Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20231222-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25/12/2023, 21:40
Static task: static1
Behavioral task: behavioral1
- Sample: 3dfa6cd18f872377c0e7f29e151c9d73.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 3dfa6cd18f872377c0e7f29e151c9d73.exe
- Resource: win10v2004-20231222-en
General
- Target: 3dfa6cd18f872377c0e7f29e151c9d73.exe
- Size: 220KB
- MD5: 3dfa6cd18f872377c0e7f29e151c9d73
- SHA1: 14d73e863f3c4e7d0b301096f54d81413c045a87
- SHA256: 16edb433726e296fd8f3cde2e89d6d937e6a06f789120786e0ed3d10e3f639f9
- SHA512: 0deb2d9c39eca9b85f796af768418d51fa3fb85bae183dd68ad3f440c5b28a37083cdfbb791f4bef1e94ccf6e73cca1d69399c349078d366c884e1e716247f60
- SSDEEP: 3072:r5/2mS99vs6v5gVzaSCzJ0rJOz01JW69ZZ5qK:N2mS9l1gzRa0ryK
Malware Config
Signatures
Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | 3dfa6cd18f872377c0e7f29e151c9d73.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | beuiwen.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | 3dfa6cd18f872377c0e7f29e151c9d73.exe
Executes dropped EXE 1 IoCs
pid | Process
2548 | beuiwen.exe
Adds Run key to start application 2 TTPs 27 IoCs
description | ioc | Process
All 27 IoCs are "Set value (str)" writes to the same Run value, \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\beuiwen, each setting it to "C:\\Users\\Admin\\beuiwen.exe <switch>" and differing only in the command-line switch. In the order reported, the switches are: /w, /i, /a, /l, /f, /d, /y, /h, /o, /j, /b, /k, /m, /g, /n, /z, /p, /v, /e, /r, /x, /s, /c, /r, /t, /q, /u. The process column is beuiwen.exe for every write except the first "/r" write, which is attributed to 3dfa6cd18f872377c0e7f29e151c9d73.exe.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Modifies registry class 1 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings | 3dfa6cd18f872377c0e7f29e151c9d73.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
5012 | 3dfa6cd18f872377c0e7f29e151c9d73.exe (2 entries)
2548 | beuiwen.exe (all remaining entries of the 64 reported)
Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
5012 | 3dfa6cd18f872377c0e7f29e151c9d73.exe
2548 | beuiwen.exe
Suspicious use of WriteProcessMemory 3 IoCs
description | pid | Process | procid_target
PID 5012 wrote to memory of 2548 | 5012 | 3dfa6cd18f872377c0e7f29e151c9d73.exe | 90
PID 5012 wrote to memory of 2548 | 5012 | 3dfa6cd18f872377c0e7f29e151c9d73.exe | 90
PID 5012 wrote to memory of 2548 | 5012 | 3dfa6cd18f872377c0e7f29e151c9d73.exe | 90
Processes
- C:\Users\Admin\AppData\Local\Temp\3dfa6cd18f872377c0e7f29e151c9d73.exe (PID 5012, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\3dfa6cd18f872377c0e7f29e151c9d73.exe"
  - Modifies visibility of hidden/system files in Explorer
  - Checks computer location settings
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\beuiwen.exe (PID 2548, depth 2, child of PID 5012)
    Command line: "C:\Users\Admin\beuiwen.exe"
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
- C:\Windows\System32\rundll32.exe (PID 636, depth 1)
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 220KB
- MD5: 3dfa6cd18f872377c0e7f29e151c9d73
- SHA1: 14d73e863f3c4e7d0b301096f54d81413c045a87
- SHA256: 16edb433726e296fd8f3cde2e89d6d937e6a06f789120786e0ed3d10e3f639f9
- SHA512: 0deb2d9c39eca9b85f796af768418d51fa3fb85bae183dd68ad3f440c5b28a37083cdfbb791f4bef1e94ccf6e73cca1d69399c349078d366c884e1e716247f60