Analysis

  • max time kernel
    150s
  • max time network
    136s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    24/12/2023, 18:16 UTC

General

  • Target

    0b1a3f997b9b89dc62968a69a8888fe6.exe

  • Size

    296KB

  • MD5

    0b1a3f997b9b89dc62968a69a8888fe6

  • SHA1

    ddb4c93e847d56feb12ff9b83c53222f0cd0b58b

  • SHA256

    58b055efd58d032d96c3cf06627f0f9bc82ac7e2c32eec6e52256373e502e884

  • SHA512

    6a2d4f004fb01a84fcfd01da7240df812e3fa01b8f932290167b16bf17ca1279ada5b8a7d0d3af7d260c8aa530da5229c5595c41c633a79c4016232bc8ea3fe5

  • SSDEEP

    6144:kkxD1y0FXrKnvmb7/D26OJYPsMiqDJlJNwHG6s20EBb4jHX3QA/hwNGhWhThPvMc:keD1y0F7Knvmb7/D265DJlJNwHG6JTbv

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 53 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0b1a3f997b9b89dc62968a69a8888fe6.exe
    "C:\Users\Admin\AppData\Local\Temp\0b1a3f997b9b89dc62968a69a8888fe6.exe"
    1⤵
    • Modifies visibility of hidden/system files in Explorer
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2436
    • C:\Users\Admin\riomei.exe
      "C:\Users\Admin\riomei.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:2172

Network

  DNS lookup (resolver 8.8.8.8, country: US)

    Domain               Process                                 Resolver     Request   Response
    ns1.player1532.com   0b1a3f997b9b89dc62968a69a8888fe6.exe    8.8.8.8:53   IN A      107.178.223.183, 104.155.138.21

  Connections

    Remote address          Domain               Protocol   Process                                 Sent     Received   Packets sent / received
    107.178.223.183:8000    ns1.player1532.com   -          0b1a3f997b9b89dc62968a69a8888fe6.exe    466 B    364 B      10 / 9
    8.8.8.8:53              ns1.player1532.com   dns        0b1a3f997b9b89dc62968a69a8888fe6.exe    64 B     96 B       1 / 1
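
The network indicators above (the domain, its two A-record answers and the connection to 107.178.223.183 on port 8000) are the part of this report most useful for retrospective hunting. The following is an added example, not part of the tria.ge report, that matches them against Zeek-style JSON `dns.log` / `conn.log` records. The log records are constructed for the example (internal 10.0.0.0/8 hosts, the TEST-NET address 198.51.100.9 standing in for a fresh resolution of the domain); the pivot rule that a newly learned resolution only fires when paired with the known C2 port is a design choice of the example, not something the report states.

```python
"""Match the network indicators from this report (the C2 domain, its two
resolutions and the 8000/tcp connection) against Zeek-style JSON logs,
pivoting on any new resolution of the domain. Added example; the log
records below are constructed, not captured traffic."""
import json
from dataclasses import dataclass

# Indicators from the Network section of the report.
IOC_DOMAINS = {"ns1.player1532.com"}
IOC_IPS = {"107.178.223.183", "104.155.138.21"}
IOC_PORTS = {8000}  # remote port the sample talked to

# Constructed dns.log / conn.log records in Zeek's JSON layout (subset of fields).
DNS_LOG = """\
{"ts": 1703441800.1, "id.orig_h": "10.0.0.5", "query": "ns1.player1532.com", "qtype_name": "A", "answers": ["107.178.223.183", "104.155.138.21"]}
{"ts": 1703441801.2, "id.orig_h": "10.0.0.7", "query": "ns1.player1532.com", "qtype_name": "A", "answers": ["198.51.100.9"]}
{"ts": 1703441802.3, "id.orig_h": "10.0.0.9", "query": "example.com", "qtype_name": "A", "answers": ["93.184.216.34"]}
"""
CONN_LOG = """\
{"ts": 1703441803.0, "id.orig_h": "10.0.0.5", "id.resp_h": "107.178.223.183", "id.resp_p": 8000, "proto": "tcp"}
{"ts": 1703441804.0, "id.orig_h": "10.0.0.7", "id.resp_h": "198.51.100.9", "id.resp_p": 8000, "proto": "tcp"}
{"ts": 1703441805.0, "id.orig_h": "10.0.0.11", "id.resp_h": "104.155.138.21", "id.resp_p": 443, "proto": "tcp"}
{"ts": 1703441806.0, "id.orig_h": "10.0.0.9", "id.resp_h": "93.184.216.34", "id.resp_p": 443, "proto": "tcp"}
{"ts": 1703441807.0, "id.orig_h": "10.0.0.13", "id.resp_h": "192.0.2.44", "id.resp_p": 8000, "proto": "tcp"}
"""


@dataclass(frozen=True)
class Hit:
    log: str     # "dns" or "conn"
    host: str    # internal host that produced the record
    reason: str  # which indicator matched and how


def parse(text: str) -> list[dict]:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def scan_dns(records: list[dict]) -> tuple[list[Hit], set[str]]:
    """Flag queries for the C2 domain; collect answers not already in IOC_IPS
    so a re-pointed domain is still caught at the connection layer."""
    hits, learned = [], set()
    for r in records:
        name = r.get("query", "").lower().rstrip(".")
        if name in IOC_DOMAINS:
            answers = r.get("answers", [])
            hits.append(Hit("dns", r["id.orig_h"], f"A? {name} -> {','.join(answers)}"))
            learned.update(a for a in answers if a not in IOC_IPS)
    return hits, learned


def scan_conn(records: list[dict], learned_ips: set[str]) -> list[Hit]:
    """Known C2 addresses match on any port. Addresses learned only from DNS
    must also use the known C2 port, so a bare port-8000 connection to an
    unrelated host never fires on its own."""
    hits = []
    for r in records:
        dst, port = r["id.resp_h"], int(r["id.resp_p"])
        if dst in IOC_IPS:
            hits.append(Hit("conn", r["id.orig_h"], f"{dst}:{port} is a known C2 address"))
        elif dst in learned_ips and port in IOC_PORTS:
            hits.append(Hit("conn", r["id.orig_h"], f"{dst}:{port} resolved from C2 domain, C2 port"))
    return hits


def run(dns_text: str = DNS_LOG, conn_text: str = CONN_LOG) -> tuple[list[Hit], set[str]]:
    dns_hits, learned = scan_dns(parse(dns_text))
    return dns_hits + scan_conn(parse(conn_text), learned), learned


if __name__ == "__main__":
    found, extra = run()
    for h in found:
        print(f"[{h.log}] {h.host}: {h.reason}")
    print("new resolutions to add to the watch list:", sorted(extra))
```

Run against real Zeek output with `run(open("dns.log").read(), open("conn.log").read())`. Host 10.0.0.13 in the sample is the control case: it talks to port 8000 on an address that never appeared as an answer for the domain, and is correctly left alone.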

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\riomei.exe

    Filesize

    209KB

    MD5

    34d68e3c05e0d7f715eb89fa541b4e02

    SHA1

    e8bc2646a9b1e4c3535e4cc1ab8990105f83b94b

    SHA256

    7fce89cec9e61cf7125e2fb030ab0427831b046ea5edeb6c9f1420c1a6304696

    SHA512

    95a266b656bc77b83d56b890635b3688b8436458ca6de5f53ed19f10b5a2359b6a27c0bfee17cb542f957ad8efdeae24a6206961ab9f0e952eeacc598fc36f28

  • C:\Users\Admin\riomei.exe

    Filesize

    190KB

    MD5

    e3ddd3b26cbb60edfc7aec2d178065fa

    SHA1

    60993cfd75710aa012348eb89767df63ea9f6f91

    SHA256

    3dac3516d78e646f6afaa955e3668f5eef801936269440eae1bd43c0fb9a5c23

    SHA512

    56d3d822e47fb4f4f8efddf4fb156f69937f3416fd79559174de77577b781335aac1f2cd251785e8d8fad58f9ab8af3ea93ca6b83f02514cb8d2416a43a479e2

  • C:\Users\Admin\riomei.exe

    Filesize

    168KB

    MD5

    de9cdf2a3e8e39f3c4d6d5ba1e29abed

    SHA1

    1cc088e34b93704f9e77ead26e40efc33da9b1c9

    SHA256

    ea77bc9a818ba05fc3cd5bc3fc7aa958e955036ec7dcec448d2ea41f679aabe5

    SHA512

    931f8eb517a4f2fb49b5aa65f87d4eda4cec87ce747b1eaabbf53972f4feceef26790acbb0b7fb871558d199363f5233a73ad4f88393054bc14c8766f12f9478

  • \Users\Admin\riomei.exe

    Filesize

    175KB

    MD5

    c0739bda93a9ca88a75b8f6c22ae95af

    SHA1

    87477524dc0b749ea5648225dc2553eec900ce17

    SHA256

    abb5f08b914e580825e8ccef14102f0591397d48b2a51beb8f319cc2daf55edc

    SHA512

    5f39de5b0365c73ae3a1bd727617147d8eeb7e0bf080b680705d8ce1f4c54227588dba28b47a944db0b69a6419a502a7b0174a086e66176e1a3c858f34a3f5f2

  • \Users\Admin\riomei.exe

    Filesize

    126KB

    MD5

    505de89c09f9fb79bb88f0db80d49dce

    SHA1

    f607764fa663ee079984a96487f91bee5a94cc68

    SHA256

    09cc30a0f9d299015256fb171113328f5f9172022225b2aa66a67861c2d6b948

    SHA512

    f6a024232ca98d01aa0e4903e5a81043857ff4e7409693326c0c4f0c26d4121b541f67f126c757a55ef5e54ad386ad49889da9a898d8292fb0470f44c02795d6
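
The Signatures and Processes sections record three host behaviours (a Run key added for persistence, Explorer hidden/system-file settings changed, and the dropped riomei.exe executed from the profile root), and the Downloads section shows the same dropped path carrying five different SHA-256 values across runs, so a hash-only indicator is fragile. The block below is an added example, not part of the tria.ge report or its signature engine: detection logic over constructed Sysmon-style events (Event ID 1 ProcessCreate, 13 RegistryEvent value set) that covers both sections. Assumptions are marked in the code: the mapping of the "modifies visibility of hidden/system files" signature to the `Explorer\Advanced\Hidden` and `ShowSuperHidden` values is the example's, since the report does not name the registry path, and the SID and benign control events are invented.

```python
"""Detection logic for the host behaviours this report records: a Run key
pointing at a user-profile executable, Explorer hidden/system-file settings
being changed, and execution of the dropped riomei.exe. Added example over
constructed Sysmon-style events; nothing here is sandbox telemetry."""
import re
from dataclasses import dataclass

TEMP_EXE = r"C:\Users\Admin\AppData\Local\Temp\0b1a3f997b9b89dc62968a69a8888fe6.exe"
DROPPED_EXE = r"C:\Users\Admin\riomei.exe"

# SHA-256 of every riomei.exe variant listed under Downloads in the report.
DROPPED_SHA256 = {
    "7fce89cec9e61cf7125e2fb030ab0427831b046ea5edeb6c9f1420c1a6304696",
    "3dac3516d78e646f6afaa955e3668f5eef801936269440eae1bd43c0fb9a5c23",
    "ea77bc9a818ba05fc3cd5bc3fc7aa958e955036ec7dcec448d2ea41f679aabe5",
    "abb5f08b914e580825e8ccef14102f0591397d48b2a51beb8f319cc2daf55edc",
    "09cc30a0f9d299015256fb171113328f5f9172022225b2aa66a67861c2d6b948",
}

RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
# Assumption: the "modifies visibility of hidden/system files" signature maps to
# these Explorer values; the report does not name the registry path it saw.
EXPLORER_HIDDEN = re.compile(r"\\Explorer\\Advanced\\(Hidden|ShowSuperHidden)$", re.I)
USER_WRITABLE = re.compile(r'^"?[A-Z]:\\Users\\', re.I)
PROFILE_ROOT_EXE = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\[^\\]+\.exe$", re.I)

# Constructed events mirroring the report's process tree, plus two benign controls.
EVENTS = [
    {"EventID": 1, "Image": TEMP_EXE, "ParentImage": r"C:\Windows\explorer.exe",
     "Hashes": "SHA256=58b055efd58d032d96c3cf06627f0f9bc82ac7e2c32eec6e52256373e502e884"},
    {"EventID": 11, "Image": TEMP_EXE, "TargetFilename": DROPPED_EXE},
    {"EventID": 13, "Image": TEMP_EXE,
     "TargetObject": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\riomei",
     "Details": DROPPED_EXE},
    {"EventID": 13, "Image": TEMP_EXE,
     "TargetObject": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 1, "Image": DROPPED_EXE, "ParentImage": TEMP_EXE,
     "Hashes": "MD5=34d68e3c05e0d7f715eb89fa541b4e02,SHA256=7fce89cec9e61cf7125e2fb030ab0427831b046ea5edeb6c9f1420c1a6304696"},
    {"EventID": 13, "Image": DROPPED_EXE,
     "TargetObject": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\riomei",
     "Details": DROPPED_EXE},
    # Benign controls (constructed): a vendor installer persisting from Program Files,
    # and a plain process start from System32.
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
     "Details": r"C:\Program Files\Vendor\agent.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "Hashes": "SHA256=" + "0" * 64},
]


@dataclass(frozen=True)
class Hit:
    rule: str
    image: str
    detail: str


def sha256_of(hashes: str) -> str:
    """Pull SHA256 out of Sysmon's 'MD5=..,SHA256=..' Hashes field."""
    for part in hashes.split(","):
        key, _, value = part.partition("=")
        if key.strip().upper() == "SHA256":
            return value.strip().lower()
    return ""


def detect(events: list[dict]) -> list[Hit]:
    hits = []
    for e in events:
        eid, image = e["EventID"], e["Image"]
        if eid == 13 and RUN_KEY.search(e["TargetObject"]) and USER_WRITABLE.match(e["Details"]):
            hits.append(Hit("run_key_user_path", image, f"{e['TargetObject']} -> {e['Details']}"))
        elif eid == 13 and EXPLORER_HIDDEN.search(e["TargetObject"]):
            hits.append(Hit("explorer_hidden_files", image, f"{e['TargetObject']} = {e['Details']}"))
        elif eid == 1 and PROFILE_ROOT_EXE.match(image):
            # The path is the stable indicator: the report lists five hashes for
            # the same dropped file, so hash-only matching would miss most runs.
            known = sha256_of(e.get("Hashes", "")) in DROPPED_SHA256
            hits.append(Hit("profile_root_exe", image,
                            "known dropped hash" if known else "unknown hash, path pattern only"))
    return hits


def suspicious_processes(hits: list[Hit], min_rules: int = 2) -> dict[str, set[str]]:
    """Group hits by image; a process tripping two or more distinct rules
    reproduces the report's drop / persist / hide pattern."""
    by_image: dict[str, set[str]] = {}
    for h in hits:
        by_image.setdefault(h.image, set()).add(h.rule)
    return {img: rules for img, rules in by_image.items() if len(rules) >= min_rules}


if __name__ == "__main__":
    found = detect(EVENTS)
    for h in found:
        print(f"{h.rule:22} {h.image}: {h.detail}")
    print("processes with >=2 rules:", sorted(suspicious_processes(found)))
```

The vendor installer's Run key is left alone because its target lives under Program Files rather than a user-writable path, which is the distinction that matters here: the sample persists from `C:\Users\Admin\riomei.exe`, a location any unprivileged process can write.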
