Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25/12/2023, 05:49

General

  • Target

    0946cc7f6064d14c01e53002e1ac80a6.exe

  • Size

    124KB

  • MD5

    0946cc7f6064d14c01e53002e1ac80a6

  • SHA1

    a47aacee717bc1f22c1d7b24fe09866a7d5242fe

  • SHA256

    3f6a7cbf6437d41f9c00442c9cd7dd8d40c39054b11521b4bee0006d63ad4c92

  • SHA512

    5a5b1735322541bcac464cadf83615d4934ec15924e24bd262e248b889470c2e71d0c5bd573a204d5cd0391d5b9885997f46327f39ac49cae7431daaa86cb018

  • SSDEEP

    1536:hUE6hwRzuBxeDtMYHa27J14ltxporZ45izNeG0h/x:yE6hwRzkeV6gJ1uCt45Jp

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 53 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0946cc7f6064d14c01e53002e1ac80a6.exe
    "C:\Users\Admin\AppData\Local\Temp\0946cc7f6064d14c01e53002e1ac80a6.exe"
    1⤵
    • Modifies visibility of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2064
    • C:\Users\Admin\jaiuho.exe
      "C:\Users\Admin\jaiuho.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:2568

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\jaiuho.exe

    Filesize

    92KB

    MD5

    672a68475551486508b700d4ac8f28c7

    SHA1

    206219141179c2099666fac7ff3d672414a1b30d

    SHA256

    ff7e48d56663f3016e8288a021b01d8ef710dec368bcbd033c28917c3561a6fd

    SHA512

    1a586abd15f64a6471386dfe7a837bbfeb298d7f9436dbc368261d8a7b06e86227d4b4c45c306ba1a3f1e0df65c9197bc647d705cecc9f5f70871541d4e13b27