Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
141s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system -
submitted
04/12/2022, 11:36
Static task
static1
Behavioral task
behavioral1
Sample
5efce78a14dbe10b6787f5bd1f2ad2c2fa17e12d61431b16b13ddfc383304046.exe
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
5efce78a14dbe10b6787f5bd1f2ad2c2fa17e12d61431b16b13ddfc383304046.exe
Resource
win10v2004-20220901-en
General
-
Target
5efce78a14dbe10b6787f5bd1f2ad2c2fa17e12d61431b16b13ddfc383304046.exe
-
Size
140KB
-
MD5
0d0aac5cc047ede373f422fc60916e00
-
SHA1
ee482dfaca0b95ba3481f4d1264d0a46907d707a
-
SHA256
5efce78a14dbe10b6787f5bd1f2ad2c2fa17e12d61431b16b13ddfc383304046
-
SHA512
ef9e228f0bb876b43bd1430e8c4ae8e11878f8cf8c796a8b2e1598ddc15b44f7e0beb2caec395ed42ee447e5607736e5e62de2e75c91c580f51dadfacf1c0d68
-
SSDEEP
3072:s2LacOaPAX7EjWafJMgE/2DyRuBzMuDuf3tbFR9EBoPfnvZYn:XLYaI7EjWaLBzMsgJv
Malware Config
Signatures
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" pezop.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" 5efce78a14dbe10b6787f5bd1f2ad2c2fa17e12d61431b16b13ddfc383304046.exe -
Executes dropped EXE 1 IoCs
pid Process 2496 pezop.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation 5efce78a14dbe10b6787f5bd1f2ad2c2fa17e12d61431b16b13ddfc383304046.exe -
Adds Run key to start application 2 TTPs 29 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pezop = "C:\\Users\\Admin\\pezop.exe /m" pezop.exe Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pezop = "C:\\Users\\Admin\\pezop.exe /c" pezop.exe Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pezop = "C:\\Users\\Admin\\pezop.exe /i" pezop.exe Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pezop = "C:\\Users\\Admin\\pezop.exe /d" pezop.exe Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pezop = "C:\\Users\\Admin\\pezop.exe /q" pezop.exe Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pezop = "C:\\Users\\Admin\\pezop.exe /r" pezop.exe Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pezop = "C:\\Users\\Admin\\pezop.exe /k" pezop.exe Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pezop = "C:\\Users\\Admin\\pezop.exe /l" pezop.exe Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pezop = "C:\\Users\\Admin\\pezop.exe /g" 5efce78a14dbe10b6787f5bd1f2ad2c2fa17e12d61431b16b13ddfc383304046.exe Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run\ pezop.exe Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pezop = "C:\\Users\\Admin\\pezop.exe /p" pezop.exe Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pezop = "C:\\Users\\Admin\\pezop.exe /t" pezop.exe Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pezop = "C:\\Users\\Admin\\pezop.exe /v" pezop.exe Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pezop = "C:\\Users\\Admin\\pezop.exe /b" pezop.exe Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pezop = "C:\\Users\\Admin\\pezop.exe /a" pezop.exe Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pezop = "C:\\Users\\Admin\\pezop.exe /o" pezop.exe Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pezop = "C:\\Users\\Admin\\pezop.exe /g" pezop.exe Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run\ 5efce78a14dbe10b6787f5bd1f2ad2c2fa17e12d61431b16b13ddfc383304046.exe Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pezop = "C:\\Users\\Admin\\pezop.exe /n" pezop.exe Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pezop = "C:\\Users\\Admin\\pezop.exe /w" pezop.exe Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pezop = "C:\\Users\\Admin\\pezop.exe /x" pezop.exe Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pezop = "C:\\Users\\Admin\\pezop.exe /h" pezop.exe Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pezop = "C:\\Users\\Admin\\pezop.exe /j" pezop.exe Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pezop = "C:\\Users\\Admin\\pezop.exe /s" pezop.exe Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pezop = "C:\\Users\\Admin\\pezop.exe /e" pezop.exe Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pezop = "C:\\Users\\Admin\\pezop.exe /z" pezop.exe Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pezop = "C:\\Users\\Admin\\pezop.exe /f" pezop.exe Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pezop = "C:\\Users\\Admin\\pezop.exe /u" pezop.exe Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pezop = "C:\\Users\\Admin\\pezop.exe /y" pezop.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3212 5efce78a14dbe10b6787f5bd1f2ad2c2fa17e12d61431b16b13ddfc383304046.exe 3212 5efce78a14dbe10b6787f5bd1f2ad2c2fa17e12d61431b16b13ddfc383304046.exe 2496 pezop.exe 2496 pezop.exe 2496 pezop.exe 2496 pezop.exe 2496 pezop.exe 2496 pezop.exe 2496 pezop.exe 2496 pezop.exe 2496 pezop.exe 2496 pezop.exe 2496 pezop.exe 2496 pezop.exe 2496 pezop.exe 2496 pezop.exe 2496 pezop.exe 2496 pezop.exe 2496 pezop.exe 2496 pezop.exe 2496 pezop.exe 2496 pezop.exe 2496 pezop.exe 2496 pezop.exe 2496 pezop.exe 2496 pezop.exe 2496 pezop.exe 2496 pezop.exe 2496 pezop.exe 2496 pezop.exe 2496 pezop.exe 2496 pezop.exe 2496 pezop.exe 2496 pezop.exe 2496 pezop.exe 2496 pezop.exe 2496 pezop.exe 2496 pezop.exe 2496 pezop.exe 2496 pezop.exe 2496 pezop.exe 2496 pezop.exe 2496 pezop.exe 2496 pezop.exe 2496 pezop.exe 2496 pezop.exe 2496 pezop.exe 2496 pezop.exe 2496 pezop.exe 2496 pezop.exe 2496 pezop.exe 2496 pezop.exe 2496 pezop.exe 2496 pezop.exe 2496 pezop.exe 2496 pezop.exe 2496 pezop.exe 2496 pezop.exe 2496 pezop.exe 2496 pezop.exe 2496 pezop.exe 2496 pezop.exe 2496 pezop.exe 2496 pezop.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 3212 5efce78a14dbe10b6787f5bd1f2ad2c2fa17e12d61431b16b13ddfc383304046.exe 2496 pezop.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 3212 wrote to memory of 2496 3212 5efce78a14dbe10b6787f5bd1f2ad2c2fa17e12d61431b16b13ddfc383304046.exe 82 PID 3212 wrote to memory of 2496 3212 5efce78a14dbe10b6787f5bd1f2ad2c2fa17e12d61431b16b13ddfc383304046.exe 82 PID 3212 wrote to memory of 2496 3212 5efce78a14dbe10b6787f5bd1f2ad2c2fa17e12d61431b16b13ddfc383304046.exe 82
Processes
-
C:\Users\Admin\AppData\Local\Temp\5efce78a14dbe10b6787f5bd1f2ad2c2fa17e12d61431b16b13ddfc383304046.exe"C:\Users\Admin\AppData\Local\Temp\5efce78a14dbe10b6787f5bd1f2ad2c2fa17e12d61431b16b13ddfc383304046.exe"1⤵
- Modifies visiblity of hidden/system files in Explorer
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3212 -
C:\Users\Admin\pezop.exe"C:\Users\Admin\pezop.exe"2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2496
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
140KB
MD5af14df4e15a7d4347d811c8b578578f4
SHA16287c6f06ac9754ba824a9792d36fafacab47a9c
SHA256ece9654759e37582102965e94dc976a44cc9623863c4038471440c9501a1aad0
SHA512342e8192a3f4944294a0dfc7df314216a96c4f45d3250cfb2fdac65314f13737518bc5178567f3776cbe8251187adbb7c51328f2b18690e2863b6dc0d2fe4e96
-
Filesize
140KB
MD5af14df4e15a7d4347d811c8b578578f4
SHA16287c6f06ac9754ba824a9792d36fafacab47a9c
SHA256ece9654759e37582102965e94dc976a44cc9623863c4038471440c9501a1aad0
SHA512342e8192a3f4944294a0dfc7df314216a96c4f45d3250cfb2fdac65314f13737518bc5178567f3776cbe8251187adbb7c51328f2b18690e2863b6dc0d2fe4e96