Analysis
- max time kernel: 163s
- max time network: 157s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19/12/2023, 14:51
Static task: static1
Behavioral task: behavioral1
- Sample: 4711e9fbf2b53f6fe05e526e73c206e4.exe
- Resource: win7-20231201-en
Behavioral task: behavioral2
- Sample: 4711e9fbf2b53f6fe05e526e73c206e4.exe
- Resource: win10v2004-20231215-en
The analysis metadata, signatures and process tree on this page come from behavioral2 (windows10-2004_x64, resource win10v2004-20231215-en); the Windows 7 run (behavioral1) is not shown here.
General
- Target: 4711e9fbf2b53f6fe05e526e73c206e4.exe
- Size: 75KB
- MD5: 4711e9fbf2b53f6fe05e526e73c206e4
- SHA1: b4878e1a370ff69ce43f050d47f9f798d89cb05f
- SHA256: 289626bfb2e5c13c49a8df9509a5e247dbdb2365c42f0713350a2d9061d2e9bb
- SHA512: ac3bcad9d41bdb4275b0b09a43768ddce6f995f98ec0a60b3915d421602319f8f0fbef980833dd20d922947393251137ef8cdc1e77aba69c3362365618294690
- SSDEEP: 1536:+5w/ETvpPEutHwHiHoHV/NBbgzrqNldFCnDNlN1t7g9:sw/ELpc/NBbgzrqNldFCnDNlN1M
Malware Config
Signatures
- Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
  Setting ShowSuperHidden to 0 makes Explorer hide protected operating-system files again, so any file carrying the hidden+system attributes stays out of sight even if the user has enabled "show hidden files".
  description: Set value (int)
  ioc: \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"
  Process: geioke.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence. Geo\Nation holds the GeoID of the user's configured country/region; reading it is not malicious on its own, so treat this as context for the persistence and dropped-file findings below rather than as an indicator by itself.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation
  Process: 4711e9fbf2b53f6fe05e526e73c206e4.exe
- Executes dropped EXE (1 IoC)
  pid: 2792
  Process: geioke.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  The dropped copy registers itself under the per-user Run key, so it starts at every logon of this user without needing elevation.
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\geioke = "C:\\Users\\Admin\\geioke.exe"
  Process: geioke.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (64 IoCs shown)
  pid 2792, Process geioke.exe (all 64 entries are the same process)
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid 1408, Process 4711e9fbf2b53f6fe05e526e73c206e4.exe
  pid 2792, Process geioke.exe
  Both processes install a Windows hook; the report records only the call, not the hook type, so the hook's purpose cannot be inferred from this page.
- Suspicious use of WriteProcessMemory (64 IoCs shown)
  The last column is procid_target, Triage's internal identifier for the target process, not an OS PID.
  description: PID 1408 wrote to memory of 2792 | pid 1408 | Process 4711e9fbf2b53f6fe05e526e73c206e4.exe | procid_target 92 (3 entries)
  description: PID 2792 wrote to memory of 1408 | pid 2792 | Process geioke.exe | procid_target 86 (61 entries)
  Three writes from the parent into the dropped child around its creation are expected; the 61 writes from the child back into its parent are not, and are worth pairing with Sysmon event 8 (CreateRemoteThread) or event 10 (ProcessAccess) telemetry to determine whether code is actually injected into the original process.
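A host check for the three registry and file behaviours listed above (the geioke Run value, ShowSuperHidden forced to 0, and geioke.exe dropped into a user profile). This is an added example written for this page, not output from Triage and not code from the sample. The hashes are copied from this report; the assumptions are that it runs in an elevated PowerShell session on a live Windows host (so every loaded hive under HKEY_USERS is readable), that user profiles live under C:\Users, and that the malware keeps the value name and drop path seen in the sandbox (a different build could rename both, which is why the file is hashed rather than matched on name alone).

```powershell
# Added example for this page: sweep a live host for the indicators in the Triage report.
# Assumes an elevated session; hive paths and the C:\Users layout are assumptions, the
# hashes below are copied from the report (sample and the 75KB download entry).
$SampleSha256  = '289626bfb2e5c13c49a8df9509a5e247dbdb2365c42f0713350a2d9061d2e9bb'
$DroppedSha256 = 'c4f8a7528900e6cc00615bf1b4221cf7acb3b205230285f69e7b8dfbe87fe6b8'

function Find-ReportIndicators {
    $findings = @()

    # Walk every loaded user hive; the sandbox only shows SID ...-1000, a real host may have several.
    foreach ($hive in Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue) {
        $sid = $hive.PSChildName

        # 1. Persistence: a Run value named "geioke" in the per-user Run key.
        $runKey = "Registry::HKEY_USERS\$sid\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
        if (Test-Path $runKey) {
            $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
            if ($run -and ($run.PSObject.Properties.Name -contains 'geioke')) {
                $findings += [pscustomobject]@{ Type = 'RunKey'; Where = $runKey; Value = $run.geioke }
            }
        }

        # 2. Explorer setting: ShowSuperHidden = 0 hides protected OS files (the report's IoC).
        $advKey = "Registry::HKEY_USERS\$sid\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
        if (Test-Path $advKey) {
            $adv = Get-ItemProperty -Path $advKey -ErrorAction SilentlyContinue
            if ($adv -and $adv.PSObject.Properties.Name -contains 'ShowSuperHidden' -and $adv.ShowSuperHidden -eq 0) {
                $findings += [pscustomobject]@{ Type = 'ShowSuperHidden=0'; Where = $advKey; Value = $adv.ShowSuperHidden }
            }
        }
    }

    # 3. Dropped file: geioke.exe directly under any profile (report: C:\Users\Admin\geioke.exe).
    #    -Force includes hidden/system files, which matters given finding 2. Hash it so a
    #    re-packed copy (same 75KB size, different hash) is still recorded as "unknown".
    foreach ($f in Get-ChildItem 'C:\Users\*\geioke.exe' -Force -File -ErrorAction SilentlyContinue) {
        $hash  = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash.ToLower()
        $match = if ($hash -eq $DroppedSha256 -or $hash -eq $SampleSha256) { 'known-hash' } else { 'unknown-hash' }
        $findings += [pscustomobject]@{ Type = "DroppedFile($match)"; Where = $f.FullName; Value = $hash }
    }

    return $findings
}

$results = Find-ReportIndicators
if (-not $results) {
    'No indicators from this report found on this host.'
} else {
    $results | Format-Table -AutoSize
}
```

A "DroppedFile(unknown-hash)" hit with no Run value is still worth pulling for analysis: the report's download entry already shows a 75KB file whose hashes differ from the submitted sample, so a hash mismatch does not clear the file.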
Processes
- C:\Users\Admin\AppData\Local\Temp\4711e9fbf2b53f6fe05e526e73c206e4.exe (PID 1408, tree level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\4711e9fbf2b53f6fe05e526e73c206e4.exe"
  - Checks computer location settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\geioke.exe (PID 2792, tree level 2, child of PID 1408)
    Command line: "C:\Users\Admin\geioke.exe"
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 75KB
  MD5: dba6853d58576eaabf2e72f68e90bc04
  SHA1: 74c65f594a19c8c09e57e14c2435cd424a5009d0
  SHA256: c4f8a7528900e6cc00615bf1b4221cf7acb3b205230285f69e7b8dfbe87fe6b8
  SHA512: e26be037b6828cf987dd68ab1682bebd7c6859b008933b26a29d42e02b49368d9d366764d8663eebb3bad3d49c73bd38b908ed036456a4626ac40c76904edb70
  The report does not name the file behind this entry. It is the same size as the submitted sample but every hash differs, so blocklist both hash sets rather than the submitted sample's hashes alone.