Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

3e41a0f4a2...ex.exe

windows7-x64

7

3e41a0f4a2...ex.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    148s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06/07/2023, 16:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3e41a0f4a27f1fexeexeexeex.exe

  • Size

    35KB

  • MD5

    3e41a0f4a27f1fab532dd1888aa49e13

  • SHA1

    7b1b12f9e4cfb71d0d0e522b245925a605c4a5b5

  • SHA256

    80a36bdaf3a6beafffd4d8880aaaeec0b38fbb8528385ebb6aad24eea2fd7978

  • SHA512

    31030918cc0c83009966eeec9b7a95406d65165ee2d6be444ece7702e374cd8d88689207cbcbc3b0ced78bb0eac7406db65ef3265de4eca53c7469e39c3b2e5d

  • SSDEEP

    384:bgX4uGLLQRcsdeQ7/nQu63Ag7YmecFanrlwfjDUkKDfWf0w3Yxp4Hxp1yf:bgX4zYcgTEu6QOaryfjqDDw30G1yf

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3e41a0f4a27f1fexeexeexeex.exe
    "C:\Users\Admin\AppData\Local\Temp\3e41a0f4a27f1fexeexeexeex.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1372
    • C:\Users\Admin\AppData\Local\Temp\hasfj.exe
      "C:\Users\Admin\AppData\Local\Temp\hasfj.exe"
      2⤵
      • Executes dropped EXE
      PID:1336

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\hasfj.exe
    Filesize

    35KB

    MD5

    eeb7d6f022acad921b9ea0c1e2d88ea1

    SHA1

    eb227dceadba222905b825e9a4407104321a79e6

    SHA256

    c9cb4302e05979b70ac4abd4d8d83144c88d3ce9fd381d5d88b1e2cb1915c3fe

    SHA512

    04ccec970d6c01b9ea079c3c29c9fb424fa29ee7e86deb2fc97c8b557254e8605a512c58138d14b4bdb9ab8f7c724e6b63f868d8ce52779ad99b268b7e90a635

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\hasfj.exe
    Filesize

    35KB

    MD5

    eeb7d6f022acad921b9ea0c1e2d88ea1

    SHA1

    eb227dceadba222905b825e9a4407104321a79e6

    SHA256

    c9cb4302e05979b70ac4abd4d8d83144c88d3ce9fd381d5d88b1e2cb1915c3fe

    SHA512

    04ccec970d6c01b9ea079c3c29c9fb424fa29ee7e86deb2fc97c8b557254e8605a512c58138d14b4bdb9ab8f7c724e6b63f868d8ce52779ad99b268b7e90a635

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\hasfj.exe
    Filesize

    35KB

    MD5

    eeb7d6f022acad921b9ea0c1e2d88ea1

    SHA1

    eb227dceadba222905b825e9a4407104321a79e6

    SHA256

    c9cb4302e05979b70ac4abd4d8d83144c88d3ce9fd381d5d88b1e2cb1915c3fe

    SHA512

    04ccec970d6c01b9ea079c3c29c9fb424fa29ee7e86deb2fc97c8b557254e8605a512c58138d14b4bdb9ab8f7c724e6b63f868d8ce52779ad99b268b7e90a635

    Download Submit

  • memory/1336-149-0x00000000023D0000-0x00000000023D6000-memory.dmp

    Filesize

    24KB

    Download

  • memory/1372-133-0x00000000021A0000-0x00000000021A6000-memory.dmp

    Filesize

    24KB

    Download

  • memory/1372-134-0x0000000003120000-0x0000000003126000-memory.dmp

    Filesize

    24KB

    Download