Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

3

Static

static

3

df2175421c...4d.exe

windows10-2004-x64

3

Resubmissions

05/02/2025, 10:34

250205-mmg7watqer 3

05/02/2025, 10:33

250205-mljdjssnet 3

22/06/2024, 18:41

240622-xb3pjsyhpe 10

22/06/2024, 17:04

240622-vlcj1azdrp 10

Analysis

  • max time kernel
    194s
  • max time network
    173s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250129-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05/02/2025, 10:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    df2175421c791abbbe00721d185b0126fdcfa65948c5df89db284ccd4ae65d4d.exe

  • Size

    534KB

  • MD5

    8e8eaa9b81f664c796225ac49e9ecb71

  • SHA1

    320e25a4b4918dd76582c7f7e68f3d68268b17f7

  • SHA256

    df2175421c791abbbe00721d185b0126fdcfa65948c5df89db284ccd4ae65d4d

  • SHA512

    66529bd7faa3275856fa87e7ec5ed250b0fc694f12e5fab2d1e84aa367844d42c7a19911065c9f2985752d55addc921797c77861081f2f40b5f1a69f84d935d0

  • SSDEEP

    12288:1FF+1IiVMR/La01MZa03EiYIRKoMDKd+A1Ll7e7:1FFroMROFZa03EiYILWWvll74

Score
3/10
discovery

Malware Config

Signatures

  • Program crash 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\df2175421c791abbbe00721d185b0126fdcfa65948c5df89db284ccd4ae65d4d.exe
    "C:\Users\Admin\AppData\Local\Temp\df2175421c791abbbe00721d185b0126fdcfa65948c5df89db284ccd4ae65d4d.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    PID:3400
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3400 -s 544
      2⤵
      • Program crash
      PID:3320
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3400 -s 552
      2⤵
      • Program crash
      PID:772
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:316
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3400 -ip 3400
    1⤵
      PID:2156
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3400 -ip 3400
      1⤵
        PID:1536
      • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
        "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\RenameImport.docx" /o ""
        1⤵
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious use of SetWindowsHookEx
        PID:3236

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
        Filesize

        270B

        MD5

        e30e6ef86a47d64b5d890b46533fcd72

        SHA1

        819269f3df81bc20a233d66c9a923ba9bffa70be

        SHA256

        a6122255f19a453049ebce945d5b841a4d3b44d9c6461a012435663b8f8807cf

        SHA512

        1026945f06e63470f382c086708650f264ca1d21b7e8b0b5afab8a126a7c53363b8bed651887bb4c27114015df60716b337da9c1e8173363c9823f5ad0f12f63

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC
        Filesize

        12B

        MD5

        f6f801e5b0502f5e803ed826dd37ae44

        SHA1

        273e87aa518397186653443c0c3e81d574361708

        SHA256

        e7bcd23ba708556ee69f96050dc7e74f9dab95825bfab48bcea7fd8fac482fd1

        SHA512

        8fe0217b9c7f9331664dc4259c7924b9c7e5e145f0b795ec98d713e41a2e3d001014b3ac41071fe41447632ddbfbbefc8c7d6de8fa9faeca455a0a78575e5584

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
        Filesize

        1KB

        MD5

        1cf6c088c953e4da68f4635d9da2b134

        SHA1

        475d17f32875416d698c9c86745ecc2d73303e18

        SHA256

        ed5756e02736321174ce32582b30a4c592691a71762bee61c3f7736fb62c7a3f

        SHA512

        d2cd2d4f2ce40ce094188d215360286b680a204ab3ee39746d7c6d41ae71d21c874c9015059f677de51a987a3c77654be1edb4e1476a8ef44967d3087ac94b0c

        Download Submit

      • memory/316-9-0x00000174EDFB0000-0x00000174EDFB1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/316-0-0x00000174EDFB0000-0x00000174EDFB1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/316-10-0x00000174EDFB0000-0x00000174EDFB1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/316-2-0x00000174EDFB0000-0x00000174EDFB1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/316-8-0x00000174EDFB0000-0x00000174EDFB1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/316-7-0x00000174EDFB0000-0x00000174EDFB1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/316-6-0x00000174EDFB0000-0x00000174EDFB1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/316-1-0x00000174EDFB0000-0x00000174EDFB1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/316-11-0x00000174EDFB0000-0x00000174EDFB1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/316-12-0x00000174EDFB0000-0x00000174EDFB1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3236-17-0x00007FFCCDB70000-0x00007FFCCDB80000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3236-19-0x00007FFCCDB70000-0x00007FFCCDB80000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3236-20-0x00007FFCCDB70000-0x00007FFCCDB80000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3236-21-0x00007FFCCB9B0000-0x00007FFCCB9C0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3236-22-0x00007FFCCB9B0000-0x00007FFCCB9C0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3236-18-0x00007FFCCDB70000-0x00007FFCCDB80000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3236-16-0x00007FFCCDB70000-0x00007FFCCDB80000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3236-87-0x00007FFCCDB70000-0x00007FFCCDB80000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3236-88-0x00007FFCCDB70000-0x00007FFCCDB80000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3236-90-0x00007FFCCDB70000-0x00007FFCCDB80000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3236-89-0x00007FFCCDB70000-0x00007FFCCDB80000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3400-14-0x0000000000400000-0x0000000004E4F000-memory.dmp

        Filesize

        74.3MB

        Download