
Analysis

  • max time kernel
    111s
  • max time network
    104s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22/07/2024, 12:20

General

  • Target

    ae4832af15cb2ee454df76e85b78e2f0N.exe

  • Size

    55KB

  • MD5

    ae4832af15cb2ee454df76e85b78e2f0

  • SHA1

    2016c97333517de9691867aee7b451ca8a10a2ea

  • SHA256

    d465c67c0fa0072fa1da23b8c24478dc027f79610d81e0797491aea6581e1b75

  • SHA512

    699c67888947f8038edec0b7dafecfcdec8682217a76298dea6b34afed2a3fd8deef153cc7805fa055e15affad5c277e5af3a3a83e515977744e7002c4af7486

  • SSDEEP

    1536:hvQoLHjw2iWPKMvw71/RLyX3Gvooodwwwt111W:hv5Ls27BIJ/RLyX3qooodwwwt111W

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ae4832af15cb2ee454df76e85b78e2f0N.exe
    "C:\Users\Admin\AppData\Local\Temp\ae4832af15cb2ee454df76e85b78e2f0N.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3192
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\AE4832~1.EXE > nul
      2⤵
        PID:2940
    • C:\Windows\Debug\wmahost.exe
      C:\Windows\Debug\wmahost.exe
      1⤵
      • Executes dropped EXE
      • Checks processor information in registry
      PID:3740

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Windows\Debug\wmahost.exe

    Filesize

    55KB

    MD5

    d3f8e11f3286f06d2c45e810d37c8662

    SHA1

    0e2c990e20f6ed62a40ec7ec7c2d5e42b19f8e8d

    SHA256

    2ae8ecc280e72dce159474d8a511e80582eb5b96a697a42431bc1dec4c49861f

    SHA512

    29877f469eda735e2195a16876631bc1d2b8f89a22cfad67c1a7feae865e882ad64242043fcf91e7b2cced0361d14475e6a164db743888c9bca8502dc55d6774