Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

89c0efa7f3...ce.exe

windows7-x64

7

89c0efa7f3...ce.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    125s
  • max time network
    131s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22/09/2024, 05:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    89c0efa7f36fafadb1f96dbbb414632521f4e3270f889d780928b36f3d8d52ce.exe

  • Size

    483KB

  • MD5

    c80e7a64589dc19b6cbe79d371df5247

  • SHA1

    41e8427fe153726b7c74f93a7e5aa0f4268ef25d

  • SHA256

    89c0efa7f36fafadb1f96dbbb414632521f4e3270f889d780928b36f3d8d52ce

  • SHA512

    5575ce6ecce06dff1da09ce8dc7b39e4e945582992e441bad9fbab66bbd0114065af0c7a930e17ef0ad7125c0b6112aaaa4d10c763153bff7078dd3a2fd20cc6

  • SSDEEP

    6144:ZTz+c6KHYBhDc1RGJdv//NkUn+N5Bkf/0TELRvIZPjbsAOZZmAX4cr3T4:ZTlrYw1RUh3NFn+N5WfIQIjbs/ZmcT4

Score
7/10
discovery

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\89c0efa7f36fafadb1f96dbbb414632521f4e3270f889d780928b36f3d8d52ce.exe
    "C:\Users\Admin\AppData\Local\Temp\89c0efa7f36fafadb1f96dbbb414632521f4e3270f889d780928b36f3d8d52ce.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3056
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\hmxcoarfffxemdvdonqox.vbs"
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:1156

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\remcos\logs.dat
    Filesize

    144B

    MD5

    03ac9b2068b3850b8f43e357b9f7ca61

    SHA1

    ee0e1c66d2b7dcb2f501cb4a577b59236d854af2

    SHA256

    26a9c6cf7def9deb1f28e85249f43ab0353eca910a51ebc3add863f8d0803861

    SHA512

    e947cfe42f5f94cb97774883a1f6834db1da0210e5a345ff511cd59fa5b9f7ff0e6b8946cd12c9b75c2c5214ba7cd1c9aa70fb91d15329cb541c85ca89b30f9c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\hmxcoarfffxemdvdonqox.vbs
    Filesize

    728B

    MD5

    1e7384c699d4922714e71c2f4b175626

    SHA1

    3dedf3a1f2f8754682038297dd3e61ec6757d1a0

    SHA256

    5f1c0f796c8528b8ba90919763efaed8cb7e19692ea5def61d450582ceb32250

    SHA512

    1bd16e784694309926108f2c875e1467f847f890b556a4ad7cb07c7f1871b3c02abb2b2f60e263ca6b4e60c46ff31d259937a47df48e4a7f7d679cba68edaf89

    Download Submit