Analysis

  • max time kernel
    158s
  • max time network
    46s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    19/09/2022, 02:06

General

  • Target

    3a8c522be19f1ab32d8d4700eccaf86f035097438eb079547f1b16fd054bf957.exe

  • Size

    156KB

  • MD5

    411572a5406e6a14801d4609ca56e639

  • SHA1

    199009590090261812df79bfa1d34d0e397989eb

  • SHA256

    3a8c522be19f1ab32d8d4700eccaf86f035097438eb079547f1b16fd054bf957

  • SHA512

    ec6334d57f744fc9e3dc79a1dd4cf80a67035cf90ba2fb658b74e9793a8a7e7d81686c1ef0321f551bffc30463cd0fad85ad089dbb2ba3194bafa2174beea530

  • SSDEEP

    1536:8ikumxuYvBU8gRDGHPOGMmUbaxGAka+t/K9rCGaV9mw7Jqx8M+dzAbWQgRV7:QxuYZa4UbaxqkCGaVD7JqfKAbno7

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 54 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3a8c522be19f1ab32d8d4700eccaf86f035097438eb079547f1b16fd054bf957.exe
    "C:\Users\Admin\AppData\Local\Temp\3a8c522be19f1ab32d8d4700eccaf86f035097438eb079547f1b16fd054bf957.exe"
    1⤵
    • Modifies visibility of hidden/system files in Explorer
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1020
    • C:\Users\Admin\geuki.exe
      "C:\Users\Admin\geuki.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:2016

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\geuki.exe

    Filesize

    156KB

    MD5

    0e7c2102b673e85300195902e86e28b0

    SHA1

    a5a152fc8e78d295c080fb08b0360ed4b169fdc2

    SHA256

    683f16bdd64203f7e2bef9ffcaeda029942bf6a7c7720052f7325bc379dbe15c

    SHA512

    a679a0d17c4e1981ac74f9aa49149002e7d8b3f30aacb8374de74a3cb9187d070fbab350297c38d48e0f542b751db965ac90b9a8d56e63f859274d28417431a6

  • \Users\Admin\geuki.exe

    Filesize

    156KB

    MD5

    0e7c2102b673e85300195902e86e28b0

    SHA1

    a5a152fc8e78d295c080fb08b0360ed4b169fdc2

    SHA256

    683f16bdd64203f7e2bef9ffcaeda029942bf6a7c7720052f7325bc379dbe15c

    SHA512

    a679a0d17c4e1981ac74f9aa49149002e7d8b3f30aacb8374de74a3cb9187d070fbab350297c38d48e0f542b751db965ac90b9a8d56e63f859274d28417431a6

  • memory/1020-56-0x00000000762D1000-0x00000000762D3000-memory.dmp

    Filesize

    8KB