Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

0e0d3ddefd...82.exe

windows7-x64

10

0e0d3ddefd...82.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    76s
  • max time network
    113s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16/04/2024, 19:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0e0d3ddefdc1988a36be55ae055ed039f40bc98ba24f17a11b47a1a362c5da82.exe

  • Size

    76KB

  • MD5

    1588dc7d8a815648d291e3c6f24a3f2c

  • SHA1

    99cdd498657f40aa531df08c93e5eeb9cc9f2fef

  • SHA256

    0e0d3ddefdc1988a36be55ae055ed039f40bc98ba24f17a11b47a1a362c5da82

  • SHA512

    9aa2f0ba85b5a172cf7d40413a221f1ba7c3bd7b1371f79eafd2ae5d575c9fba0cc31544ac0771cd5149d268f89e89d91a81129c49fd9b343d8ea5acc1200059

  • SSDEEP

    768:xMIrCOtyLoW0+xOF4/i/BEYkp7P6lweQDhDmpU5GFrrEzWsdSE0d8pUHIkI0Inn8:xJWp3xO+2G40OIkan8

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0e0d3ddefdc1988a36be55ae055ed039f40bc98ba24f17a11b47a1a362c5da82.exe
    "C:\Users\Admin\AppData\Local\Temp\0e0d3ddefdc1988a36be55ae055ed039f40bc98ba24f17a11b47a1a362c5da82.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4408
    • C:\Users\Admin\ybquw.exe
      "C:\Users\Admin\ybquw.exe"
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:4444

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\ybquw.exe
    Filesize

    76KB

    MD5

    2914466ab5d7c5af40ba66b0e8b1c745

    SHA1

    595600f9e88f06485770415762867015d05c1125

    SHA256

    bfc83267e72d0e29847da74e55a8aeeb37bf4e050fbb41f7d861f50e5925b0f9

    SHA512

    c1b60a6cd6161b305e0c2b69033aec9c7c2d9b7e0649a59dc6b5a1a681f7cbcb49e5824492e2d63bd7ece4771acbea1b633ecbc03010e2cb753b1fefe2b38836

    Download Submit