Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

17e07e8f59...fb.exe

windows7-x64

10

17e07e8f59...fb.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    192s
  • max time network
    203s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29/11/2022, 03:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    17e07e8f596dfc3010ba44fc95612345969d45d5670a634a06c4e4d02f46f1fb.exe

  • Size

    256KB

  • MD5

    117f8f1369374f6269cedf1a56fa9ea7

  • SHA1

    43250be822934748e6718f282c9de6fd4bd82464

  • SHA256

    17e07e8f596dfc3010ba44fc95612345969d45d5670a634a06c4e4d02f46f1fb

  • SHA512

    f7cfdd9e006a271b2de95be8829e40f11587be95b2be911250bd31c01b151e2142666dc9d9fabf8cb260601415a4d626800b8dadd120b62d8ebaa2d32d1b0a14

  • SSDEEP

    6144:YLEBRa0wxtGUjk+UHAS3+qipkWqWHa2xUsKjVx5LK6HX36X6xv76gcBRSUznDy:YLEc0wTGUjk//3+qEkWqWHa2xUsKjVxV

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 58 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\17e07e8f596dfc3010ba44fc95612345969d45d5670a634a06c4e4d02f46f1fb.exe
    "C:\Users\Admin\AppData\Local\Temp\17e07e8f596dfc3010ba44fc95612345969d45d5670a634a06c4e4d02f46f1fb.exe"
    1⤵
    • Modifies visiblity of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3136
    • C:\Users\Admin\beukar.exe
      "C:\Users\Admin\beukar.exe"
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      PID:836

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\beukar.exe
    Filesize

    256KB

    MD5

    ba6dbd7f4bf759e166336dc5f9f6bdf2

    SHA1

    c857d3b512a8484495bd4904fec8f0a469cc9458

    SHA256

    e2dd24c97a5c8a904c4fe1e1eccf460bd8a9ffe245b26d7a68d3721f5dacaf4e

    SHA512

    fe1d0ea075af1fc11ae4395f69fdb6331d45a96ac85d7bac4217b303a2a2548a0b8ae74c9e15a11dbc76d1c59a64039f3512f9eb59c029bf783f89e5924b8cf9

    Download Submit

  • C:\Users\Admin\beukar.exe
    Filesize

    256KB

    MD5

    ba6dbd7f4bf759e166336dc5f9f6bdf2

    SHA1

    c857d3b512a8484495bd4904fec8f0a469cc9458

    SHA256

    e2dd24c97a5c8a904c4fe1e1eccf460bd8a9ffe245b26d7a68d3721f5dacaf4e

    SHA512

    fe1d0ea075af1fc11ae4395f69fdb6331d45a96ac85d7bac4217b303a2a2548a0b8ae74c9e15a11dbc76d1c59a64039f3512f9eb59c029bf783f89e5924b8cf9

    Download Submit