
Analysis

  • max time kernel
    148s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    24/12/2023, 19:37

General

  • Target

    0e0dc5f549ae8c546b427bb568b5439f.exe

  • Size

    368KB

  • MD5

    0e0dc5f549ae8c546b427bb568b5439f

  • SHA1

    c57197b3b22a61c3d461a31b53e94cdc5f515d46

  • SHA256

    73f870cbbca75533109b51c060272741a49bfbea35fef35c55352c855637967d

  • SHA512

    e1add08dc90241d50fcf7c2fce65f3005ca4cf64acabd1cbcb88afa73296168af49e9145308513dd385cfbc559b730c59cc262260e2ade79672bd7f9f63a9d5c

  • SSDEEP

    1536:hRPwMPGmHmkiw+667MIBf28zPJtC6IoD/QWgxektFAo11S:DPwMPzHmLf2RxIf

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 52 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0e0dc5f549ae8c546b427bb568b5439f.exe
    "C:\Users\Admin\AppData\Local\Temp\0e0dc5f549ae8c546b427bb568b5439f.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3104
    • C:\Users\Admin\vaime.exe
      "C:\Users\Admin\vaime.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4452
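The signatures above (dropped vaime.exe in the user profile root, Run-key persistence, changes to Explorer's hidden/system file visibility, and a registry lookup of the configured country) map onto a handful of host checks. The script below is an added host-triage example, not part of the tria.ge report and not the sample's own code: it checks a suspect Windows host for these indicators, using the SHA256 values copied from this report. The registry paths are the standard locations for Run keys, Explorer view settings and the user's GeoID; the report does not name the exact country-code value the sample reads, so the Geo key is an assumption.

```powershell
# Added triage example (not from the tria.ge report). Run elevated on the suspect host.
# SHA256 values below are copied from the report: the submitted sample plus the three
# versions of C:\Users\Admin\vaime.exe that the sandbox captured.
$KnownSha256 = @(
    '73f870cbbca75533109b51c060272741a49bfbea35fef35c55352c855637967d',
    'c181698ad7089ef72eb5cb02308e410b2ee8a3d4d297bbcf32cd78dc30755dda',
    'df122c3b95146a34751ed4b60963ae3b4d4a5b9f65a8e897867b1f9aedb246d7',
    'd63950f75d3c0494d37ae0b23b6fab0e771a934d2fb7ece039e42be24474ed59'
)

$Findings = [System.Collections.Generic.List[string]]::new()

# 1. Dropped EXE: the sandbox saw vaime.exe written directly into the profile root.
foreach ($Profile in Get-ChildItem -Path 'C:\Users' -Directory -ErrorAction SilentlyContinue) {
    $Candidate = Join-Path $Profile.FullName 'vaime.exe'
    if (Test-Path -LiteralPath $Candidate) {
        $Hash = (Get-FileHash -LiteralPath $Candidate -Algorithm SHA256).Hash.ToLower()
        $Match = if ($KnownSha256 -contains $Hash) { 'matches report' } else { 'hash not in report' }
        $Findings.Add("Dropped file present: $Candidate SHA256=$Hash ($Match)")
    }
}

# 2. Persistence: Run/RunOnce values whose command points into a user profile or Temp path.
$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($Key in $RunKeys) {
    if (-not (Test-Path -Path $Key)) { continue }
    $Item = Get-ItemProperty -Path $Key
    foreach ($Prop in $Item.PSObject.Properties) {
        if ($Prop.Name -like 'PS*') { continue }   # skip the provider's own PSPath/PSDrive metadata
        $Cmd = [string]$Prop.Value
        if ($Cmd -match '(?i)\\Users\\|\\AppData\\|\\Temp\\|vaime\.exe') {
            $Findings.Add("Suspicious Run value: $Key\$($Prop.Name) = $Cmd")
        }
    }
}

# 3. Explorer view settings the second stage modifies.
#    Hidden: 1 = show hidden files, 2 = do not show. ShowSuperHidden: 1 = show protected OS files, 0 = hide.
$Adv = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' -ErrorAction SilentlyContinue
if ($Adv) {
    $Findings.Add("Explorer Advanced: Hidden=$($Adv.Hidden) ShowSuperHidden=$($Adv.ShowSuperHidden)")
}

# 4. Geofence: the user's configured GeoID. Assumption: the sample reads this key;
#    the report only says it looks up the country code configured in the registry.
$Geo = Get-ItemProperty -Path 'HKCU:\Control Panel\International\Geo' -ErrorAction SilentlyContinue
if ($Geo) { $Findings.Add("Configured GeoID (Nation) = $($Geo.Nation)") }

if ($Findings.Count -eq 0) { Write-Output 'No indicators from this report found.' }
$Findings | ForEach-Object { Write-Output $_ }
```

Three different hashes for the same vaime.exe path mean the file was rewritten during the run, so a host copy that matches none of them is still worth submitting rather than dismissing; the Explorer and Geo values are printed rather than judged because their legitimate defaults vary by image and locale.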

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\vaime.exe

    Filesize

    188KB

    MD5

    51ed7932f432fb3bc4b0e84a3f946493

    SHA1

    e296ebb4e457243b3c669ac3356a0a7cdfef7243

    SHA256

    c181698ad7089ef72eb5cb02308e410b2ee8a3d4d297bbcf32cd78dc30755dda

    SHA512

    54f06eee67ae759430748b2a8ccc1f3463dfd07162dc4eaa15559ed07acba36536f77ee82295d0db6635c633b701b41f916c21d70421594d492856f07abe0c04

  • C:\Users\Admin\vaime.exe

    Filesize

    368KB

    MD5

    33f471e8d673c194d67499766a0e7da8

    SHA1

    e5542f0060e71506df9795f62a016485d79d39c2

    SHA256

    df122c3b95146a34751ed4b60963ae3b4d4a5b9f65a8e897867b1f9aedb246d7

    SHA512

    63b084834a6da1f93d27fa3693aaa2bf533ebf3ffc6b984c678406143d27f86f8c07596c6b3677ede804860fcd12ea2c1c0ed13773cbba34202206c475657924

  • C:\Users\Admin\vaime.exe

    Filesize

    16KB

    MD5

    12c8cd364114e55d764261d1207da375

    SHA1

    b8d81fce7f64cc41d2103f62a0dd2bd926ce56e5

    SHA256

    d63950f75d3c0494d37ae0b23b6fab0e771a934d2fb7ece039e42be24474ed59

    SHA512

    e104e9628c1cbb2c47a4796c37fd21a854bd692a725682c7e33264d6bd20c5553e47ad24a3814ffa1ea702c1d72a05089c273f6f4d2a286d3fa6703c27753a36