Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
04/02/2024, 04:12
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
8e2fc6bb9e9631472097273285509d67.exe
Resource
win7-20231129-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
8e2fc6bb9e9631472097273285509d67.exe
Resource
win10v2004-20231215-en
windows10-2004-x64
8 signatures
150 seconds
General
-
Target
8e2fc6bb9e9631472097273285509d67.exe
-
Size
100KB
-
MD5
8e2fc6bb9e9631472097273285509d67
-
SHA1
7076272a46fa81449413301a181f5b9cea15fd89
-
SHA256
c7108e4a208d377bfdc6b7f72972a72fb12ec9d23cfd9d64f9def1c0ef6d40fa
-
SHA512
cd9df864d3fc3e92b679c5b14ae58cb6b433c3db726fa8cc4975d6c501a8ba98af5bb4429e2a3832588fd54c897ddf28a35779452f353e075cc6c06fa5525732
-
SSDEEP
1536:iStGA82NTzwylJMGAc4ohrPXo+73Rez8b0SyKNIjnZrJ:ZwTurPX7CKCnlJ
Score
10/10
Malware Config
Signatures
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" 8e2fc6bb9e9631472097273285509d67.exe Set value (int) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" leooho.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation 8e2fc6bb9e9631472097273285509d67.exe -
Executes dropped EXE 1 IoCs
pid Process 900 leooho.exe -
Adds Run key to start application 2 TTPs 53 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leooho = "C:\\Users\\Admin\\leooho.exe /N" leooho.exe Set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leooho = "C:\\Users\\Admin\\leooho.exe /k" leooho.exe Set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leooho = "C:\\Users\\Admin\\leooho.exe /J" leooho.exe Set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leooho = "C:\\Users\\Admin\\leooho.exe /S" leooho.exe Set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leooho = "C:\\Users\\Admin\\leooho.exe /W" leooho.exe Set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leooho = "C:\\Users\\Admin\\leooho.exe /U" leooho.exe Set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leooho = "C:\\Users\\Admin\\leooho.exe /f" leooho.exe Set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leooho = "C:\\Users\\Admin\\leooho.exe /g" leooho.exe Set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leooho = "C:\\Users\\Admin\\leooho.exe /P" leooho.exe Set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leooho = "C:\\Users\\Admin\\leooho.exe /y" leooho.exe Set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leooho = "C:\\Users\\Admin\\leooho.exe /L" leooho.exe Set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leooho = "C:\\Users\\Admin\\leooho.exe /b" leooho.exe Set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leooho = "C:\\Users\\Admin\\leooho.exe /s" leooho.exe Set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leooho = "C:\\Users\\Admin\\leooho.exe /h" leooho.exe Set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leooho = "C:\\Users\\Admin\\leooho.exe /M" leooho.exe Set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leooho = "C:\\Users\\Admin\\leooho.exe /K" leooho.exe Set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leooho = "C:\\Users\\Admin\\leooho.exe /G" leooho.exe Set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leooho = "C:\\Users\\Admin\\leooho.exe /F" leooho.exe Set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leooho = "C:\\Users\\Admin\\leooho.exe /w" leooho.exe Set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leooho = "C:\\Users\\Admin\\leooho.exe /t" leooho.exe Set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leooho = "C:\\Users\\Admin\\leooho.exe /H" leooho.exe Set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leooho = "C:\\Users\\Admin\\leooho.exe /V" leooho.exe Set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leooho = "C:\\Users\\Admin\\leooho.exe /E" leooho.exe Set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leooho = "C:\\Users\\Admin\\leooho.exe /R" leooho.exe Set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leooho = "C:\\Users\\Admin\\leooho.exe /I" leooho.exe Set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leooho = "C:\\Users\\Admin\\leooho.exe /Y" leooho.exe Set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leooho = "C:\\Users\\Admin\\leooho.exe /j" leooho.exe Set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leooho = "C:\\Users\\Admin\\leooho.exe /O" leooho.exe Set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leooho = "C:\\Users\\Admin\\leooho.exe /A" leooho.exe Set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leooho = "C:\\Users\\Admin\\leooho.exe /e" leooho.exe Set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leooho = "C:\\Users\\Admin\\leooho.exe /Z" leooho.exe Set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leooho = "C:\\Users\\Admin\\leooho.exe /a" leooho.exe Set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leooho = "C:\\Users\\Admin\\leooho.exe /D" leooho.exe Set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leooho = "C:\\Users\\Admin\\leooho.exe /r" leooho.exe Set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leooho = "C:\\Users\\Admin\\leooho.exe /m" leooho.exe Set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leooho = "C:\\Users\\Admin\\leooho.exe /q" leooho.exe Set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leooho = "C:\\Users\\Admin\\leooho.exe /l" leooho.exe Set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leooho = "C:\\Users\\Admin\\leooho.exe /z" leooho.exe Set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leooho = "C:\\Users\\Admin\\leooho.exe /T" leooho.exe Set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leooho = "C:\\Users\\Admin\\leooho.exe /n" leooho.exe Set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leooho = "C:\\Users\\Admin\\leooho.exe /b" 8e2fc6bb9e9631472097273285509d67.exe Set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leooho = "C:\\Users\\Admin\\leooho.exe /C" leooho.exe Set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leooho = "C:\\Users\\Admin\\leooho.exe /Q" leooho.exe Set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leooho = "C:\\Users\\Admin\\leooho.exe /B" leooho.exe Set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leooho = "C:\\Users\\Admin\\leooho.exe /u" leooho.exe Set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leooho = "C:\\Users\\Admin\\leooho.exe /o" leooho.exe Set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leooho = "C:\\Users\\Admin\\leooho.exe /d" leooho.exe Set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leooho = "C:\\Users\\Admin\\leooho.exe /v" leooho.exe Set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leooho = "C:\\Users\\Admin\\leooho.exe /c" leooho.exe Set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leooho = "C:\\Users\\Admin\\leooho.exe /p" leooho.exe Set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leooho = "C:\\Users\\Admin\\leooho.exe /X" leooho.exe Set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leooho = "C:\\Users\\Admin\\leooho.exe /x" leooho.exe Set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leooho = "C:\\Users\\Admin\\leooho.exe /i" leooho.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2044 8e2fc6bb9e9631472097273285509d67.exe 2044 8e2fc6bb9e9631472097273285509d67.exe 900 leooho.exe 900 leooho.exe 900 leooho.exe 900 leooho.exe 900 leooho.exe 900 leooho.exe 900 leooho.exe 900 leooho.exe 900 leooho.exe 900 leooho.exe 900 leooho.exe 900 leooho.exe 900 leooho.exe 900 leooho.exe 900 leooho.exe 900 leooho.exe 900 leooho.exe 900 leooho.exe 900 leooho.exe 900 leooho.exe 900 leooho.exe 900 leooho.exe 900 leooho.exe 900 leooho.exe 900 leooho.exe 900 leooho.exe 900 leooho.exe 900 leooho.exe 900 leooho.exe 900 leooho.exe 900 leooho.exe 900 leooho.exe 900 leooho.exe 900 leooho.exe 900 leooho.exe 900 leooho.exe 900 leooho.exe 900 leooho.exe 900 leooho.exe 900 leooho.exe 900 leooho.exe 900 leooho.exe 900 leooho.exe 900 leooho.exe 900 leooho.exe 900 leooho.exe 900 leooho.exe 900 leooho.exe 900 leooho.exe 900 leooho.exe 900 leooho.exe 900 leooho.exe 900 leooho.exe 900 leooho.exe 900 leooho.exe 900 leooho.exe 900 leooho.exe 900 leooho.exe 900 leooho.exe 900 leooho.exe 900 leooho.exe 900 leooho.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2044 8e2fc6bb9e9631472097273285509d67.exe 900 leooho.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 2044 wrote to memory of 900 2044 8e2fc6bb9e9631472097273285509d67.exe 86 PID 2044 wrote to memory of 900 2044 8e2fc6bb9e9631472097273285509d67.exe 86 PID 2044 wrote to memory of 900 2044 8e2fc6bb9e9631472097273285509d67.exe 86
Processes
-
C:\Users\Admin\AppData\Local\Temp\8e2fc6bb9e9631472097273285509d67.exe"C:\Users\Admin\AppData\Local\Temp\8e2fc6bb9e9631472097273285509d67.exe"1⤵
- Modifies visiblity of hidden/system files in Explorer
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2044 -
C:\Users\Admin\leooho.exe"C:\Users\Admin\leooho.exe"2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:900
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
100KB
MD51d702b03e719eb7e06b2e0bf33b3b0d3
SHA1a35e2384832545a1d73926b53bee92ed7514a018
SHA256bd1768ef734da9684b48229302de62146812277c3d5f5e010355852f3dbaf54d
SHA512a3a8bf9fa3ab13dd84704f23d3fad8708da3869eeed2373be3a685bb1cd76a27092328fe5387bd10d192f4f520e37c462ab575853c2709e05b2ac96db48161c7