Analysis

  • max time kernel
    150s
  • max time network
    110s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    20/10/2022, 01:50

General

  • Target

    399ae129b70e02db67d2ea0f23d841e3446ad5b6796fae78fc30afba5c3fa9b0.exe

  • Size

    316KB

  • MD5

    804b3d6995918f4af1ef931e1fcc5d30

  • SHA1

    93d9ad359c02fb8e6318ed7a1350759748779111

  • SHA256

    399ae129b70e02db67d2ea0f23d841e3446ad5b6796fae78fc30afba5c3fa9b0

  • SHA512

    20ca027b000ecb412cf8ed56fc3586d3517cf9346e6419e72162ba2e9d80599dedda1824ece9e6ac0b29a7a7d2eff176b330441c8479a225cfcc6ee7659bc679

  • SSDEEP

    6144:s/JVYOayCTEtWff9nQMdkxIV0OQotoBOm8ntGUcF6/DsEfNXqkEL+:eJVYOy9YxIToYmtyIx+

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 54 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\399ae129b70e02db67d2ea0f23d841e3446ad5b6796fae78fc30afba5c3fa9b0.exe
    "C:\Users\Admin\AppData\Local\Temp\399ae129b70e02db67d2ea0f23d841e3446ad5b6796fae78fc30afba5c3fa9b0.exe"
    1⤵
    • Modifies visibility of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2060
    • C:\Users\Admin\zeeker.exe
      "C:\Users\Admin\zeeker.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:1084

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\zeeker.exe

    Filesize

    316KB

    MD5

    5b89b4b109a8f7b3f8b56a01a81fd377

    SHA1

    a0cc1c3f5585e9e85ce03e8276e5081736899148

    SHA256

    746d4b3588f7c733091fc7fc5c1fd6a82dc6b69eb1b25126952fb58db5f830be

    SHA512

    df787d0a30894bc5e3cd8fafc731a1b0c63ed8d2890bcc42565041302a27f225ca9bc55d2df6142cd9e5849606026b532264c00ca8a712d10eba7d2b91db4dff