Analysis

  • max time kernel
    120s
  • max time network
    104s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    20/07/2024, 07:12

General

  • Target

    62d82edb8dd00ac0f31843c2702ac2c0N.exe

  • Size

    84KB

  • MD5

    62d82edb8dd00ac0f31843c2702ac2c0

  • SHA1

    6fd273a86c0b1dbae53be615192dffc6681ffef3

  • SHA256

    25e46d5f814ac6239f1d27c577f8d3549f829e0f4811b9b1c82a18d4b88c31c8

  • SHA512

    7658469076c4461a6c4cac218f3818d9ead93832c2875c8aae7f345bc398830d5471fb0e0d5e3f1e5a742ae02449304d1470b4a7144c4f5fc635f0f7e7585cb7

  • SSDEEP

    768:DyV+hOv0phYwzIiRg0OAIWi3KEyUhL7b7Yqlf4JwQltjmtTBHi7AlK:DoFv+nzOL76Ezh/vYlJwAitTB3lK

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\62d82edb8dd00ac0f31843c2702ac2c0N.exe
    "C:\Users\Admin\AppData\Local\Temp\62d82edb8dd00ac0f31843c2702ac2c0N.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:468
    • C:\Users\Admin\xeipuh.exe
      "C:\Users\Admin\xeipuh.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3688
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 468 -s 1216
      2⤵
      • Program crash
      PID:1392
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 468 -ip 468
    1⤵
      PID:3944

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\xeipuh.exe

    Filesize

    84KB

    MD5

    57d42e292979ae7585b8175b8bef5b8b

    SHA1

    f8b89996f83663891cce6925741f267de207e463

    SHA256

    26196d472b8c26bf6f3ac4fd8c93eb897321046022e2d19c3da5dba6d19b5cc1

    SHA512

    e4dc89dd2cec5c352c458f24372d11c3e3445003239e1cb76be2c39ffb8f414b9620b8e5c7c4c26bd7e93469a41665aea24c3f25c6e57e25f8f25037c0c1f889