Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    163s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19/12/2023, 14:51

General

  • Target

    4711e9fbf2b53f6fe05e526e73c206e4.exe

  • Size

    75KB

  • MD5

    4711e9fbf2b53f6fe05e526e73c206e4

  • SHA1

    b4878e1a370ff69ce43f050d47f9f798d89cb05f

  • SHA256

    289626bfb2e5c13c49a8df9509a5e247dbdb2365c42f0713350a2d9061d2e9bb

  • SHA512

    ac3bcad9d41bdb4275b0b09a43768ddce6f995f98ec0a60b3915d421602319f8f0fbef980833dd20d922947393251137ef8cdc1e77aba69c3362365618294690

  • SSDEEP

    1536:+5w/ETvpPEutHwHiHoHV/NBbgzrqNldFCnDNlN1t7g9:sw/ELpc/NBbgzrqNldFCnDNlN1M

Score
10/10

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4711e9fbf2b53f6fe05e526e73c206e4.exe
    "C:\Users\Admin\AppData\Local\Temp\4711e9fbf2b53f6fe05e526e73c206e4.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1408
    • C:\Users\Admin\geioke.exe
      "C:\Users\Admin\geioke.exe"
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2792

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\geioke.exe

    Filesize

    75KB

    MD5

    dba6853d58576eaabf2e72f68e90bc04

    SHA1

    74c65f594a19c8c09e57e14c2435cd424a5009d0

    SHA256

    c4f8a7528900e6cc00615bf1b4221cf7acb3b205230285f69e7b8dfbe87fe6b8

    SHA512

    e26be037b6828cf987dd68ab1682bebd7c6859b008933b26a29d42e02b49368d9d366764d8663eebb3bad3d49c73bd38b908ed036456a4626ac40c76904edb70