Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 94s
max time network: 16s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 24/12/2024, 21:31
Static task: static1
Behavioral task: behavioral1
  Sample: 3f90d20b1226a6289f6fe7c022fa6968a5b053b4a89223a0cfde79b81d009aa9.exe
  Resource: win7-20240729-en
Behavioral task: behavioral2
  Sample: 3f90d20b1226a6289f6fe7c022fa6968a5b053b4a89223a0cfde79b81d009aa9.exe
  Resource: win10v2004-20241007-en
General
Target: 3f90d20b1226a6289f6fe7c022fa6968a5b053b4a89223a0cfde79b81d009aa9.exe
Size: 90KB
MD5: ea2f0bab000cc4cc8e6ab767e7a82304
SHA1: f33c39cb5389b28d2d990735319ed154bd42b698
SHA256: 3f90d20b1226a6289f6fe7c022fa6968a5b053b4a89223a0cfde79b81d009aa9
SHA512: 24fa1cb22e2fc981bd4305274d71e6cc15a9efbba49d853cd4ca79d6fa76291d5864c6458207f3b7ab26c5d01fed0dd89e6dc315ebf4094f00f6ec6122843832
SSDEEP: 1536:beCgdjTg0iDjC0WiQ3/3FW0oVzG0u/Ub0VkVN6:bbgJIjILvs0CG0u/Ub0+N6
Malware Config
Extracted
berbew
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 6 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | 3f90d20b1226a6289f6fe7c022fa6968a5b053b4a89223a0cfde79b81d009aa9.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | 3f90d20b1226a6289f6fe7c022fa6968a5b053b4a89223a0cfde79b81d009aa9.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fpgnoo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Fpgnoo32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fedfgejh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Fedfgejh.exe
Berbew family
Executes dropped EXE (3 IoCs)
pid | Process
2380 | Fpgnoo32.exe
2504 | Fedfgejh.exe
2748 | Flnndp32.exe
Loads dropped DLL (10 IoCs)
pid | Process
1760 | 3f90d20b1226a6289f6fe7c022fa6968a5b053b4a89223a0cfde79b81d009aa9.exe
1760 | 3f90d20b1226a6289f6fe7c022fa6968a5b053b4a89223a0cfde79b81d009aa9.exe
2380 | Fpgnoo32.exe
2380 | Fpgnoo32.exe
2504 | Fedfgejh.exe
2504 | Fedfgejh.exe
2044 | WerFault.exe
2044 | WerFault.exe
2044 | WerFault.exe
2044 | WerFault.exe
Drops file in System32 directory (9 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\Fedfgejh.exe | Fpgnoo32.exe
File opened for modification | C:\Windows\SysWOW64\Fpgnoo32.exe | 3f90d20b1226a6289f6fe7c022fa6968a5b053b4a89223a0cfde79b81d009aa9.exe
File created | C:\Windows\SysWOW64\Mjpdkq32.dll | 3f90d20b1226a6289f6fe7c022fa6968a5b053b4a89223a0cfde79b81d009aa9.exe
File opened for modification | C:\Windows\SysWOW64\Fedfgejh.exe | Fpgnoo32.exe
File created | C:\Windows\SysWOW64\Kmpnop32.dll | Fpgnoo32.exe
File created | C:\Windows\SysWOW64\Flnndp32.exe | Fedfgejh.exe
File opened for modification | C:\Windows\SysWOW64\Flnndp32.exe | Fedfgejh.exe
File created | C:\Windows\SysWOW64\Onndkg32.dll | Fedfgejh.exe
File created | C:\Windows\SysWOW64\Fpgnoo32.exe | 3f90d20b1226a6289f6fe7c022fa6968a5b053b4a89223a0cfde79b81d009aa9.exe
Program crash (1 IoCs)
pid | pid_target | Process | procid_target
2044 | 2748 | WerFault.exe | 32
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 3f90d20b1226a6289f6fe7c022fa6968a5b053b4a89223a0cfde79b81d009aa9.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fpgnoo32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fedfgejh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Flnndp32.exe
Modifies registry class (12 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjpdkq32.dll" | 3f90d20b1226a6289f6fe7c022fa6968a5b053b4a89223a0cfde79b81d009aa9.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Fpgnoo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Fpgnoo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onndkg32.dll" | Fedfgejh.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | 3f90d20b1226a6289f6fe7c022fa6968a5b053b4a89223a0cfde79b81d009aa9.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717} | 3f90d20b1226a6289f6fe7c022fa6968a5b053b4a89223a0cfde79b81d009aa9.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | 3f90d20b1226a6289f6fe7c022fa6968a5b053b4a89223a0cfde79b81d009aa9.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmpnop32.dll" | Fpgnoo32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Fedfgejh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Fedfgejh.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node | 3f90d20b1226a6289f6fe7c022fa6968a5b053b4a89223a0cfde79b81d009aa9.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | 3f90d20b1226a6289f6fe7c022fa6968a5b053b4a89223a0cfde79b81d009aa9.exe
Suspicious use of WriteProcessMemory (16 IoCs)
description | pid | Process | procid_target
PID 1760 wrote to memory of 2380 | 1760 | 3f90d20b1226a6289f6fe7c022fa6968a5b053b4a89223a0cfde79b81d009aa9.exe | 30
PID 1760 wrote to memory of 2380 | 1760 | 3f90d20b1226a6289f6fe7c022fa6968a5b053b4a89223a0cfde79b81d009aa9.exe | 30
PID 1760 wrote to memory of 2380 | 1760 | 3f90d20b1226a6289f6fe7c022fa6968a5b053b4a89223a0cfde79b81d009aa9.exe | 30
PID 1760 wrote to memory of 2380 | 1760 | 3f90d20b1226a6289f6fe7c022fa6968a5b053b4a89223a0cfde79b81d009aa9.exe | 30
PID 2380 wrote to memory of 2504 | 2380 | Fpgnoo32.exe | 31
PID 2380 wrote to memory of 2504 | 2380 | Fpgnoo32.exe | 31
PID 2380 wrote to memory of 2504 | 2380 | Fpgnoo32.exe | 31
PID 2380 wrote to memory of 2504 | 2380 | Fpgnoo32.exe | 31
PID 2504 wrote to memory of 2748 | 2504 | Fedfgejh.exe | 32
PID 2504 wrote to memory of 2748 | 2504 | Fedfgejh.exe | 32
PID 2504 wrote to memory of 2748 | 2504 | Fedfgejh.exe | 32
PID 2504 wrote to memory of 2748 | 2504 | Fedfgejh.exe | 32
PID 2748 wrote to memory of 2044 | 2748 | Flnndp32.exe | 33
PID 2748 wrote to memory of 2044 | 2748 | Flnndp32.exe | 33
PID 2748 wrote to memory of 2044 | 2748 | Flnndp32.exe | 33
PID 2748 wrote to memory of 2044 | 2748 | Flnndp32.exe | 33
Processes

C:\Users\Admin\AppData\Local\Temp\3f90d20b1226a6289f6fe7c022fa6968a5b053b4a89223a0cfde79b81d009aa9.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\3f90d20b1226a6289f6fe7c022fa6968a5b053b4a89223a0cfde79b81d009aa9.exe"
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 1760

  C:\Windows\SysWOW64\Fpgnoo32.exe (depth 2)
  Command line: C:\Windows\system32\Fpgnoo32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 2380

    C:\Windows\SysWOW64\Fedfgejh.exe (depth 3)
    Command line: C:\Windows\system32\Fedfgejh.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID: 2504

      C:\Windows\SysWOW64\Flnndp32.exe (depth 4)
      Command line: C:\Windows\system32\Flnndp32.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 2748

        C:\Windows\SysWOW64\WerFault.exe (depth 5)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2748 -s 140
        - Loads dropped DLL
        - Program crash
        PID: 2044
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 90KB
MD5: a8a307f72b0590f6eedb130e1b916fe6
SHA1: 19e9aa9ba4d213e3fa25acffab9b570ff8fe73df
SHA256: 819714c4108e78e131d9fe2402a5352f712f2d26430f8e407e9b39f9a5714908
SHA512: 1a285b694fa73611ea4c0ab197dc3f558f4e5814de8775b1b77309a20485415cc0840a60ef876a5df582a34232bb306b25ff1fcddd18982de6d8ec1ed0981d05

Filesize: 90KB
MD5: ea6634ea0a68e39cd215eb45aab407e1
SHA1: caef5d8567b208de054bf2220fa7eddc40d8603e
SHA256: 34b30d8721eea9c6c6438d53f13960b5f1cf89837e2dc0afbd123d99224e3769
SHA512: b167ca35420fc75d2de6f22695244cf70f9e1b2183668c5e0068759b7308695318e7bf14c971e1f5412e9383393e5d3e771b35b48a65fcd5a1bfc915c6a71bc9

Filesize: 90KB
MD5: 71725a2299179bb59a18ed3525bf4b08
SHA1: 8e8be64c58ab65f9426312c1906b955b41da3cdd
SHA256: a977f6dbe074201dbaca0512b992f63600bf6cc98728d95c732eab4884637c77
SHA512: 503855c8a87258b3f906e08018d02425f70f909cb7f0298e19f7eef09034fbad016bd755b04188a0aff1f0f75f717e09c03cd03e0bc9f554a0a1593bc6b0596e