Analysis
- max time kernel: 175s
- max time network: 173s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26/12/2023, 16:03
Static task: static1
Behavioral task: behavioral1
- Sample: 7b2c83e6ce54abf1ffeca39c02ef6378.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 7b2c83e6ce54abf1ffeca39c02ef6378.exe
- Resource: win10v2004-20231215-en
General
- Target: 7b2c83e6ce54abf1ffeca39c02ef6378.exe
- Size: 176KB
- MD5: 7b2c83e6ce54abf1ffeca39c02ef6378
- SHA1: 169bde615dd6b634a503a2ed5d9b75d656f1bda2
- SHA256: 4a352be73356af419b78463a95d2ca6cf4799c89ac92f87a581ee50bb08fb69c
- SHA512: dbd4e112f1e9a99a54dd6e5ceea3a3003325f2cb0a7a1bea9c32b85e19f5bedaec584f83b151b5c14a84972bfa4cbaa7f5dc0405e3c48a47f2679704dd8f079c
- SSDEEP: 3072:6RlNSIcEGROnF5grgPmCXMNKiqMdMZZZZWMkIJOh:6g5tEMNIMdHYC
Malware Config
Signatures
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
- Set value (int) \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (process: 7b2c83e6ce54abf1ffeca39c02ef6378.exe)
- Set value (int) \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (process: reasaez.exe)

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check.
- Key value queried \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation (process: 7b2c83e6ce54abf1ffeca39c02ef6378.exe)

Executes dropped EXE (1 IoC)
- PID 4516: reasaez.exe

Adds Run key to start application (2 TTPs, 27 IoCs)
- Set value (str) \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reasaez = "C:\\Users\\Admin\\reasaez.exe /g" (process: reasaez.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reasaez = "C:\\Users\\Admin\\reasaez.exe /d" (process: reasaez.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reasaez = "C:\\Users\\Admin\\reasaez.exe /j" (process: reasaez.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reasaez = "C:\\Users\\Admin\\reasaez.exe /n" (process: reasaez.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reasaez = "C:\\Users\\Admin\\reasaez.exe /y" (process: reasaez.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reasaez = "C:\\Users\\Admin\\reasaez.exe /w" (process: reasaez.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reasaez = "C:\\Users\\Admin\\reasaez.exe /c" (process: reasaez.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reasaez = "C:\\Users\\Admin\\reasaez.exe /q" (process: reasaez.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reasaez = "C:\\Users\\Admin\\reasaez.exe /h" (process: reasaez.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reasaez = "C:\\Users\\Admin\\reasaez.exe /b" (process: reasaez.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reasaez = "C:\\Users\\Admin\\reasaez.exe /p" (process: reasaez.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reasaez = "C:\\Users\\Admin\\reasaez.exe /t" (process: reasaez.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reasaez = "C:\\Users\\Admin\\reasaez.exe /z" (process: reasaez.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reasaez = "C:\\Users\\Admin\\reasaez.exe /s" (process: reasaez.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reasaez = "C:\\Users\\Admin\\reasaez.exe /a" (process: reasaez.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reasaez = "C:\\Users\\Admin\\reasaez.exe /j" (process: 7b2c83e6ce54abf1ffeca39c02ef6378.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reasaez = "C:\\Users\\Admin\\reasaez.exe /x" (process: reasaez.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reasaez = "C:\\Users\\Admin\\reasaez.exe /k" (process: reasaez.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reasaez = "C:\\Users\\Admin\\reasaez.exe /e" (process: reasaez.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reasaez = "C:\\Users\\Admin\\reasaez.exe /m" (process: reasaez.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reasaez = "C:\\Users\\Admin\\reasaez.exe /v" (process: reasaez.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reasaez = "C:\\Users\\Admin\\reasaez.exe /u" (process: reasaez.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reasaez = "C:\\Users\\Admin\\reasaez.exe /l" (process: reasaez.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reasaez = "C:\\Users\\Admin\\reasaez.exe /o" (process: reasaez.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reasaez = "C:\\Users\\Admin\\reasaez.exe /i" (process: reasaez.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reasaez = "C:\\Users\\Admin\\reasaez.exe /r" (process: reasaez.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reasaez = "C:\\Users\\Admin\\reasaez.exe /f" (process: reasaez.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (64 IoCs)
- PID 2504: 7b2c83e6ce54abf1ffeca39c02ef6378.exe (2 entries)
- PID 4516: reasaez.exe (the remaining 62 entries)

Suspicious use of SetWindowsHookEx (2 IoCs)
- PID 2504: 7b2c83e6ce54abf1ffeca39c02ef6378.exe
- PID 4516: reasaez.exe

Suspicious use of WriteProcessMemory (3 IoCs)
- PID 2504 wrote to memory of 4516 (pid: 2504, process: 7b2c83e6ce54abf1ffeca39c02ef6378.exe, procid_target: 91)
- PID 2504 wrote to memory of 4516 (pid: 2504, process: 7b2c83e6ce54abf1ffeca39c02ef6378.exe, procid_target: 91)
- PID 2504 wrote to memory of 4516 (pid: 2504, process: 7b2c83e6ce54abf1ffeca39c02ef6378.exe, procid_target: 91)
Processes
1. C:\Users\Admin\AppData\Local\Temp\7b2c83e6ce54abf1ffeca39c02ef6378.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\7b2c83e6ce54abf1ffeca39c02ef6378.exe"
   PID: 2504
   - Modifies visibility of hidden/system files in Explorer
   - Checks computer location settings
   - Adds Run key to start application
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\reasaez.exe (child of PID 2504)
      Command line: "C:\Users\Admin\reasaez.exe"
      PID: 4516
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads