Analysis

  • max time kernel
    178s
  • max time network
    190s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    01/12/2022, 23:07

General

  • Target

    929dce67c7f7acaa5877a44ac5a75c6ff5b39604f8af81bd5119bfd7226977cb.exe

  • Size

    196KB

  • MD5

    cf333b8ae4ef6262cc150c464ff061f9

  • SHA1

    83dd3c58ca53bf4cef9b3a08a341d0d166de27e1

  • SHA256

    929dce67c7f7acaa5877a44ac5a75c6ff5b39604f8af81bd5119bfd7226977cb

  • SHA512

    aa5feaa92ab7a896d35646cc535136c1c4dfcb2bae3f5c17263be78eef6582fd354ff30e71f98019e090eb7c9e56fa2d7210ca4be735dca773361518a696df4c

  • SSDEEP

    3072:+y1DAg8t0tQ9nLHbB9WmvA7vejJWKvE+KmyJ:zu4QxL7B9WjjejJW5P

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 29 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\929dce67c7f7acaa5877a44ac5a75c6ff5b39604f8af81bd5119bfd7226977cb.exe
    "C:\Users\Admin\AppData\Local\Temp\929dce67c7f7acaa5877a44ac5a75c6ff5b39604f8af81bd5119bfd7226977cb.exe"
    1⤵
    • Modifies visibility of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1828
    • C:\Users\Admin\geasea.exe
      "C:\Users\Admin\geasea.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:4816

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\geasea.exe

    Filesize

    196KB

    MD5

    d7b0b0bcf464d3d3d63912a618cf812e

    SHA1

    ce830b1563ae9ca65ff9b1ed99e5318f1973e962

    SHA256

    3aeef94e9d71acf2f2589216f79728708a7c9a41bf110e9f2f009ea9b5ecd62f

    SHA512

    be2756e0442f0e2eed742aa1bf2026a76ea619a05d46a38d9c4f6723e78dffa02b5feafa1663db52e880bbd2f2197717c247fd9148cf40fae420bb3e5e2eef92