
Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04/02/2024, 04:12

General

  • Target

    8e2fc6bb9e9631472097273285509d67.exe

  • Size

    100KB

  • MD5

    8e2fc6bb9e9631472097273285509d67

  • SHA1

    7076272a46fa81449413301a181f5b9cea15fd89

  • SHA256

    c7108e4a208d377bfdc6b7f72972a72fb12ec9d23cfd9d64f9def1c0ef6d40fa

  • SHA512

    cd9df864d3fc3e92b679c5b14ae58cb6b433c3db726fa8cc4975d6c501a8ba98af5bb4429e2a3832588fd54c897ddf28a35779452f353e075cc6c06fa5525732

  • SSDEEP

    1536:iStGA82NTzwylJMGAc4ohrPXo+73Rez8b0SyKNIjnZrJ:ZwTurPX7CKCnlJ

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 53 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8e2fc6bb9e9631472097273285509d67.exe
    "C:\Users\Admin\AppData\Local\Temp\8e2fc6bb9e9631472097273285509d67.exe"
    1⤵
    • Modifies visibility of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2044
    • C:\Users\Admin\leooho.exe
      "C:\Users\Admin\leooho.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:900
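
The signatures and process tree above describe three registry/file behaviours that are easy to turn into host-side detections: a Run-key entry pointing at a user-writable path, a change to Explorer's hidden/system-file visibility settings, and an executable dropped into the user's profile root and then executed by a child process. The following is an added example (not tria.ge's code) that applies those rules to Sysmon-style events. The event dicts are constructed to mirror this report's tree (PID 2044 dropping and persisting C:\Users\Admin\leooho.exe, PID 900 executing it), and the mapping of the signatures to the `...\CurrentVersion\Run` and `...\Explorer\Advanced\Hidden` / `ShowSuperHidden` values is an assumption; the report does not list the exact registry paths touched.

```python
"""Detection rules for the behaviours flagged in this sandbox report, evaluated
over constructed Sysmon-style events (IDs 1 = process create, 11 = file create,
13 = registry value set).  Added example; events and rule mapping are assumed."""
import re
from typing import Iterable

# Assumed registry locations behind "Adds Run key to start application" and
# "Modifies visibility of hidden/system files in Explorer".
RUN_KEY_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\[^\\]+$", re.IGNORECASE)
EXPLORER_VIS_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\"
    r"(Hidden|ShowSuperHidden)$", re.IGNORECASE)
# An .exe sitting directly in a profile root, e.g. C:\Users\Admin\leooho.exe.
USER_ROOT_EXE_RE = re.compile(r"^C:\\Users\\[^\\]+\\[^\\]+\.exe$", re.IGNORECASE)
TRUSTED_DIRS = (r"c:\program files", r"c:\windows")


def _user_writable(command: str) -> bool:
    """True unless the Run-key command points into Program Files or Windows."""
    return not command.strip('"').lower().startswith(TRUSTED_DIRS)


def detect(events: Iterable[dict]) -> list[tuple[str, int, str]]:
    """Return (rule, pid, artifact) triples; events must be in time order so a
    file-create (11) is seen before the process-create (1) that runs it."""
    findings: list[tuple[str, int, str]] = []
    dropped: set[str] = set()  # lower-cased paths created in a profile root
    for ev in events:
        eid, pid = ev["id"], ev["pid"]
        if eid == 11 and USER_ROOT_EXE_RE.match(ev["target"]):
            dropped.add(ev["target"].lower())
            findings.append(("exe_dropped_in_profile_root", pid, ev["target"]))
        elif eid == 1 and ev["image"].lower() in dropped:
            findings.append(("executes_dropped_exe", pid, ev["image"]))
        elif eid == 13:
            tgt = ev["target"]
            if RUN_KEY_RE.search(tgt) and _user_writable(ev["details"]):
                findings.append(("run_key_user_writable_target", pid, tgt))
            elif EXPLORER_VIS_RE.search(tgt):
                findings.append(("explorer_hidden_files_tampered", pid, tgt))
    return findings


# Constructed events modelled on the report's process tree, plus two benign
# events (OneDrive's own Run key, an installer in Downloads) that must not fire.
HKU = r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion"
SAMPLE_EVENTS = [
    {"id": 1, "pid": 2044,
     "image": r"C:\Users\Admin\AppData\Local\Temp\8e2fc6bb9e9631472097273285509d67.exe"},
    {"id": 13, "pid": 2044, "target": HKU + r"\Explorer\Advanced\Hidden",
     "details": "DWORD (0x00000002)"},
    {"id": 11, "pid": 2044, "target": r"C:\Users\Admin\leooho.exe"},
    {"id": 13, "pid": 2044, "target": HKU + r"\Run\leooho",
     "details": r"C:\Users\Admin\leooho.exe"},
    {"id": 1, "pid": 900, "image": r"C:\Users\Admin\leooho.exe"},
    {"id": 13, "pid": 900, "target": HKU + r"\Explorer\Advanced\ShowSuperHidden",
     "details": "DWORD (0x00000000)"},
    {"id": 13, "pid": 1234,
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "details": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe"},
    {"id": 11, "pid": 1234, "target": r"C:\Users\Admin\Downloads\setup.exe"},
]

if __name__ == "__main__":
    for rule, pid, artifact in detect(SAMPLE_EVENTS):
        print(f"{rule:32} pid={pid:<5} {artifact}")
```

Two caveats a responder should keep in mind: the "Checks computer location settings" signature is a registry read (the configured country code), which Sysmon does not log, so it has to be confirmed from a sandbox or an API trace rather than from these events; and the Run-key rule deliberately keys on where the command points rather than on the filename, because the dropped name here (leooho.exe) looks randomly generated and will not be stable across samples. The file hashes listed under Downloads remain the reliable static IOCs for this particular pair of binaries.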

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\leooho.exe

    Filesize

    100KB

    MD5

    1d702b03e719eb7e06b2e0bf33b3b0d3

    SHA1

    a35e2384832545a1d73926b53bee92ed7514a018

    SHA256

    bd1768ef734da9684b48229302de62146812277c3d5f5e010355852f3dbaf54d

    SHA512

    a3a8bf9fa3ab13dd84704f23d3fad8708da3869eeed2373be3a685bb1cd76a27092328fe5387bd10d192f4f520e37c462ab575853c2709e05b2ac96db48161c7