Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 147s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26/03/2024, 04:45
Static task: static1
Behavioral task: behavioral1
- Sample: f06a87018a50e8171c7f5fe125d2cb6e.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: f06a87018a50e8171c7f5fe125d2cb6e.exe
- Resource: win10v2004-20240226-en
General
- Target: f06a87018a50e8171c7f5fe125d2cb6e.exe
- Size: 62KB
- MD5: f06a87018a50e8171c7f5fe125d2cb6e
- SHA1: 5a8c6363ee4a1d2c6f016892971376df0eb6d4c1
- SHA256: d04f752b3e94d183f5da64d73e87723e6bac25d272bcf113a4204184993af45c
- SHA512: 49a1102e74acfeba04665ef149ed4163f6de906467725ea17dd3d1b64a00e83898ce018fff9ba6465e3aad02f4ff833feb23d3bc87445c730de988a8174b1270
- SSDEEP: 1536:btB9g/xtCSKfxLIc//Xr+/AO/kIZ3ft2nVuTKB6nggOlHdUHNW0:btng54SMLr+/AO/kIhfoKMHdu
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation | f06a87018a50e8171c7f5fe125d2cb6e.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation | gewos.exe
- Executes dropped EXE (1 IoC)
  pid | Process
  4108 | gewos.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | Process | procid_target
  PID 768 wrote to memory of 4108 | 768 | f06a87018a50e8171c7f5fe125d2cb6e.exe | 92
  PID 768 wrote to memory of 4108 | 768 | f06a87018a50e8171c7f5fe125d2cb6e.exe | 92
  PID 768 wrote to memory of 4108 | 768 | f06a87018a50e8171c7f5fe125d2cb6e.exe | 92
Processes
- C:\Users\Admin\AppData\Local\Temp\f06a87018a50e8171c7f5fe125d2cb6e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f06a87018a50e8171c7f5fe125d2cb6e.exe"
  PID: 768
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\gewos.exe (child of PID 768)
    Command line: "C:\Users\Admin\AppData\Local\Temp\gewos.exe"
    PID: 4108
    - Checks computer location settings
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 62KB
  MD5: 3f3439ec5317dbd5b0f93a34eedcb6fb
  SHA1: 6e5243b0533868d1612ece107127197b337ccb50
  SHA256: 660db0221908ce8973dd39a554b2fc2e9336aadee739bdac033375e65feeb5d7
  SHA512: 5e01229e2ef636197641581c3395d9b042e5c2e08684d8e255483915c095683e9e96a59043867ff39fd76542e944aac1c6cdcd294f8451fa34f66d0055c38fdc