Analysis
max time kernel
151s
max time network
169s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags
arch:x64 arch:x86 image:win10v2004-20221111-en locale:en-us os:windows10-2004-x64 system
submitted
29/11/2022, 16:42
Static task
static1
Behavioral task
behavioral1
Sample
434f55025791d8854edcf75ee9b0cdcb5834269c5799b988434af161fe8582d1.exe
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
434f55025791d8854edcf75ee9b0cdcb5834269c5799b988434af161fe8582d1.exe
Resource
win10v2004-20221111-en
General
-
Target
434f55025791d8854edcf75ee9b0cdcb5834269c5799b988434af161fe8582d1.exe
-
Size
304KB
-
MD5
758044c649d49138161b78500cc806f4
-
SHA1
210c74af6afe36b11cb2babb036651b0374d65bf
-
SHA256
434f55025791d8854edcf75ee9b0cdcb5834269c5799b988434af161fe8582d1
-
SHA512
1c25c22e475d462616c020279caa87d3c5b26bcc8be538028306d9a021ef158d4936fd5d2699211411ee93281fd0788eb13546f403572301654535e0e247785d
-
SSDEEP
3072:Hff1i2Dwhe6YIRnbXtcU7n4zKqc+5k1op2aEaDFHT+7pvPxvGLY:Yxbz+kxla8xn
Malware Config
Signatures
-
Modifies visibility of hidden/system files in Explorer  2 TTPs  2 IoCs
ShowSuperHidden = 0 turns off Explorer's "show protected operating system files" option, so anything the sample marks hidden+system stays out of view in the file browser. Both the parent and the dropped copy set it.
description      ioc                                                                                                                          Process
Set value (int)  \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"  434f55025791d8854edcf75ee9b0cdcb5834269c5799b988434af161fe8582d1.exe
Set value (int)  \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"  zeeuna.exe
Executes dropped EXE  1 IoCs
pid   Process
4284  zeeuna.exe
Checks computer location settings  2 TTPs  1 IoCs
Looks up the country code configured in the registry, likely a geofence.
description        ioc                                                                                             Process
Key value queried  \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation  434f55025791d8854edcf75ee9b0cdcb5834269c5799b988434af161fe8582d1.exe
Adds Run key to start application  2 TTPs  29 IoCs
The parent creates the Run key and registers C:\Users\Admin\zeeuna.exe with a "/u" switch; the dropped copy then rewrites the same value 26 more times, each time with a different single-letter switch. The value name and the executable path never change, so a detection should key on an autostart entry that points at an executable in the root of the user profile, not on the argument.
All paths below are under \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000, written as <HKU>.
description      ioc                                                                                              Process
Set value (str)  <HKU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zeeuna = "C:\\Users\\Admin\\zeeuna.exe /u"  434f55025791d8854edcf75ee9b0cdcb5834269c5799b988434af161fe8582d1.exe
Set value (str)  <HKU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zeeuna = "C:\\Users\\Admin\\zeeuna.exe /n"  zeeuna.exe
Set value (str)  <HKU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zeeuna = "C:\\Users\\Admin\\zeeuna.exe /l"  zeeuna.exe
Set value (str)  <HKU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zeeuna = "C:\\Users\\Admin\\zeeuna.exe /q"  zeeuna.exe
Set value (str)  <HKU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zeeuna = "C:\\Users\\Admin\\zeeuna.exe /m"  zeeuna.exe
Set value (str)  <HKU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zeeuna = "C:\\Users\\Admin\\zeeuna.exe /u"  zeeuna.exe
Set value (str)  <HKU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zeeuna = "C:\\Users\\Admin\\zeeuna.exe /t"  zeeuna.exe
Set value (str)  <HKU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zeeuna = "C:\\Users\\Admin\\zeeuna.exe /b"  zeeuna.exe
Set value (str)  <HKU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zeeuna = "C:\\Users\\Admin\\zeeuna.exe /y"  zeeuna.exe
Set value (str)  <HKU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zeeuna = "C:\\Users\\Admin\\zeeuna.exe /x"  zeeuna.exe
Key created      <HKU>\Software\Microsoft\Windows\CurrentVersion\Run\                                             434f55025791d8854edcf75ee9b0cdcb5834269c5799b988434af161fe8582d1.exe
Set value (str)  <HKU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zeeuna = "C:\\Users\\Admin\\zeeuna.exe /c"  zeeuna.exe
Set value (str)  <HKU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zeeuna = "C:\\Users\\Admin\\zeeuna.exe /a"  zeeuna.exe
Set value (str)  <HKU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zeeuna = "C:\\Users\\Admin\\zeeuna.exe /o"  zeeuna.exe
Set value (str)  <HKU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zeeuna = "C:\\Users\\Admin\\zeeuna.exe /i"  zeeuna.exe
Key created      <HKU>\Software\Microsoft\Windows\CurrentVersion\Run\                                             zeeuna.exe
Set value (str)  <HKU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zeeuna = "C:\\Users\\Admin\\zeeuna.exe /p"  zeeuna.exe
Set value (str)  <HKU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zeeuna = "C:\\Users\\Admin\\zeeuna.exe /f"  zeeuna.exe
Set value (str)  <HKU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zeeuna = "C:\\Users\\Admin\\zeeuna.exe /v"  zeeuna.exe
Set value (str)  <HKU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zeeuna = "C:\\Users\\Admin\\zeeuna.exe /h"  zeeuna.exe
Set value (str)  <HKU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zeeuna = "C:\\Users\\Admin\\zeeuna.exe /s"  zeeuna.exe
Set value (str)  <HKU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zeeuna = "C:\\Users\\Admin\\zeeuna.exe /r"  zeeuna.exe
Set value (str)  <HKU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zeeuna = "C:\\Users\\Admin\\zeeuna.exe /e"  zeeuna.exe
Set value (str)  <HKU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zeeuna = "C:\\Users\\Admin\\zeeuna.exe /k"  zeeuna.exe
Set value (str)  <HKU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zeeuna = "C:\\Users\\Admin\\zeeuna.exe /d"  zeeuna.exe
Set value (str)  <HKU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zeeuna = "C:\\Users\\Admin\\zeeuna.exe /w"  zeeuna.exe
Set value (str)  <HKU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zeeuna = "C:\\Users\\Admin\\zeeuna.exe /g"  zeeuna.exe
Set value (str)  <HKU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zeeuna = "C:\\Users\\Admin\\zeeuna.exe /j"  zeeuna.exe
Set value (str)  <HKU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zeeuna = "C:\\Users\\Admin\\zeeuna.exe /z"  zeeuna.exe
Enumerates physical storage devices  1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox heuristic flags this as possible ransomware behaviour, but enumerating attached drives is equally consistent with a removable-drive spreader, and this report records no file encryption; read it alongside the Run-key persistence and the dropped copy above.
Suspicious behavior: EnumeratesProcesses  64 IoCs
pid   Process                                                                   entries
1360  434f55025791d8854edcf75ee9b0cdcb5834269c5799b988434af161fe8582d1.exe  2
4284  zeeuna.exe                                                                62
Suspicious use of SetWindowsHookEx  2 IoCs
pid   Process
1360  434f55025791d8854edcf75ee9b0cdcb5834269c5799b988434af161fe8582d1.exe
4284  zeeuna.exe
Suspicious use of WriteProcessMemory  3 IoCs
All three writes go from the parent (PID 1360) into the child it spawns (PID 4284). Parent-to-child writes at spawn time also occur during ordinary process creation, so on their own they do not establish code injection; the relevant fact here is that the child is the dropped copy.
description                        pid   Process                                                                   procid_target
PID 1360 wrote to memory of 4284   1360  434f55025791d8854edcf75ee9b0cdcb5834269c5799b988434af161fe8582d1.exe  84
PID 1360 wrote to memory of 4284   1360  434f55025791d8854edcf75ee9b0cdcb5834269c5799b988434af161fe8582d1.exe  84
PID 1360 wrote to memory of 4284   1360  434f55025791d8854edcf75ee9b0cdcb5834269c5799b988434af161fe8582d1.exe  84
Processes
C:\Users\Admin\AppData\Local\Temp\434f55025791d8854edcf75ee9b0cdcb5834269c5799b988434af161fe8582d1.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\434f55025791d8854edcf75ee9b0cdcb5834269c5799b988434af161fe8582d1.exe"
  PID: 1360
  - Modifies visibility of hidden/system files in Explorer
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  child: C:\Users\Admin\zeeuna.exe
    command line: "C:\Users\Admin\zeeuna.exe"
    PID: 4284
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
Dropped file (not named on the page; the only dropped executable recorded in this report is C:\Users\Admin\zeeuna.exe)
Filesize
304KB
MD5
09a498239affba0a38243847af98563a
SHA1
7bb15efbc0f8379cf0ad0fe786fbaa4844f4df0e
SHA256
2ddda4a369286c6c9b20078421182742a4df0546c521d05a7f1ee6e84b4210a4
SHA512
7420d07fdbdc60ba430f2c8557309254ccff4f4663636e8b6dd2eebb2dc473cb85d596038eb1985e45e07985a48da4d06f5a4d55fe676370cff7c22f4d5cb99c
The file is the same size as the submitted sample (304KB) but differs on every hash, so the copy written to disk is not byte-identical to the parent; matching on the sample's hashes alone will miss it, and the Run-key and ShowSuperHidden indicators above are the more durable signals.