Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel: 147s
  • max time network: 156s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240226-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 27/03/2024, 11:27

General

  • Target: e18de2b27a663f6846214ec173831bf1.exe
  • Size: 48KB
  • MD5: e18de2b27a663f6846214ec173831bf1
  • SHA1: c82de45993410c366d42e736ec677b3652531d14
  • SHA256: c6eb261246006172d4747f446bc0b0bec89e9a0b620599834ab5d4b75b43d0e3
  • SHA512: b583c766698835ffa34294d13801fb1444095170817a6e03cdabb0b1283d9e913eb982419d6c078da675c98404f8e40f9ccca7b8af7d98ec71c8ed0ba8c1ea4d
  • SSDEEP: 1536:s2fRz+rGYkk7whkhLEKjQ7HKF7f88P/y4:skz+rGYRwmEGQ7HKF7BPq

Score: 7/10 (upx)

Signatures

  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE (1 IoC)
  • UPX packed file (2 IoCs)

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in System32 directory (1 IoC)
  • Drops file in Windows directory (5 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory (3 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\e18de2b27a663f6846214ec173831bf1.exe (PID 4080)
    Command line: "C:\Users\Admin\AppData\Local\Temp\e18de2b27a663f6846214ec173831bf1.exe"
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    • C:\Windows\SysWOW64\cmd.exe (PID 3812, child process)
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_check32.bat" "
  • C:\Windows\SysWOW64\aspimgr.exe (PID 2176)
    Command line: C:\Windows\SysWOW64\aspimgr.exe
    • Executes dropped EXE
    • Drops file in Windows directory
  • C:\Windows\system32\WerFault.exe (PID 3924)
    Command line: "C:\Windows\system32\WerFault.exe" -k -lc NDIS NDIS-20240327-1130.dmp

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\_check32.bat
    Filesize: 179B
    MD5: ab3cdfeecda06f992835fb4715f9499c
    SHA1: b7f9ea4433b1c4185d7c944d0adbf9c1685757ee
    SHA256: 9e0c0e33134ebeebfe0fc2e666ba55e98a661b27d638180bf8a540d0d9f6c974
    SHA512: 1c7b9db38664994c0ec43a74de317275dc6416d189c0620ad7f88b2f046c778f1be4982d787ea1754a7ce8ebd6b32bbb200558ae15794e6a9fdb945da193381b

  • C:\Windows\SysWOW64\aspimgr.exe
    Filesize: 76KB
    MD5: 0e90434bff4d9b9a7af1823b4e15ef95
    SHA1: 1cef350445f2ad32e66cf140c61ea23905f217e0
    SHA256: 1b7067c559f7c56387c85efb5607dce2d582b3d61ab1e14076b39572d11d8db8
    SHA512: 2851649ece9b3b3e25679653cf151ea4fcd0b4c7b7c07e1c9da3b19fb31db002f09598ea63f9cea3de516ccad96987dd548242a5386e46d68f5ee7a47cb93dfa

  • C:\Windows\db32.txt
    Filesize: 100B
    MD5: 0ec43532ebb4cb128756cae16a6c8a1f
    SHA1: c1003014cd2c0682e59f00fbb195e4926774c45a
    SHA256: c7ef2d1f7b0b6339ed60881718c5f76cf1b44292ad6b6c7b7fe5cfb4658e7562
    SHA512: c7d95cd687ad9a3a21057348a5da7f140cae9b29de90a494a6062297a6c7d9a82c6d6c2293e764552e004465cb4d80a4d8cd07915771efd3cf71de00e6aa9086

  • C:\Windows\s32.txt
    Filesize: 57B
    MD5: 6d5a6ae5a286557b4bd2dde7d664a33f
    SHA1: 0c0337f8a9b19d0f749547578b4907506c0fcf9f
    SHA256: bd16bd826602c6547a8a95239225ae225df7b3046bd08b8d96c414003cbf12e7
    SHA512: b4d3172657627ec8467d535c4140b02d643009472caa6dc5ea5f898bcc9bab922144bc4a352a22c56e0800087a82ea366ae92134725ed68b20ed7ebaaa2f5e34

  • C:\Windows\ws386.ini
    Filesize: 12B
    MD5: 5aad4b42fcb56f2fd21c9f1bc08e997f
    SHA1: da02214c9d0f66f834649e26fd530c4fc06a0f11
    SHA256: 8123a4f78c7f4d85cc5013d1a962c6ca6601414295c00e5bb7ac24361c40880c
    SHA512: 65728ff669f0ab61004aa5f7bcc8c98970afe7b5fa7b77605348d8218f5399e6ae1cda866d47aa21a54af45ebf4a46ff5fb99d85bc70b290f5d4c0ecf6b6e6ed

  • memory/4080-0-0x0000000000400000-0x0000000000420000-memory.dmp
    Filesize: 128KB

  • memory/4080-13-0x0000000000400000-0x0000000000420000-memory.dmp
    Filesize: 128KB