Analysis

  • max time kernel
    92s
  • max time network
    138s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    24/11/2024, 02:55 UTC

General

  • Target

    0620ab84a45ac413a3ce956eaf04c3a5ac8bc20983c4d3ddfc4a1ef18b2bddeb.exe

  • Size

    406KB

  • MD5

    42954817f830f1df94113a43b4a592ea

  • SHA1

    bbb14840fa7b225e98bf4d80d91adda19a27dd20

  • SHA256

    0620ab84a45ac413a3ce956eaf04c3a5ac8bc20983c4d3ddfc4a1ef18b2bddeb

  • SHA512

    eaff6c0cdf4d2c954ca70058c0755ca66f486c08e720f1f93bdc5f0e6e989b7adef41fc84409bc7273e907051e718f4a96618011bb9419166bbaf19c885f393a

  • SSDEEP

    6144:hBlL/hlqQxBiHB354KnTppIOtFCGArQ3DOgcdkoMF247Ssd/6HQzXG:nMHAKnTsOtFTAQDOgZLFVGtHQzXG

Score
7/10

Malware Config

Signatures

  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0620ab84a45ac413a3ce956eaf04c3a5ac8bc20983c4d3ddfc4a1ef18b2bddeb.exe
    "C:\Users\Admin\AppData\Local\Temp\0620ab84a45ac413a3ce956eaf04c3a5ac8bc20983c4d3ddfc4a1ef18b2bddeb.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3252
    • C:\Users\Admin\AppData\Local\Temp\0620ab84a45ac413a3ce956eaf04c3a5ac8bc20983c4d3ddfc4a1ef18b2bddeb.exe
      "C:\Users\Admin\AppData\Local\Temp\0620ab84a45ac413a3ce956eaf04c3a5ac8bc20983c4d3ddfc4a1ef18b2bddeb.exe"
      2⤵
        PID:404
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3252 -s 1032
        2⤵
        • Program crash
        PID:4048
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3252 -ip 3252
      1⤵
        PID:3588

      Network

      DNS lookups (all sent to 8.8.8.8:53; the Response column is empty for every query)

        Query                          Remote address   Request   Response
        58.55.71.13.in-addr.arpa       8.8.8.8:53       IN PTR
        240.221.184.93.in-addr.arpa    8.8.8.8:53       IN PTR
        64.159.190.20.in-addr.arpa     8.8.8.8:53       IN PTR
        95.221.229.192.in-addr.arpa    8.8.8.8:53       IN PTR
        28.118.140.52.in-addr.arpa     8.8.8.8:53       IN PTR
        154.239.44.20.in-addr.arpa     8.8.8.8:53       IN PTR
        212.20.149.52.in-addr.arpa     8.8.8.8:53       IN PTR
        18.31.95.13.in-addr.arpa       8.8.8.8:53       IN PTR
      DNS flows (one DNS request per flow, for the query listed)

        Destination   Query                          Protocol   Sent   Received   Requests   Responses
        8.8.8.8:53    58.55.71.13.in-addr.arpa       dns        70 B   144 B      1          1
        8.8.8.8:53    240.221.184.93.in-addr.arpa    dns        73 B   144 B      1          1
        8.8.8.8:53    64.159.190.20.in-addr.arpa     dns        72 B   158 B      1          1
        8.8.8.8:53    95.221.229.192.in-addr.arpa    dns        73 B   144 B      1          1
        8.8.8.8:53    28.118.140.52.in-addr.arpa     dns        72 B   158 B      1          1
        8.8.8.8:53    154.239.44.20.in-addr.arpa     dns        72 B   158 B      1          1
        8.8.8.8:53    212.20.149.52.in-addr.arpa     dns        72 B   146 B      1          1
        8.8.8.8:53    18.31.95.13.in-addr.arpa       dns        70 B   144 B      1          1

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\nsm7D5F.tmp\fqfwqcrlvs.dll

        Filesize

        48KB

        MD5

        2dcfaed029e76d404de8c562e9618fc3

        SHA1

        ad586f14bf71ea471905da2e424e872432f60d5e

        SHA256

        54e000d6cbf51dbda212135ecaeae42da9bbd5e4d42bfe472c1df975308ef4ec

        SHA512

        953da849e7f926ff617a9aca550bda7693b66a58a86da4ae202d4423a926a0d0adfaf7331d9ca113f0f5c867ebaa703f467b642e2ac3735ba811868cebf0427a

      • memory/3252-7-0x0000000074DEC000-0x0000000074DEE000-memory.dmp

        Filesize

        8KB
