Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

0e88d215c5...35.exe

windows7-x64

7

0e88d215c5...35.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    102s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30/12/2023, 04:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0e88d215c560501b6a4ba041c0d54635.exe

  • Size

    118KB

  • MD5

    0e88d215c560501b6a4ba041c0d54635

  • SHA1

    95a45dd007e93df49fbb91222476160f526ee12a

  • SHA256

    5b1a748fd59c47f872ed89cf33d3c55b61939d1686396458b5cec7a97351255f

  • SHA512

    c12471436dd95c894eaf26ce2a943929376c6a5e4ecc75016d3b029bfbc519aec1d1ccf545a205d9a0ea445fa6ccff3ad0b7f0508da557efa182cde6a8d811ea

  • SSDEEP

    3072:7ni7SKGEBa+LTcXuDENCtpFqYaG9w0Hi:Li71GhacXuDyCXFqTG90

Score
7/10
persistence

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • NTFS ADS 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0e88d215c560501b6a4ba041c0d54635.exe
    "C:\Users\Admin\AppData\Local\Temp\0e88d215c560501b6a4ba041c0d54635.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3800
    • C:\Windows\SysWOW64\cmd.exe
      "cmd"
      2⤵
      • NTFS ADS
      PID:3708
    • C:\Users\Admin\AppData\Local\Temp\0e88d215c560501b6a4ba041c0d54635.exe
      0e88d215c560501b6a4ba041c0d54635.exe
      2⤵
        PID:3560
      • C:\Users\Admin\AppData\Roaming\Microsoft\Protect\Credentials\taskhostt.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\Credentials\taskhostt.exe"
        2⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:952
        • C:\Users\Admin\AppData\Roaming\Microsoft\Protect\Credentials\wmpnetvk.exe
          "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\Credentials\wmpnetvk.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3628
    • C:\Users\Admin\AppData\Roaming\Microsoft\Protect\Credentials\wmpnetvk.exe
      wmpnetvk.exe
      1⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1796
      • C:\Users\Admin\AppData\Local\Temp\lsass.exe
        "C:\Users\Admin\AppData\Local\Temp\lsass.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2088
    • C:\Users\Admin\AppData\Local\Temp\lsass.exe
      lsass.exe
      1⤵
      • Executes dropped EXE
      PID:2976

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Protect\Credentials\taskhostt.exe
      Filesize

      9KB

      MD5

      bebc70fd32454c81af2d47e74ec29cc9

      SHA1

      6b039556ac4841c5ce3650016bd7a1adb94df2ee

      SHA256

      bb891551f5fb9e76ca1034f7b03f8f4ee2e45ac0583eefd7b9e5b4e3c2fb48db

      SHA512

      7ca06e907aa64bc672334b54259cd13c85a0cde6263bc445b3a9c7d668ddd8d02ed881c799b140b99456b3be38618064bb33474934c7445b1564294014bf5813

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Protect\Credentials\wmpnetvk.exe
      Filesize

      118KB

      MD5

      0e88d215c560501b6a4ba041c0d54635

      SHA1

      95a45dd007e93df49fbb91222476160f526ee12a

      SHA256

      5b1a748fd59c47f872ed89cf33d3c55b61939d1686396458b5cec7a97351255f

      SHA512

      c12471436dd95c894eaf26ce2a943929376c6a5e4ecc75016d3b029bfbc519aec1d1ccf545a205d9a0ea445fa6ccff3ad0b7f0508da557efa182cde6a8d811ea

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Protect\Credentials\wmpnetvk.exe
      Filesize

      91KB

      MD5

      f14995f1b471f8dd7b44e745296b3c6f

      SHA1

      740b86453544e2efe039069f1925fc0160b16ed0

      SHA256

      36995bbc00ba69ecfaa0b70cfb3f75318d5fa1dd7f4fe8b8b5aa28bf4782a71f

      SHA512

      bc307046c76bb2c419ee9ebb19acfe0280c5ddc91ea0a3c516787b1128829b6dce6df012f792541cf802d30af24c48c03b973ada611e9120e4f36e4df44d64a3

      Download Submit

    • memory/952-44-0x0000000074CD0000-0x0000000075281000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/952-45-0x0000000000F50000-0x0000000000F60000-memory.dmp

      Filesize

      64KB

      Download

    • memory/952-18-0x0000000000F50000-0x0000000000F60000-memory.dmp

      Filesize

      64KB

      Download

    • memory/952-19-0x0000000074CD0000-0x0000000075281000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/952-17-0x0000000074CD0000-0x0000000075281000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/1796-25-0x0000000000400000-0x0000000000414000-memory.dmp

      Filesize

      80KB

      Download

    • memory/1796-29-0x0000000000400000-0x0000000000414000-memory.dmp

      Filesize

      80KB

      Download

    • memory/2088-39-0x0000000074CD0000-0x0000000075281000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/2088-48-0x0000000074CD0000-0x0000000075281000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/2088-36-0x0000000074CD0000-0x0000000075281000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/2976-41-0x0000000000400000-0x0000000000414000-memory.dmp

      Filesize

      80KB

      Download

    • memory/3628-24-0x0000000000DD0000-0x0000000000DE0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3628-23-0x0000000074CD0000-0x0000000075281000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/3628-47-0x0000000000DD0000-0x0000000000DE0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3628-46-0x0000000074CD0000-0x0000000075281000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/3628-28-0x0000000074CD0000-0x0000000075281000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/3800-0-0x0000000074CD0000-0x0000000075281000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/3800-42-0x0000000074CD0000-0x0000000075281000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/3800-43-0x0000000074CD0000-0x0000000075281000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/3800-1-0x0000000074CD0000-0x0000000075281000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/3800-2-0x00000000018B0000-0x00000000018C0000-memory.dmp

      Filesize

      64KB

      Download