Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 160s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10/05/2024, 03:56
Static task: static1
Behavioral task: behavioral1
  Sample: e10761fe70448a202ffa8645c6f96b6ae4a158d8f59c757648d4a3bf402ce60e.exe
  Resource: win7-20240215-en
Behavioral task: behavioral2 (the run shown on this page)
  Sample: e10761fe70448a202ffa8645c6f96b6ae4a158d8f59c757648d4a3bf402ce60e.exe
  Resource: win10v2004-20240226-en
General
Target: e10761fe70448a202ffa8645c6f96b6ae4a158d8f59c757648d4a3bf402ce60e.exe
Size: 253KB
MD5: e9e341b607fa2bd09f3f4cf244e244a7
SHA1: c84d8bb906ed35c068e4692cdb65f1ee31bcb06d
SHA256: e10761fe70448a202ffa8645c6f96b6ae4a158d8f59c757648d4a3bf402ce60e
SHA512: 77a47b314dd197c4ed6628e4c9229c0700f90adcae86a2095c1be5fd078beaa1d5ad8f045807be704ee536b1fd7ba29236c18d22c280fd5142eb568fd88a6931
SSDEEP: 3072:H4F9A0dgTGu8PepQEwwKDJz39z2uurBIDjAHLx4G8EFNmsIkR8zBy5isktTA1VTe:E5dgTt8mpH0D4KuQMe
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | reg.exe
UAC bypass 1 IoCs
Sets EnableLUA to 0, which switches UAC off for the whole machine once it reboots (reported against reg.exe PID 1128 in the process tree).
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | pkMwQEgo.exe
Executes dropped EXE 3 IoCs
pid | Process
4712 | MeEcwsoc.exe
3788 | pkMwQEgo.exe
1360 | chocolatey.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials and other stored secrets. No IoC rows are listed for this signature.
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MeEcwsoc.exe = "C:\\Users\\Admin\\YIMEIwAw\\MeEcwsoc.exe" | e10761fe70448a202ffa8645c6f96b6ae4a158d8f59c757648d4a3bf402ce60e.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pkMwQEgo.exe = "C:\\ProgramData\\OyoMwIMA\\pkMwQEgo.exe" | e10761fe70448a202ffa8645c6f96b6ae4a158d8f59c757648d4a3bf402ce60e.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MeEcwsoc.exe = "C:\\Users\\Admin\\YIMEIwAw\\MeEcwsoc.exe" | MeEcwsoc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pkMwQEgo.exe = "C:\\ProgramData\\OyoMwIMA\\pkMwQEgo.exe" | pkMwQEgo.exe
Both dropped binaries re-write their own Run key when they start, so the persistence is restored even if the original sample's entry is removed. The HKLM entry lands under WOW6432Node because the sample is a 32-bit process writing through WOW64 registry redirection.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Modifies registry key 1 TTPs 3 IoCs
pid | Process
112 | reg.exe
1128 | reg.exe
2952 | reg.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid | Process
1132 | e10761fe70448a202ffa8645c6f96b6ae4a158d8f59c757648d4a3bf402ce60e.exe (4 identical entries)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
3788 | pkMwQEgo.exe
Suspicious use of FindShellTrayWindow 64 IoCs
pid | Process
3788 | pkMwQEgo.exe (64 identical entries)
Suspicious use of WriteProcessMemory 20 IoCs
description | pid | Process | procid_target
PID 1132 wrote to memory of 4712 | 1132 | e10761fe70448a202ffa8645c6f96b6ae4a158d8f59c757648d4a3bf402ce60e.exe | 91 (3 entries)
PID 1132 wrote to memory of 3788 | 1132 | e10761fe70448a202ffa8645c6f96b6ae4a158d8f59c757648d4a3bf402ce60e.exe | 92 (3 entries)
PID 1132 wrote to memory of 1972 | 1132 | e10761fe70448a202ffa8645c6f96b6ae4a158d8f59c757648d4a3bf402ce60e.exe | 93 (3 entries)
PID 1132 wrote to memory of 112 | 1132 | e10761fe70448a202ffa8645c6f96b6ae4a158d8f59c757648d4a3bf402ce60e.exe | 94 (3 entries)
PID 1132 wrote to memory of 2952 | 1132 | e10761fe70448a202ffa8645c6f96b6ae4a158d8f59c757648d4a3bf402ce60e.exe | 95 (3 entries)
PID 1132 wrote to memory of 1128 | 1132 | e10761fe70448a202ffa8645c6f96b6ae4a158d8f59c757648d4a3bf402ce60e.exe | 96 (3 entries)
PID 1972 wrote to memory of 1360 | 1972 | cmd.exe | 101 (2 entries)
Every target is the writer's own child process (see the process tree), so these writes are consistent with ordinary process start-up rather than injection into an unrelated process.
Processes
-
C:\Users\Admin\AppData\Local\Temp\e10761fe70448a202ffa8645c6f96b6ae4a158d8f59c757648d4a3bf402ce60e.exe (level 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\e10761fe70448a202ffa8645c6f96b6ae4a158d8f59c757648d4a3bf402ce60e.exe"
  PID:1132
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\YIMEIwAw\MeEcwsoc.exe (level 2)
    command line: "C:\Users\Admin\YIMEIwAw\MeEcwsoc.exe"
    PID:4712
    - Executes dropped EXE
    - Adds Run key to start application
  C:\ProgramData\OyoMwIMA\pkMwQEgo.exe (level 2)
    command line: "C:\ProgramData\OyoMwIMA\pkMwQEgo.exe"
    PID:3788
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
  C:\Windows\SysWOW64\cmd.exe (level 2)
    command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\chocolatey.exe
    PID:1972
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\chocolatey.exe (level 3)
      command line: C:\Users\Admin\AppData\Local\Temp\chocolatey.exe
      PID:1360
      - Executes dropped EXE
  C:\Windows\SysWOW64\reg.exe (level 2)
    command line: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    PID:112
    - Modifies visibility of file extensions in Explorer
    - Modifies registry key
  C:\Windows\SysWOW64\reg.exe (level 2)
    command line: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    PID:2952
    - Modifies registry key
  C:\Windows\SysWOW64\reg.exe (level 2)
    command line: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    PID:1128
    - UAC bypass
    - Modifies registry key
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 1, not a child of the sample)
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4032 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8
  PID:1536
The children are launched from SysWOW64 even though cmd.exe is invoked as C:\Windows\system32\cmd.exe: the sample is 32-bit, so WOW64 file-system redirection maps system32 to SysWOW64 for it.
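The three reg.exe writes and the Run-key entries above are the most reusable detection content in this report. The following Python is an added example, not part of the Triage report and not the sample's code. It normalises the three spellings of a registry path that appear on this page (the sandbox's \REGISTRY\USER\<SID>\..., reg.exe's HKCU\..., and Sysmon's HKU\<SID>\...), strips the WOW6432Node redirection that the 32-bit sample triggers for its HKLM Run key, and flags EnableLUA=0, HideFileExt=1, Hidden=2 and Run keys pointing into user-writable directories. Every line in SAMPLE_EVENTS is constructed for the example: the reg.exe lines copy the process tree, the Sysmon Event ID 13 records are what such writes would look like after flattening to key=value text (sample renamed sample.exe), and one benign Run-key write is included for contrast. All function names are hypothetical.

```python
"""Registry-tampering detection for the behaviours in this report.

Two event shapes are parsed: reg.exe command lines (as in the process tree)
and Sysmon Event ID 13 (registry value set) records flattened to key=value
text. Key paths are normalised so the sandbox (\\REGISTRY\\USER\\<SID>\\...),
Sysmon (HKU\\<SID>\\...) and reg.exe (HKCU\\...) spellings compare equal and
WOW6432Node redirection is ignored. Helper names are hypothetical.
"""
import re
import shlex

_SID = r"S-1-5-21-[\d-]+"
# Directories a standard user can write to; Run keys pointing here match the
# persistence seen above (C:\Users\Admin\... and C:\ProgramData\...).
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "%appdata%", "%localappdata%", "%temp%")

# Constructed sample events, not the report's raw telemetry.
SAMPLE_EVENTS = [
    ("cmdline", r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1"),
    ("cmdline", r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2"),
    ("cmdline", r"reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f"),
    ("sysmon13", r"EventID=13 Image=C:\Users\Admin\AppData\Local\Temp\sample.exe TargetObject=HKU\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MeEcwsoc.exe Details=C:\Users\Admin\YIMEIwAw\MeEcwsoc.exe"),
    ("sysmon13", r"EventID=13 Image=C:\Users\Admin\AppData\Local\Temp\sample.exe TargetObject=HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pkMwQEgo.exe Details=C:\ProgramData\OyoMwIMA\pkMwQEgo.exe"),
    ("sysmon13", r"EventID=13 Image=C:\Windows\System32\svchost.exe TargetObject=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth Details=C:\Windows\system32\SecurityHealthSystray.exe"),
]


def normalize_key(key):
    """Map hive spellings onto HKCU\\... / HKLM\\..., drop WOW6432Node, lower-case."""
    k = key.strip().strip("\\")
    k = re.sub(r"^REGISTRY\\USER\\" + _SID + r"\\", r"HKCU\\", k, flags=re.I)
    k = re.sub(r"^(HKU|HKEY_USERS)\\" + _SID + r"\\", r"HKCU\\", k, flags=re.I)
    k = re.sub(r"^HKEY_CURRENT_USER\\", r"HKCU\\", k, flags=re.I)
    k = re.sub(r"^REGISTRY\\MACHINE\\", r"HKLM\\", k, flags=re.I)
    k = re.sub(r"^HKEY_LOCAL_MACHINE\\", r"HKLM\\", k, flags=re.I)
    k = re.sub(r"\\WOW6432Node\\", r"\\", k, flags=re.I)
    return k.lower()


def parse_reg_add(cmdline):
    """Return (key, value_name, data) for a `reg add` command line, else None.
    posix=False keeps backslashes literal instead of treating them as escapes."""
    toks = shlex.split(cmdline, posix=False)
    if len(toks) < 3 or toks[1].lower() != "add":
        return None
    if toks[0].lower().rsplit("\\", 1)[-1] not in ("reg", "reg.exe"):
        return None
    key, name, data = toks[2].strip('"'), None, None
    for i in range(3, len(toks) - 1):
        if toks[i].lower() == "/v":
            name = toks[i + 1].strip('"')
        elif toks[i].lower() == "/d":
            data = toks[i + 1].strip('"')
    return key, name, data


def parse_sysmon13(line):
    """Return (key, value_name, data) from a flattened EID 13 record, else None.
    Sysmon logs DWORDs as 'DWORD (0x...)'; those are converted to decimal text."""
    fields = dict(re.findall(r"(\w+)=(.*?)(?=\s+\w+=|$)", line))
    if fields.get("EventID") != "13":
        return None
    key, _, name = fields.get("TargetObject", "").rpartition("\\")
    data = fields.get("Details", "")
    m = re.fullmatch(r"DWORD \((0x[0-9a-fA-F]+)\)", data)
    return key, name, (str(int(m.group(1), 16)) if m else data)


def evaluate(key, name, data):
    """Apply the rules this report motivates to a single registry write."""
    k, n, d = normalize_key(key), (name or "").lower(), (data or "").strip('"')
    hits = []
    if k == r"hklm\software\microsoft\windows\currentversion\policies\system" and n == "enablelua" and d == "0":
        hits.append("uac_disabled")  # UAC is off after the next reboot
    if k == r"hkcu\software\microsoft\windows\currentversion\explorer\advanced":
        if n == "hidefileext" and d == "1":
            hits.append("explorer_hide_extensions")  # "invoice.pdf.exe" shows as "invoice.pdf"
        if n == "hidden" and d == "2":
            hits.append("explorer_hide_hidden_files")  # dropped folders stay out of sight
    if k.endswith(r"\microsoft\windows\currentversion\run") and d.lower().startswith(USER_WRITABLE):
        hits.append("run_key_user_writable")
    return hits


def scan(events):
    """Route each (source, text) pair to its parser and collect rule hits."""
    findings = []
    for source, text in events:
        parsed = parse_reg_add(text) if source == "cmdline" else parse_sysmon13(text)
        if parsed:
            key, name, data = parsed
            findings += [(rule, normalize_key(key), name, data) for rule in evaluate(key, name, data)]
    return findings


if __name__ == "__main__":
    for rule, key, name, data in scan(SAMPLE_EVENTS):
        print(f"{rule:28} {key}\\{name} = {data}")
```

Two caveats when turning this into a production rule. HideFileExt=1 and Hidden=2 are the Windows defaults, so the resulting registry state is not an indicator on its own; what matters here is that reg.exe, spawned by the sample, forces them in the same run as the EnableLUA write and the Run-key persistence, so correlate on the writing process rather than on the value. EnableLUA=0 only takes effect after a reboot, so a host that shows it set may still be prompting for elevation until then.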
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Downloads
Filesize: 566KB
MD5: dfe726748c3f15df520bb75f921b3785
SHA1: 80795c475110647e1893886ec55e97b80c46a7a5
SHA256: 0a7a53222b04310619e5cea08430e97159ba62e4c1398770d16a53e6d8cdc686
SHA512: 225ce26445976c2aec2a974fb21af53490bc6e049f14ddf7f7511d96f55ed74fa333820dfed6313d26e96116ba940e3be30bfbbab41b43745270fd3caf4f7caf

Filesize: 110KB
MD5: 1cfb444cdbc06e1d1055c285ad712e64
SHA1: b3781272483ead17da41bca27b582e89cd49c24a
SHA256: 41040a2c4ad0990f758a2086b70f637027f7eefe7da2574dce636eb2a14ff32f
SHA512: 292dd0de15b4f9211afe6bbcc743b0c72a195cc9d6b35361f2cfd698c738cb9ce01d55ca6f01ee5213f092d19a5cb121f878f05d09b6cda55bc74f37f7e804b6

Filesize: 140KB
MD5: d6bc92571edfc2863fff72b240e571a1
SHA1: b4227284cde5d9c00c42a043c1c16766b4c6460c
SHA256: 422cfcc02baaff218e47cc6463efc5eaafb33ad4d0a920db3432de1f8963c4f8
SHA512: 31cdfef64c809d1c1da3fc5dca2aec2fb03b911f3d2e3d010328606479d414363795d6386cc9426f3d494aeb14fb2b75889cdbbddbbeb8f0d8b09020e8404d1d

Filesize: 5.2MB
MD5: 94cfc8986f725de3612596b1261a12d4
SHA1: 9f3bf0c9f7e0cc4abfe0af79ce422cbdaf7d5415
SHA256: eb80144be36282f14d8ec9d6a7f1ffb964c13a7a9d75c379914fc31111c250d2
SHA512: 0f35f23518e333018ba2238a424c152d32c60f239388d293875a2e2f359f5cad0b76f9eb743aadd3c91a9a7e4a26a4cf14a044e66ce3960f32b1189166a7e1e6

Filesize: 108KB
MD5: 9aa050cda847c8e9c62be62d07f0c6c2
SHA1: a9796bcbcc48b307f2b3eff7824add0f249fed05
SHA256: 38ff6ed40d19bf26476d5efa4027e5b35d6652ef9ce03f653cfc1d0dbc383ba3
SHA512: fe77b79355840e7e488a8549e27b62c2fd9a235b642f14ce4cdec90cdaa84433c1fc551519ecbcd5004407854979384222ee2bfb50d132dfbd78a529fbeef773