Analysis

  • max time kernel
    147s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    30/12/2023, 04:05

General

  • Target

    0dd7be06304eeef29f283a6831f266eb.exe

  • Size

    521KB

  • MD5

    0dd7be06304eeef29f283a6831f266eb

  • SHA1

    63d30c952f5d67fa471755b1730ecd65f85f752e

  • SHA256

    84d5a89098e572c70875eb34b8b1e1afec6d62a9479087a324aa9935d67792d1

  • SHA512

    3c046d38473d6e8d7ee5434a5b11c4cbca5764de004574fb4737c5a4a51e48ac5e02065ecb8b734fbdf3679d7af0952ecad7324dea909f251e0c3cdc4cfafcb0

  • SSDEEP

    12288:b79WjXvHsLll59YOBrzkr51us7TPyF9j8bx7B:b79nB9vR+r7jiFU7B

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 10 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0dd7be06304eeef29f283a6831f266eb.exe
    "C:\Users\Admin\AppData\Local\Temp\0dd7be06304eeef29f283a6831f266eb.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:4152
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Windows\System32\abc.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2560
      • C:\Windows\SysWOW64\InstallIme.exe
        InstallIme.exe WinABC.ime ╓╟─▄ABC
        3⤵
        • Executes dropped EXE
        PID:4928

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\SysWOW64\InstallIme.exe

    Filesize

    13KB

    MD5

    dbc380afd5b811dd18159109ff8011a0

    SHA1

    5659063c172c1ac024533bbc395d757343c7a9e8

    SHA256

    0382ce9fd4f9ef7c7f7070f2ffb1c2f004611f6d4af23e3cdfef2fd2d2b47c2b

    SHA512

    103c369295fb0fda548041ed4028447f65f266d671b94ec888abe610a6e9b15f713f85fb90240156abe7bb0309d578d0db23df38ae28f5a17275e0ea6f5be6ce

  • C:\Windows\SysWOW64\WinABC.ime

    Filesize

    93KB

    MD5

    8404f623db60aa8ca30a477dfef0b76b

    SHA1

    f94bc0b0009198db78b7d8c9931408a16a0a62eb

    SHA256

    8bb76acc10c62272820ed7ee48112402889fc605adede7b9457178d4452ffccb

    SHA512

    58a71c4bf8a42902e5737d38fd99839bcc53606732518f94cb6b536e7dcd840399a444d771da60aa32fc07a110781cecb6cfb850ed89b17e2f3defb71b071a1b

  • C:\Windows\SysWOW64\abc.bat

    Filesize

    33B

    MD5

    b76965645c5148231a785f48a5077c9b

    SHA1

    03363d157657324aed0a873b1ae76960af648c00

    SHA256

    20c15159c70c3807597ac0f9f08937f0402f51eda155f90db462af9e7b40f9d2

    SHA512

    2ec05d1efc0c582a14657bafe1bc04474831beebfbafba39eecc58a409fccf13835662778abd55a513dcd5b18022ea8bc4d5d8fd24982d060242d7a8f80450d5