Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

2570e921ed...47.exe

windows7-x64

10

2570e921ed...47.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    120s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25/12/2023, 14:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2570e921ed79b43c5f6b5973ccd3af47.exe

  • Size

    256KB

  • MD5

    2570e921ed79b43c5f6b5973ccd3af47

  • SHA1

    8b55cda00a986c6d78a9359221a2bea973cab788

  • SHA256

    c6dc339447800099a816eb502a55a3706596f8d2ddffa0161f57b48ff4f68e72

  • SHA512

    4677e7d148dbcf91ded92e0f9ebed1add3d47a0c37e5d06fa00919b8cd3d7b2d93119bd6b7d70e9059e6b5c9e97f7718e5fbd29a144e14b98d734d4bc7189f30

  • SSDEEP

    1536:j+ogF/gFu0e9ebe9eNevdmoMel6efh4JPEhXnoQw6AcbaCEk:KogF/gFuP6efh4JPEhXnoQw6AcbaCb

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 49 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2570e921ed79b43c5f6b5973ccd3af47.exe
    "C:\Users\Admin\AppData\Local\Temp\2570e921ed79b43c5f6b5973ccd3af47.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:888
    • C:\Users\Admin\kauemad.exe
      "C:\Users\Admin\kauemad.exe"
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2680

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\kauemad.exe
    Filesize

    149KB

    MD5

    7d3ce34330158f5fb580db38ad5505fc

    SHA1

    5d15cd99a925852c90f2cf495bf7b919e15a96fa

    SHA256

    db309d450c0b321c91645be32f6044282142c2df8e345ed9421cacc653810fcf

    SHA512

    aa8f926dfdf0385f3658046455da8192ea3117594189bcbc4238a4eef99513c25e3fc79c6e063661de5ece5db2ce8217dcd801bf7fd52fb8db3c9f093841c301

    Download Submit

  • C:\Users\Admin\kauemad.exe
    Filesize

    215KB

    MD5

    d02ded691321dd60e828371954f73661

    SHA1

    8aafe786293b4938d0122441e8dbbb02e2744b7a

    SHA256

    06532771811d4558677eefe4e848d9c94b8cf108796b738387e9e5059f0b89d9

    SHA512

    b6727c875773691542b4ed7dd5d8d81c924727f8f37ba324f8210993e3c73cf7dd1c765fb2c6f26758351bd1f2c603595d643f79a4876304c79dd69f52f613e8

    Download Submit

  • C:\Users\Admin\kauemad.exe
    Filesize

    190KB

    MD5

    c7f2a270750de405140ea64673d8239a

    SHA1

    aa75a98ecc877c46b7c3e3151eea2fb533af4785

    SHA256

    da8051c7fadfe743fd40feccb887d6790b9467d421d9e3318be8c9ce20fef3fd

    SHA512

    d4e7542f6f863d0e97559330e544780a1043adabd5d1d4c8d167706c76b25beafa4c1098e21c1af3a3df13b63f40b77185755fe4f0e821adb14ad45470a0557d

    Download Submit