8