Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    95s
  • max time network
    97s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/10/2024, 18:00

General

  • Target

    916715cdd3cb9f6670424bd4f72682cdc4343d79fd36b19de992ee2c3095ecdeN.exe

  • Size

    307KB

  • MD5

    28f2c3e63f1fd1357d2cfe72869b53c0

  • SHA1

    173d8ff1943f864ea06ef27921ed0e5e2216666f

  • SHA256

    916715cdd3cb9f6670424bd4f72682cdc4343d79fd36b19de992ee2c3095ecde

  • SHA512

    c1fe8d6e948521b9d30e4275031b1ff2a2ffb4ff5bd1b0214e631cc4efe3e2613d3edd27c437329edce64f09c35721cc132604c9c2631f2c0269c7ad7a9d9994

  • SSDEEP

    6144:RNeZbN827N5wptBh8EF6+ofNxn1g50EG8Y0lWNe7I+4auF9PX:RNONvJ+ptBCU6++gr86I+69PX

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\916715cdd3cb9f6670424bd4f72682cdc4343d79fd36b19de992ee2c3095ecdeN.exe
    "C:\Users\Admin\AppData\Local\Temp\916715cdd3cb9f6670424bd4f72682cdc4343d79fd36b19de992ee2c3095ecdeN.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1116
    • C:\Users\Admin\AppData\Local\Temp\xuhsbsshb.exe
      C:\Users\Admin\AppData\Local\Temp\xuhsbsshb.exe C:\Users\Admin\AppData\Local\Temp\ukilojtrz
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2764
      • C:\Users\Admin\AppData\Local\Temp\xuhsbsshb.exe
        C:\Users\Admin\AppData\Local\Temp\xuhsbsshb.exe C:\Users\Admin\AppData\Local\Temp\ukilojtrz
        3⤵
          PID:3012
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2764 -s 520
          3⤵
          • Program crash
          PID:1324
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2764 -ip 2764
      1⤵
        PID:2212

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\0j9qjdm913vb7j0eyxt

        Filesize

        213KB

        MD5

        46ff5a0f2ac2424921fd161e8497dd6a

        SHA1

        0086ed96bc8f03dd77eba02e5669fe1c54f90d79

        SHA256

        e8ccd88569cf6f25118135c988a15b8deab2bb3789537182219c41a33b08654b

        SHA512

        dad931f448fa198e666ea3d39d7941b0a385f64c67a2a1a5533ae6f3a0b199b3cd47dd622d3029b7e338a1f2ede917db58b3d9eb481474e5e47566775c3756b1

      • C:\Users\Admin\AppData\Local\Temp\ukilojtrz

        Filesize

        4KB

        MD5

        94cdc5fa8c30e1c1d361a4d7deb9b3ca

        SHA1

        c1c7316895f5aa5cd5b51ef876056dbcb0814632

        SHA256

        e6f2622adb08b89a002a501a6c6615291eec326f6233a57152545fa3afa2a856

        SHA512

        dc7edda3e1f9e4947c9da0f6f63ffe46865d2f9225e2cca36c2292b8710610da2417e1067fde99fffd110012965fe7eda75fc7f8e662edb3e4c0a8c387ef8d7c

      • C:\Users\Admin\AppData\Local\Temp\xuhsbsshb.exe

        Filesize

        4KB

        MD5

        daa39e25fb5b25bd1e42408efdac928f

        SHA1

        665426ddf94268322d180128a92ddb2f45b1d3b8

        SHA256

        7e5a0ec65f4c96a6b8de07c341282da8777fc45f4976e415f1738fa165d0a272

        SHA512

        42cae6cc93a923965a65b70c68a46e63246d5af0175cbf7e4fc33ecf8d5bd2ffc1395c4237411292136daf36ebf132567cfa2f6dc2a7ec7d33d482cee2cb4903

      • memory/2764-8-0x0000000003120000-0x0000000003122000-memory.dmp

        Filesize

        8KB