Analysis
max time kernel: 85s
max time network: 91s
platform: windows10-2004_x64
resource: win10v2004-20231020-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231020-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18/11/2023, 08:57
Static task: static1
Behavioral task: behavioral1
  Sample: VimeWorld.exe
  Resource: win7-20231020-en
Behavioral task: behavioral2
  Sample: VimeWorld.exe
  Resource: win10v2004-20231020-en
General
Target: VimeWorld.exe
Size: 482KB
MD5: 56c535484e526eeb01052e241a5abd0c
SHA1: 79d69413698a01738c83e10ea3129e47bb86931c
SHA256: 3a96a1ec1ba21c56b239fc2dbcd4b054e00dfbe8c04de3e80ff92306a9f3a2bf
SHA512: c3b78c8139b3d1a777cdff1fe8b15e7385c8eb2cdcc811ee782755f219207fdb85dedbdf4661819086bf886e77de46d800ddbe4b21d37b04909d3baf06255b99
SSDEEP: 3072:eouzvch1aTJHBOAZSYGxkczkaodv07nb9yShzcKVlyWYWq:ehch1ysNxkqkaoZenb9yShzxnyh
Malware Config
Signatures
- Modifies file permissions (1 TTPs, 1 IoCs)
  pid   Process
  3608  icacls.exe
- Drops file in Program Files directory (12 IoCs)
  description                   ioc                                                              Process
  File opened for modification  C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\jvm.pdb     javaw.exe
  File opened for modification  C:\Program Files\Java\jre-1.8\bin\server\ntdll.pdb               javaw.exe
  File opened for modification  C:\Program Files\Java\jre-1.8\bin\server\dll\ntdll.pdb           javaw.exe
  File opened for modification  C:\Program Files\Java\jre-1.8\bin\ntdll.pdb                      javaw.exe
  File opened for modification  C:\Program Files\Java\jre-1.8\bin\dll\ntdll.pdb                  javaw.exe
  File opened for modification  C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\ntdll.pdb   javaw.exe
  File opened for modification  C:\Program Files\Java\jre-1.8\bin\symbols\dll\ntdll.pdb          javaw.exe
  File opened for modification  C:\Program Files\Java\jre-1.8\bin\server\jvm.pdb                 javaw.exe
  File opened for modification  C:\Program Files\Java\jre-1.8\bin\server\dll\jvm.pdb             javaw.exe
  File opened for modification  C:\Program Files\Java\jre-1.8\bin\jvm.pdb                        javaw.exe
  File opened for modification  C:\Program Files\Java\jre-1.8\bin\dll\jvm.pdb                    javaw.exe
  File opened for modification  C:\Program Files\Java\jre-1.8\bin\symbols\dll\jvm.pdb            javaw.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description                        pid   Process        procid_target
  PID 1692 wrote to memory of 1572   1692  VimeWorld.exe  86
  PID 1692 wrote to memory of 1572   1692  VimeWorld.exe  86
  PID 1572 wrote to memory of 3608   1572  javaw.exe      87
  PID 1572 wrote to memory of 3608   1572  javaw.exe      87
Processes
C:\Users\Admin\AppData\Local\Temp\VimeWorld.exe
  "C:\Users\Admin\AppData\Local\Temp\VimeWorld.exe"
  - Suspicious use of WriteProcessMemory
  PID: 1692
  C:\Program Files\Java\jre-1.8\bin\javaw.exe
    "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -Dvw-l4j="true" -jar "C:\Users\Admin\AppData\Local\Temp\VimeWorld.exe"
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID: 1572
    C:\Windows\system32\icacls.exe
      C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
      - Modifies file permissions
      PID: 3608
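The chain above ends in icacls granting Everyone Modify on a directory under C:\ProgramData, with (OI)(CI) so the grant inherits to every file and subdirectory created beneath it. The script below is an added example, not part of the tria.ge report or of the VimeWorld launcher: it reconstructs the parent/child chain from the "Suspicious use of WriteProcessMemory" rows and flags any icacls command line that hands a broad principal Modify, Full or Write rights. The input rows and command lines are constructed from this report; the set of principals treated as "broad" is an assumption of the example.

```python
"""Added example: rebuild the process chain from a Triage WriteProcessMemory
table and flag icacls grants that give a broad principal M, F or W rights.
Input is constructed from the report; BROAD_PRINCIPALS is an assumption."""
import re

# Constructed input: the four WriteProcessMemory IoC rows from the report
# (format: PID <pid> wrote to memory of <target> <pid> <image> <procid_target>).
WPM_RECORDS = """
PID 1692 wrote to memory of 1572 1692 VimeWorld.exe 86
PID 1692 wrote to memory of 1572 1692 VimeWorld.exe 86
PID 1572 wrote to memory of 3608 1572 javaw.exe 87
PID 1572 wrote to memory of 3608 1572 javaw.exe 87
"""

# Constructed input: the three command lines from the process tree, keyed by PID.
COMMAND_LINES = {
    1692: r'"C:\Users\Admin\AppData\Local\Temp\VimeWorld.exe"',
    1572: r'"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -Dvw-l4j="true" '
          r'-jar "C:\Users\Admin\AppData\Local\Temp\VimeWorld.exe"',
    3608: r'C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage '
          r'/grant "everyone":(OI)(CI)M',
}

WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) \d+")

# Assumption for this example: principals whose M/F/W grant counts as "broad".
BROAD_PRINCIPALS = {
    "everyone", "*s-1-1-0",
    "users", "*s-1-5-32-545",
    "authenticated users", "*s-1-5-11",
}

# /grant or /grant:r, optional quotes around the principal, then inheritance
# flags such as (OI)(CI) and a rights string such as M, F or (F).
GRANT_RE = re.compile(r'/grant(?::r)?\s+"?([^":]+)"?:((?:\([A-Za-z]+\))*)([A-Za-z,()]+)')


def parse_wpm(text):
    """Map child PID -> (parent PID, parent image). Triage lists one row per
    write, so duplicate rows collapse into a single edge."""
    parents = {}
    for m in WPM_RE.finditer(text):
        src, dst, image = int(m.group(1)), int(m.group(2)), m.group(3)
        parents[dst] = (src, image)
    return parents


def build_chain(pid, parents):
    """Walk parent links up to the root; returns PIDs root-first."""
    chain, seen = [pid], {pid}
    while pid in parents:
        pid = parents[pid][0]
        if pid in seen:  # defensive: stop on a cycle rather than loop forever
            break
        seen.add(pid)
        chain.append(pid)
    return chain[::-1]


def icacls_broad_grant(cmdline):
    """Return (principal, inheritance, rights) when an icacls command grants a
    broad principal M, F or W rights; otherwise None."""
    if "icacls" not in cmdline.lower():
        return None
    m = GRANT_RE.search(cmdline)
    if not m:
        return None
    principal = m.group(1).strip().lower()
    inherit, rights = m.group(2), m.group(3)
    if principal in BROAD_PRINCIPALS and any(r in rights.upper() for r in ("F", "M", "W")):
        return principal, inherit, rights
    return None


def findings(wpm_text=WPM_RECORDS, cmdlines=COMMAND_LINES):
    """Flag every broad icacls grant together with the chain that launched it."""
    parents = parse_wpm(wpm_text)
    out = []
    for pid, cmd in cmdlines.items():
        hit = icacls_broad_grant(cmd)
        if hit:
            out.append({"pid": pid, "chain": build_chain(pid, parents),
                        "principal": hit[0], "inherit": hit[1], "rights": hit[2]})
    return out


if __name__ == "__main__":
    for f in findings():
        print(f"PID {f['pid']} chain {' -> '.join(map(str, f['chain']))}: "
              f"grants {f['principal']} {f['inherit']}{f['rights']}")
```

Run against this report it yields one finding: PID 3608, chain 1692 -> 1572 -> 3608, Everyone granted (OI)(CI)M. Because the match is on the command line alone, the same check can be pointed at process-creation telemetry (Sysmon event 1 or 4688 with command-line auditing enabled) rather than at a sandbox table; whether the grant is acceptable is a policy question, but a world-writable inheritable directory under C:\ProgramData is a weak ACL whatever the launcher intended.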
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 46B
MD5: 8fb3bc096f7f0c07769bbf3588516dba
SHA1: ed6db1c91190f92691ca188f850d88d995418847
SHA256: 684628fd1d73d14316a203306f6eb0c4415f7a59eead07f54b9902afba59ffca
SHA512: f3c51cf0f93c5ad3888569d9c96d8a43bd9b282fc052c8df37deade92b81f0c50b12339bbd21846484aa119985fcc58d1531e32127f5acac4b0b26a8e12a269a