Analysis
- max time kernel: 150s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04/03/2024, 14:11
Static task: static1
Behavioral task: behavioral1
- Sample: b253fe41b9c0ed7fbe3a8e2f38bcd864.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: b253fe41b9c0ed7fbe3a8e2f38bcd864.exe
- Resource: win10v2004-20240226-en
General
- Target: b253fe41b9c0ed7fbe3a8e2f38bcd864.exe
- Size: 108KB
- MD5: b253fe41b9c0ed7fbe3a8e2f38bcd864
- SHA1: 840a9a95fb366ef1ca19760d2b12c8937cedf416
- SHA256: 73e506879a2d33b72c2dce161ff27fef46fc753d9a2dfc5590df3282bfc73ee0
- SHA512: 9ccd560927ef21dba09cdd0d35c7f01146e3377dfb9afdfff18fa33c0a136bd0e7ad0b787a1d451d1afa85fda1bb7c1bb95b1800a22732e96a1ee8f5f4387bb7
- SSDEEP: 768:MyV+hOvI80wziAgjzIWi3KEyUhL7b7Yqlf4JwQltjmtTBHi7Alz:MoFvJ/Y876Ezh/vYlJwAitTB3lz
Malware Config
Signatures
- Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
  Set value (int): \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (process: zeune.exe)
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence check.
  Key value queried: \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation (process: b253fe41b9c0ed7fbe3a8e2f38bcd864.exe)
- Executes dropped EXE (1 IoC)
  PID 2020, zeune.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zeune = "C:\\Users\\Admin\\zeune.exe" (process: zeune.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoC)
  PID 3348 (WerFault.exe) handling the crash of target PID 2648 (procid_target 85)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 2020, zeune.exe (64 identical events)
- Suspicious use of SetWindowsHookEx (2 IoCs)
  PID 2648, b253fe41b9c0ed7fbe3a8e2f38bcd864.exe; PID 2020, zeune.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  PID 2648 (b253fe41b9c0ed7fbe3a8e2f38bcd864.exe) wrote to memory of PID 2020 (procid_target 91), 3 events
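The following PowerShell hunt script is an added example, not part of the Triage report, that checks a Windows host for the persistence and dropped-file indicators listed above. It assumes it runs in the session of the user whose profile is being examined (the report's \REGISTRY\USER\<SID> paths map to HKCU: for that user), takes the file name zeune.exe and its drop location from the Run key value in the report, and compares any file it finds against the SHA256 values from the General and Downloads sections.

```powershell
# Added hunt script (not part of the Triage report). Assumptions: run as the user
# whose profile may be infected (report's \REGISTRY\USER\<SID> == HKCU: here), and
# the drop path C:\Users\<user>\zeune.exe comes from the report's Run key value.

$SampleSha256  = '73e506879a2d33b72c2dce161ff27fef46fc753d9a2dfc5590df3282bfc73ee0'  # submitted sample
$DroppedSha256 = 'd06a9a4938d893d200f24f418460a9a7f057496f8ae1e85fbc205874d2fbd455'  # file under Downloads

function Get-ZeuneIndicators {
    $findings = @()

    # 1. Persistence: Run value 'zeune' pointing at <profile>\zeune.exe (strong indicator)
    $runKey = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -Name 'zeune' -ErrorAction SilentlyContinue
    if ($run) {
        $findings += [pscustomobject]@{ Indicator = 'Run key "zeune"'; Value = $run.zeune; Strength = 'strong' }
    }

    # 2. Defense evasion: ShowSuperHidden forced to 0. Weak on its own, because 0 is
    #    also the Windows default; the report's signature fires on the write, not the value.
    $advKey = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    $adv = Get-ItemProperty -Path $advKey -Name 'ShowSuperHidden' -ErrorAction SilentlyContinue
    if ($adv -and $adv.ShowSuperHidden -eq 0) {
        $findings += [pscustomobject]@{ Indicator = 'ShowSuperHidden = 0'; Value = $advKey; Strength = 'weak (default value)' }
    }

    # 3. Dropped binary: hash any <profile>\zeune.exe against the report's SHA256 values
    Get-ChildItem -Path 'C:\Users' -Directory -ErrorAction SilentlyContinue | ForEach-Object {
        $candidate = Join-Path $_.FullName 'zeune.exe'
        if (Test-Path -LiteralPath $candidate) {
            $hash = (Get-FileHash -LiteralPath $candidate -Algorithm SHA256).Hash.ToLower()
            if ($hash -eq $SampleSha256) {
                $verdict = 'matches submitted sample'
            } elseif ($hash -eq $DroppedSha256) {
                $verdict = 'matches dropped file from report'
            } else {
                $verdict = 'unknown hash, file name only'
            }
            $findings += [pscustomobject]@{ Indicator = "File $candidate"; Value = "$hash ($verdict)"; Strength = $verdict }
        }
    }
    return $findings
}

Get-ZeuneIndicators | Format-Table -AutoSize
```

The Geo\Nation lookup leaves no persistent trace and is not hunted here. On a host with Sysmon, the two registry writes in the report correspond to Event ID 13 (RegistryEvent, Value Set) with Image ending in zeune.exe, and the drop to Event ID 11 (FileCreate); those events, rather than the current value of ShowSuperHidden, are what confirm the behaviour.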
Processes
- C:\Users\Admin\AppData\Local\Temp\b253fe41b9c0ed7fbe3a8e2f38bcd864.exe (PID 2648)
  Command line: "C:\Users\Admin\AppData\Local\Temp\b253fe41b9c0ed7fbe3a8e2f38bcd864.exe"
  - Checks computer location settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\zeune.exe (PID 2020, child of 2648)
    Command line: "C:\Users\Admin\zeune.exe"
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
  - C:\Windows\SysWOW64\WerFault.exe (PID 3348, child of 2648)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2648 -s 1636
    - Program crash
- C:\Windows\SysWOW64\WerFault.exe (PID 1320)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2648 -ip 2648
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 108KB
  MD5: e03aef1441b64035edb75d5e5256a67e
  SHA1: 91561c97218ebfafa1ac9742627114e8098c3b51
  SHA256: d06a9a4938d893d200f24f418460a9a7f057496f8ae1e85fbc205874d2fbd455
  SHA512: 6ba29f9c64cf8faa82fd50224fa078ded9c4357064fe392b0cbb3f56b2deea6e5d6952858fc76cf5648ef0b647439eb5a34774b2ff349816fdf7de4f39c04b3d