Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

0853e3768a...7b.exe

windows7-x64

10

0853e3768a...7b.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30/10/2022, 19:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0853e3768a9c5d8eacc4b15111a52e3ed7dbe6ef613e9898e8fe985cf54d8f7b.exe

  • Size

    172KB

  • MD5

    912c02154770a89406d23ed4bd75e759

  • SHA1

    ecfd448f752ae9d68c1e6b59fe8eb001f9b8343b

  • SHA256

    0853e3768a9c5d8eacc4b15111a52e3ed7dbe6ef613e9898e8fe985cf54d8f7b

  • SHA512

    6557e3f315374d92de2736c48d7e465c9eb0e9678d4919dba4b8156f7acda0df7ec8fff67539c2c0c5bc3404ed2b255a6592204a774185d46af83e1cbe8f8b12

  • SSDEEP

    3072:LjP8K39eB8R8oSx/mOEAFIFR7N3ims2+9AhLOG7GQiCLMt8Xq/WL8mger:LD8q9hR8oSx/mOEAFIFR7NHl++hLOG7b

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 52 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0853e3768a9c5d8eacc4b15111a52e3ed7dbe6ef613e9898e8fe985cf54d8f7b.exe
    "C:\Users\Admin\AppData\Local\Temp\0853e3768a9c5d8eacc4b15111a52e3ed7dbe6ef613e9898e8fe985cf54d8f7b.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4692
    • C:\Users\Admin\xxreuw.exe
      "C:\Users\Admin\xxreuw.exe"
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2200

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\xxreuw.exe
    Filesize

    172KB

    MD5

    3d0c40833ad5b77d69c9f0b45cd4edc3

    SHA1

    a844c97b599f463059d2510d6e7f3f649681cd15

    SHA256

    3876e8bd353ae12f1a96a65db66d2a5a696b5778545fa2025acd0803abc405fc

    SHA512

    b907c17d0a2571492cb607a51b63c8b204ca9a17f9cd4a24fd11c56a832af8fd386530ab8dbc4fc83281c5d89bf0cbd66d385ebac5f24978dc0e3300912b1f74

    Download Submit

  • C:\Users\Admin\xxreuw.exe
    Filesize

    172KB

    MD5

    3d0c40833ad5b77d69c9f0b45cd4edc3

    SHA1

    a844c97b599f463059d2510d6e7f3f649681cd15

    SHA256

    3876e8bd353ae12f1a96a65db66d2a5a696b5778545fa2025acd0803abc405fc

    SHA512

    b907c17d0a2571492cb607a51b63c8b204ca9a17f9cd4a24fd11c56a832af8fd386530ab8dbc4fc83281c5d89bf0cbd66d385ebac5f24978dc0e3300912b1f74

    Download Submit