Analysis
- max time kernel: 120s
- max time network: 104s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20/07/2024, 07:12
Static task
- static1
Behavioral task
- behavioral1: sample 62d82edb8dd00ac0f31843c2702ac2c0N.exe, resource win7-20240704-en
Behavioral task
- behavioral2: sample 62d82edb8dd00ac0f31843c2702ac2c0N.exe, resource win10v2004-20240709-en
General
- Target: 62d82edb8dd00ac0f31843c2702ac2c0N.exe
- Size: 84KB
- MD5: 62d82edb8dd00ac0f31843c2702ac2c0
- SHA1: 6fd273a86c0b1dbae53be615192dffc6681ffef3
- SHA256: 25e46d5f814ac6239f1d27c577f8d3549f829e0f4811b9b1c82a18d4b88c31c8
- SHA512: 7658469076c4461a6c4cac218f3818d9ead93832c2875c8aae7f345bc398830d5471fb0e0d5e3f1e5a742ae02449304d1470b4a7144c4f5fc635f0f7e7585cb7
- SSDEEP: 768:DyV+hOv0phYwzIiRg0OAIWi3KEyUhL7b7Yqlf4JwQltjmtTBHi7AlK:DoFv+nzOL76Ezh/vYlJwAitTB3lK
Malware Config
Signatures
- Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
  description: Set value (int)
  ioc: \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"
  process: xeipuh.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation
  process: 62d82edb8dd00ac0f31843c2702ac2c0N.exe
- Executes dropped EXE (1 IoC)
  pid 3688, process xeipuh.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xeipuh = "C:\\Users\\Admin\\xeipuh.exe"
  process: xeipuh.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoC)
  pid 1392, pid_target 468, process WerFault.exe, procid_target 85
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 3688, process xeipuh.exe (64 identical events)
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid 468, process 62d82edb8dd00ac0f31843c2702ac2c0N.exe
  pid 3688, process xeipuh.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  description | pid | process | procid_target
  PID 468 wrote to memory of 3688 | 468 | 62d82edb8dd00ac0f31843c2702ac2c0N.exe | 87 (3 events)
  PID 3688 wrote to memory of 468 | 3688 | xeipuh.exe | 85 (4 events)
  PID 3688 wrote to memory of 1392 | 3688 | xeipuh.exe | 90 (4 events)
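The three registry events above (the Geo\Nation query, the Run value, and ShowSuperHidden set to 0) are the kind of thing a triage script should classify without a human reading the raw paths. The following is an added example written by the editor; it is not code from the Triage report or from the sample. The event records are constructed from the IoCs listed above, and the ATT&CK technique IDs are the editor's own mapping (the report counts TTPs but does not print them). The script tags each event with the matching signature and notes whether an autorun target lives in a user-writable path, which is what makes this persistence possible without administrative rights.

```python
"""Classify sandbox registry events into the persistence, evasion and
discovery signatures seen in this report.

Editor's example: event records below are constructed from the report's
IoCs; the ATT&CK mapping is the editor's assumption, not the report's."""
import re
from dataclasses import dataclass
from typing import Optional

# Per-user autostart locations: a value here runs at logon with no admin rights.
RUN_KEY_RE = re.compile(
    r"\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\[^\\]+$", re.I)
# Explorer's "show protected operating system files" toggle.
SUPER_HIDDEN_RE = re.compile(r"\\Explorer\\Advanced\\ShowSuperHidden$", re.I)
# Country code the user configured; read by malware that geofences execution.
GEO_NATION_RE = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)
# Locations any interactive user can write to (profile, temp).
USER_WRITABLE_RE = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\", re.I)


@dataclass
class RegEvent:
    op: str                     # "set" or "query", as the sandbox logs it
    path: str                   # full \REGISTRY\USER\<SID>\... path
    process: str                # image name of the acting process
    data: Optional[str] = None  # value written (None for a query)


@dataclass
class Finding:
    signature: str
    technique: str              # editor's ATT&CK mapping (assumption)
    detail: str


def _unescape(value: str) -> str:
    # The report prints value data quoted and with backslashes doubled.
    return value.strip('"').replace("\\\\", "\\")


def classify(ev: RegEvent) -> list[Finding]:
    """Return zero or more findings for a single registry event."""
    findings: list[Finding] = []
    if ev.op == "set" and RUN_KEY_RE.search(ev.path):
        target = _unescape(ev.data or "")
        where = "user-writable path" if USER_WRITABLE_RE.match(target) else "other path"
        findings.append(Finding("Adds Run key to start application", "T1547.001",
                                f"{ev.process} registers {target} ({where})"))
    if ev.op == "set" and SUPER_HIDDEN_RE.search(ev.path) and _unescape(ev.data or "") == "0":
        findings.append(Finding("Modifies visibility of hidden/system files in Explorer",
                                "T1564.001",
                                f"{ev.process} hides protected OS files (ShowSuperHidden=0)"))
    if ev.op == "query" and GEO_NATION_RE.search(ev.path):
        findings.append(Finding("Checks computer location settings", "T1614",
                                f"{ev.process} reads the configured country code (possible geofence)"))
    return findings


def triage(events: list[RegEvent]) -> list[Finding]:
    return [f for ev in events for f in classify(ev)]


SID = r"\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000"

# Constructed from the three registry IoCs in this report.
REPORT_EVENTS = [
    RegEvent("query", SID + r"\Control Panel\International\Geo\Nation",
             "62d82edb8dd00ac0f31843c2702ac2c0N.exe"),
    RegEvent("set", SID + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xeipuh",
             "xeipuh.exe", r'"C:\\Users\\Admin\\xeipuh.exe"'),
    RegEvent("set", SID + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden",
             "xeipuh.exe", '"0"'),
]

if __name__ == "__main__":
    for f in triage(REPORT_EVENTS):
        print(f"[{f.technique}] {f.signature}: {f.detail}")
```

The ShowSuperHidden rule only fires on a write of 0; Explorer writes 1 when a user turns the option on, so matching on the key alone would flag legitimate activity.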
Processes
- C:\Users\Admin\AppData\Local\Temp\62d82edb8dd00ac0f31843c2702ac2c0N.exe
  "C:\Users\Admin\AppData\Local\Temp\62d82edb8dd00ac0f31843c2702ac2c0N.exe"
  PID: 468
  - Checks computer location settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\xeipuh.exe
    "C:\Users\Admin\xeipuh.exe"
    PID: 3688
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 468 -s 1216
    PID: 1392
    - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 468 -ip 468
  PID: 3944
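Rebuilding the process tree and the cross-process writes from the events listed above, as an added example by the editor (not part of the report or of the sandbox's own tooling). The process and write records are constructed from the Processes and WriteProcessMemory sections; the parent of each WerFault instance is the editor's reading of the tree's nesting. The script parses the WerFault command line to tie each crash report back to PID 468, lists child processes started from a user-profile path, and flags writes whose direction is not parent-into-child, which is the direction process creation itself produces. Whether the writes by 3688 into 468 and the crash of 468 are related is not something the report states; the script only puts them side by side.

```python
"""Rebuild the process tree and cross-process writes from sandbox events.

Editor's example; the records below are constructed from this report."""
import re
from collections import defaultdict

# Constructed from the Processes section: (pid, parent_pid, command line).
# 1392 is nested under 468 in the report; 3944 is a top-level entry.
PROCESSES = [
    (468, None, r'"C:\Users\Admin\AppData\Local\Temp\62d82edb8dd00ac0f31843c2702ac2c0N.exe"'),
    (3688, 468, r'"C:\Users\Admin\xeipuh.exe"'),
    (1392, 468, r'C:\Windows\SysWOW64\WerFault.exe -u -p 468 -s 1216'),
    (3944, None, r'C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 468 -ip 468'),
]

# Constructed from the WriteProcessMemory IoCs: (writer_pid, target_pid).
WRITES = [(468, 3688)] * 3 + [(3688, 468)] * 4 + [(3688, 1392)] * 4

# "-p <pid>" names the faulting process; "-pss" must not be mistaken for it.
WERFAULT_PID_RE = re.compile(r"WerFault\.exe.*?\s-p\s+(\d+)", re.I)
FIRST_TOKEN_RE = re.compile(r'"([^"]+)"|(\S+)')
USER_PROFILE_RE = re.compile(r'"?[A-Z]:\\Users\\', re.I)


def image_name(cmdline: str) -> str:
    """File name of the image from a quoted or unquoted command line."""
    m = FIRST_TOKEN_RE.match(cmdline)
    path = m.group(1) or m.group(2)
    return path.rsplit("\\", 1)[-1]


def crash_targets(processes) -> dict:
    """Map each WerFault PID to the PID it was asked to report on."""
    out = {}
    for pid, _parent, cmd in processes:
        m = WERFAULT_PID_RE.search(cmd)
        if m:
            out[pid] = int(m.group(1))
    return out


def dropped_executables(processes) -> list:
    """Child processes whose image lives under a user profile (dropped-payload candidates)."""
    return [pid for pid, parent, cmd in processes
            if parent is not None and USER_PROFILE_RE.match(cmd)]


def unusual_writes(processes, writes) -> dict:
    """Count writes that are not parent-into-child, keyed by (writer, target)."""
    parent_of = {pid: parent for pid, parent, _ in processes}
    counts = defaultdict(int)
    for writer, target in writes:
        if parent_of.get(target) != writer:
            counts[(writer, target)] += 1
    return dict(counts)


def render(processes, crashes, indent: str = "  ") -> str:
    """Indented tree with crash reports annotated by their target PID."""
    by_pid = {pid: cmd for pid, _, cmd in processes}
    tree = defaultdict(list)
    for pid, parent, _ in processes:
        tree[parent].append(pid)
    lines = []

    def walk(pid, depth):
        note = f"  <- crash report for PID {crashes[pid]}" if pid in crashes else ""
        lines.append(f"{indent * depth}{pid} {image_name(by_pid[pid])}{note}")
        for child in tree.get(pid, []):
            walk(child, depth + 1)

    for root in tree[None]:
        walk(root, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    crashes = crash_targets(PROCESSES)
    print(render(PROCESSES, crashes))
    print("dropped-payload candidates:", dropped_executables(PROCESSES))
    for (writer, target), n in unusual_writes(PROCESSES, WRITES).items():
        print(f"{writer} -> {target}: {n} writes (not parent-into-child)")
```

The three writes from 468 into 3688 are what CreateProcess produces when a parent starts a child, so they are filtered out; what remains is 3688 writing into its own parent and into the WerFault instance, which is worth a closer look in the memory dumps rather than a verdict on its own.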
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 84KB
- MD5: 57d42e292979ae7585b8175b8bef5b8b
- SHA1: f8b89996f83663891cce6925741f267de207e463
- SHA256: 26196d472b8c26bf6f3ac4fd8c93eb897321046022e2d19c3da5dba6d19b5cc1
- SHA512: e4dc89dd2cec5c352c458f24372d11c3e3445003239e1cb76be2c39ffb8f414b9620b8e5c7c4c26bd7e93469a41665aea24c3f25c6e57e25f8f25037c0c1f889