Analysis

  • max time kernel
    117s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    21/08/2024, 13:21

General

  • Target

    a2ede8f521521a935a46a861571dcbb0N.exe

  • Size

    448KB

  • MD5

    a2ede8f521521a935a46a861571dcbb0

  • SHA1

    46ee251845d8848d5a77c1d87cca40d98b1c7131

  • SHA256

    9c9cbede957d5bde9eede15bad06463145d71e4720000535159526389496da55

  • SHA512

    9be5c01f968316331df7374d5088c4793136754c1d9127ae0476d984bb7a284566e52f97d1ff8ac4d2c481bacf7729796d838ddf605f440a21aa2cf83c8f8cb3

  • SSDEEP

    6144:EbPahFCuKGPRQXrP18w1YqGGbMQlkEjiPISUOgW9X+hOGzC/NM:EbyhNDRQXj1F1YfQkmZzcukG2/

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE (1 IoC)
  • Drops file in Windows directory (3 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses (3 IoCs)
  • Suspicious use of SetWindowsHookEx (4 IoCs)
  • Suspicious use of WriteProcessMemory (8 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\a2ede8f521521a935a46a861571dcbb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\a2ede8f521521a935a46a861571dcbb0N.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2396
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\windows\KEQI.exe.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2124
      • C:\windows\KEQI.exe
        C:\windows\KEQI.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        PID:2572

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\KEQI.exe

    Filesize

    448KB

    MD5

    81ae359ea1ae0f3e9831c76968e8b729

    SHA1

    03949b25b93f0552a6553562c7a63e7d26b1f3cb

    SHA256

    6d5282eef5917a098b954970277568050205d3690085ed9d392dc158b66970b7

    SHA512

    0fa2689a1b14d2b0defeb5c91b7a13026413e992f9be320c69cbbecc5b9fbcbdd57e11b3c3f39804c2f6b492083e5e7e5e5461986727d3d3a33e9efb8e5a10e1

  • C:\Windows\KEQI.exe.bat

    Filesize

    54B

    MD5

    c24ee29716ee71cd4dfd63152aa354e2

    SHA1

    f94b26183e54208e12a6ab97778557edeb6b822f

    SHA256

    ad8283792bd1d6eaa9c8f109a3e82c733a7f0fc7ea0602311d8fa03e3756c4d6

    SHA512

    00d05135d84d79b980074d6b35f3a7a6840f8a57db06ac9ca73d3383e8e8674b6cd27f34d6c20e606d4f395076d2cc42d3398e639d5d53eda0e4b513337d9893

  • memory/2124-15-0x00000000003D0000-0x0000000000409000-memory.dmp

    Filesize

    228KB

  • memory/2124-16-0x00000000003D0000-0x0000000000409000-memory.dmp

    Filesize

    228KB

  • memory/2396-0-0x0000000000400000-0x0000000000439000-memory.dmp

    Filesize

    228KB

  • memory/2396-12-0x0000000000400000-0x0000000000439000-memory.dmp

    Filesize

    228KB

  • memory/2572-18-0x0000000000400000-0x0000000000439000-memory.dmp

    Filesize

    228KB

  • memory/2572-19-0x0000000000400000-0x0000000000439000-memory.dmp

    Filesize

    228KB