Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    160s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/10/2022, 06:29

General

  • Target

    bbfddf30612f21c51d4df26fc3e9a8cf098a2bcf7223c0841470999fa742ee1b.exe

  • Size

    136KB

  • MD5

    5eaee881ef24cc4c7560fa8a20bf74ff

  • SHA1

    3efc287e47d60ed1fc3285dcfd44e859cee7363c

  • SHA256

    bbfddf30612f21c51d4df26fc3e9a8cf098a2bcf7223c0841470999fa742ee1b

  • SHA512

    b2afd207e60eb7ea4429b32bf4d3c83acdb2cb7e17fa3ae02f4f09b5d8e852553a3736efbd09b0231288ddd63709b0153160bdda1e243266a470490fd6d435cf

  • SSDEEP

    3072:BmFgwjBfQn7WbIqH0ybZBiOllyEmcP82+aVdOt66VGegmaT:BmxQn7WbIqH0ybZBiOllyE5D+aVkjseN

Score
10/10

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 50 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bbfddf30612f21c51d4df26fc3e9a8cf098a2bcf7223c0841470999fa742ee1b.exe
    "C:\Users\Admin\AppData\Local\Temp\bbfddf30612f21c51d4df26fc3e9a8cf098a2bcf7223c0841470999fa742ee1b.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4608
    • C:\Users\Admin\ceolear.exe
      "C:\Users\Admin\ceolear.exe"
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:1876

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\ceolear.exe

    Filesize

    136KB

    MD5

    eaf88a05b1f8b1a6f128c307aac69451

    SHA1

    251c76f2a75790509652c29d9c556996f04d082f

    SHA256

    87f4fe8f23bcaba892c1bfcef2c73b911d0d96e65a5a46b69fea8012b44ccb7d

    SHA512

    a9bf259283d99fc45501b59fa0afe8afd02a7fbf83f6e70525d1f37627746f345cd827e76974ac19e3a961b613299453a3eec11f41130252092e9370c070812b

  • C:\Users\Admin\ceolear.exe

    Filesize

    136KB

    MD5

    eaf88a05b1f8b1a6f128c307aac69451

    SHA1

    251c76f2a75790509652c29d9c556996f04d082f

    SHA256

    87f4fe8f23bcaba892c1bfcef2c73b911d0d96e65a5a46b69fea8012b44ccb7d

    SHA512

    a9bf259283d99fc45501b59fa0afe8afd02a7fbf83f6e70525d1f37627746f345cd827e76974ac19e3a961b613299453a3eec11f41130252092e9370c070812b