Analysis

  • max time kernel
    137s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19/12/2023, 10:37

General

  • Target

    09b5855b4aa4879a05d027bb7cfba46e.exe

  • Size

    14KB

  • MD5

    09b5855b4aa4879a05d027bb7cfba46e

  • SHA1

    3f873d16dcebaab8b9f183dfe06d0b1a9214c0c7

  • SHA256

    5fd261ece267cc0a49414067714d01a72e151c7275396eb7c1eb2913c63eecba

  • SHA512

    9298af07c5cd2e073e3eb98050a2b668e740348d3514c23e80e9bcd2f2572d477fe3ec6400d784291b171c47e866728ea58bc09eea764ee1f561441c8c01de24

  • SSDEEP

    384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yh4cnz:hDXWipuE+K3/SSHgx/z

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 6 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\09b5855b4aa4879a05d027bb7cfba46e.exe
    "C:\Users\Admin\AppData\Local\Temp\09b5855b4aa4879a05d027bb7cfba46e.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4888
    • C:\Users\Admin\AppData\Local\Temp\DEM4CB8.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM4CB8.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:3580
      • C:\Users\Admin\AppData\Local\Temp\DEMA306.exe
        "C:\Users\Admin\AppData\Local\Temp\DEMA306.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:2732
        • C:\Users\Admin\AppData\Local\Temp\DEMF954.exe
          "C:\Users\Admin\AppData\Local\Temp\DEMF954.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:1888
          • C:\Users\Admin\AppData\Local\Temp\DEM4FA2.exe
            "C:\Users\Admin\AppData\Local\Temp\DEM4FA2.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:2740
            • C:\Users\Admin\AppData\Local\Temp\DEMA5EF.exe
              "C:\Users\Admin\AppData\Local\Temp\DEMA5EF.exe"
              6⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Suspicious use of WriteProcessMemory
              PID:2192
              • C:\Users\Admin\AppData\Local\Temp\DEMFBDF.exe
                "C:\Users\Admin\AppData\Local\Temp\DEMFBDF.exe"
                7⤵
                • Executes dropped EXE
                PID:1088

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\DEM4CB8.exe

    Filesize

    14KB

    MD5

    a52b583e490373216b6a2b117283cac3

    SHA1

    58953d48b6aa51c57ecbfa1ce919459bc60a30bd

    SHA256

    e91a379d4b3d5375f3c28b6ba5e2aecb10fc708aecd8855bf57176a8de819e76

    SHA512

    fe23c91dfd7cb276bd9318438c760056d76add032d7bc162a9a5554d7f88d2f655bac6886bc152c6a2a7c41666bfe83ac92b565206ca277ee00289dbc208d97c

  • C:\Users\Admin\AppData\Local\Temp\DEM4FA2.exe

    Filesize

    14KB

    MD5

    f00ea52ea7c13783cbce6a80a74eb056

    SHA1

    90b16dd90dfc1b616baf6e80a37f119e8507655e

    SHA256

    6ebc661489e3749d5dc821ab80ff363bcadb6ee4aa1a11b800c6efe1e11d89fa

    SHA512

    31fbf0568c2cc9cff05e97097cfc7b5aad20b4364c7102a14b11c5899d934b5c5831786703a596190f443ef9677f1167d85bf0fd8fd7cf8eb25cfa48efd30e1d

  • C:\Users\Admin\AppData\Local\Temp\DEMA306.exe

    Filesize

    14KB

    MD5

    394d76fd828fe1800342265b9bb7f8c5

    SHA1

    16b54087aaa793039362d55cc6b9e0355e531705

    SHA256

    c15f076ff8e63c3653efe73fdc5c182ba6fcc36dd132f4bddec2a291c37af9b1

    SHA512

    031603e1c5e5fb27b9bb1350031491ba0437d21743500d342120aee9b323183bbd7eb961acca03f2632aff3f42a5e26196748c9cc1b39015041d581bb94ec76b

  • C:\Users\Admin\AppData\Local\Temp\DEMA5EF.exe

    Filesize

    14KB

    MD5

    c4082aac47ddfbbc21f16ac590117228

    SHA1

    8c5061bbe06974edc36d6688e0cb56d313e9baf0

    SHA256

    93b5432e14179c512399c175e5d11b04fba26b186318450ef80a06f0dcba1978

    SHA512

    9120b891adcfd4d1d05701a20e4ecba32cac3ffc17912758eb70a7a2d8b41729931413af41c533e6ff4c72331b11b0fd8a6a27a4b0219844f6c22a308fc4e5f8

  • C:\Users\Admin\AppData\Local\Temp\DEMF954.exe

    Filesize

    14KB

    MD5

    45da01db1810d135807717648d52a3ae

    SHA1

    7cf8f384b0d07f8f93f1d62080457a56c49f5b26

    SHA256

    019469ec013a43133b57e51b99d9666e69f23e0e45af8f4d933afed83c84dd27

    SHA512

    d79d874a1d649ac32ab5f7420ae9817da6ed52ec17ae18a7c34a7ce4824a07728b97cc291443a610e57f6a1e3622177a23f7f4df228e0731c2463ba22bd0a34b

  • C:\Users\Admin\AppData\Local\Temp\DEMFBDF.exe

    Filesize

    14KB

    MD5

    0328306b8f47291e20958e8ea5674f25

    SHA1

    8e1df2132a01bb0adb301cd19db78ebf1302dd0c

    SHA256

    3129efbdfc41d27b8d0d76bbe68b337b8ad8b2f7433620e2ff32e0b2f148bca8

    SHA512

    d377495e89545005a52146bf0bb6b479984a79639fe9ce0cfbf6da37417047a303e92135d7516a721951e6c2d3b7bd3429b386c5069403754af8f86cefe642df