Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

3

e15cfa0ebe...ed.exe

windows7-x64

8

e15cfa0ebe...ed.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    148s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27/03/2024, 09:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e15cfa0ebee2434ea5754b8792e99fed.exe

  • Size

    457KB

  • MD5

    e15cfa0ebee2434ea5754b8792e99fed

  • SHA1

    5c266f0cc99ced529a6f45a75cf4028d3b129ef1

  • SHA256

    44a3de7a127eb36b40a74a0060878511552e2c1cf1895fa1c3c94e2b97700e2f

  • SHA512

    2274f30ea04d57a8c119ffa8cc6550bad318936b4ee3c079cd08f48d321b55460810115f77304705fdf38334a1f9f3e80197ade106b9b3fbe70bcb65ce774144

  • SSDEEP

    12288:8ruv4bsMW39A6Mir4Zhp9TOZ7OoKkBfTqXheBZdo3Q:v4v6A7ZhIV2XheHO

Score
8/10
evasionpersistence

Malware Config

Signatures

  • Disables Task Manager via registry modification
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 28 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3504
      • C:\Users\Admin\AppData\Local\Temp\e15cfa0ebee2434ea5754b8792e99fed.exe
        "C:\Users\Admin\AppData\Local\Temp\e15cfa0ebee2434ea5754b8792e99fed.exe"
        2⤵
        • Checks computer location settings
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: RenamesItself
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:3492
        • C:\Users\Admin\AppData\Local\Temp\fPQSIKlJJK.exe
          "C:\Users\Admin\AppData\Local\Temp\fPQSIKlJJK.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1508

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\JSJEFAOQke.dll
      Filesize

      409KB

      MD5

      df277c7402149235d44dc9c7c8bb0275

      SHA1

      6dc8bd3deac80bee4af156c55fdffd125a684de6

      SHA256

      f230263b33195c7c9809ed01146eb930b84be41f2048be05da43945a0b5c829f

      SHA512

      b49c7b67f39f0f905c4cdf061faae22d77347b827ff999d2784621d95faae3c8bac206a7c44145653f137da9de771ddc83b5660abaa01300c7690e0dc3ab85b5

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\fPQSIKlJJK.exe
      Filesize

      457KB

      MD5

      e15cfa0ebee2434ea5754b8792e99fed

      SHA1

      5c266f0cc99ced529a6f45a75cf4028d3b129ef1

      SHA256

      44a3de7a127eb36b40a74a0060878511552e2c1cf1895fa1c3c94e2b97700e2f

      SHA512

      2274f30ea04d57a8c119ffa8cc6550bad318936b4ee3c079cd08f48d321b55460810115f77304705fdf38334a1f9f3e80197ade106b9b3fbe70bcb65ce774144

      Download Submit

    • memory/1508-13-0x0000000000400000-0x0000000000558000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/1508-20-0x0000000000400000-0x0000000000558000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/3492-0-0x0000000000A10000-0x0000000000A80000-memory.dmp

      Filesize

      448KB

      Download

    • memory/3492-1-0x0000000000400000-0x0000000000558000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/3492-19-0x0000000000400000-0x0000000000558000-memory.dmp

      Filesize

      1.3MB

      Download