Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 16s
- max time network: 117s
- platform: windows10-2004_x64
- resource: win10v2004-20231222-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25/12/2023, 21:29
- Static task: static1
- Behavioral task: behavioral1 (sample 3d7eee4357792eacc3168412c01963f0.exe, resource win7-20231129-en)
- Behavioral task: behavioral2 (sample 3d7eee4357792eacc3168412c01963f0.exe, resource win10v2004-20231222-en)
General
- Target: 3d7eee4357792eacc3168412c01963f0.exe
- Size: 216KB
- MD5: 3d7eee4357792eacc3168412c01963f0
- SHA1: 4a3a7aff126a3a66b4066a858100ffba40154d3b
- SHA256: 31bcedfdd8e21c646e994e320e3931ca3a83f31b3f04fa3e2bbab72f3774fb3e
- SHA512: 03919044f54362ff68eea96807858cc2f5dea03afb00601c0c4c5c7dcb8d145d7e785fb62a3c23058eed4d89e463d96cb75942b41d79b5f14b70137118a67770
- SSDEEP: 6144:uBhrbA1x5PZZKnvmb7/D26g4upEoadEXUqgVWLIg7gd:GA1x5PZZKnvmb7/D26GadEXUqgDg7gd
Malware Config
Signatures
- Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
  - Set value (int): \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (process: 3d7eee4357792eacc3168412c01963f0.exe)
  - Set value (int): \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (process: bepel.exe)
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up the country code configured in the registry, likely a geofence.
  - Key value queried: \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation (process: 3d7eee4357792eacc3168412c01963f0.exe)
- Executes dropped EXE (1 IoCs)
  - PID 4276: bepel.exe
- Adds Run key to start application (2 TTPs, 14 IoCs)
  All 14 entries are "Set value (str)" writes to the same key, \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bepel, differing only in the command-line switch:
  - "C:\\Users\\Admin\\bepel.exe /Y" (process: bepel.exe)
  - "C:\\Users\\Admin\\bepel.exe /D" (process: bepel.exe)
  - "C:\\Users\\Admin\\bepel.exe /p" (process: bepel.exe)
  - "C:\\Users\\Admin\\bepel.exe /a" (process: bepel.exe)
  - "C:\\Users\\Admin\\bepel.exe /K" (process: bepel.exe)
  - "C:\\Users\\Admin\\bepel.exe /I" (process: bepel.exe)
  - "C:\\Users\\Admin\\bepel.exe /O" (process: bepel.exe)
  - "C:\\Users\\Admin\\bepel.exe /w" (process: bepel.exe)
  - "C:\\Users\\Admin\\bepel.exe /i" (process: bepel.exe)
  - "C:\\Users\\Admin\\bepel.exe /C" (process: bepel.exe)
  - "C:\\Users\\Admin\\bepel.exe /L" (process: 3d7eee4357792eacc3168412c01963f0.exe)
  - "C:\\Users\\Admin\\bepel.exe /R" (process: bepel.exe)
  - "C:\\Users\\Admin\\bepel.exe /g" (process: bepel.exe)
  - "C:\\Users\\Admin\\bepel.exe /q" (process: bepel.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (36 IoCs)
  - PID 3980: 3d7eee4357792eacc3168412c01963f0.exe (2 entries)
  - PID 4276: bepel.exe (34 entries)
- Suspicious use of SetWindowsHookEx (2 IoCs)
  - PID 3980: 3d7eee4357792eacc3168412c01963f0.exe
  - PID 4276: bepel.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  - PID 3980 (3d7eee4357792eacc3168412c01963f0.exe) wrote to memory of PID 4276, procid_target 89 (3 entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\3d7eee4357792eacc3168412c01963f0.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\3d7eee4357792eacc3168412c01963f0.exe"
   PID: 3980
   - Modifies visibility of hidden/system files in Explorer
   - Checks computer location settings
   - Adds Run key to start application
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\bepel.exe (child of PID 3980)
      Command line: "C:\Users\Admin\bepel.exe"
      PID: 4276
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads