Analysis

max time kernel: 154s
max time network: 179s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19/09/2022, 14:55

Static task: static1

Behavioral task: behavioral1
  Sample: 73ec0de7c9867bbf261b7ce319bb8c18fd1acaf52f4b2867f7444559ecf87d18.exe
  Resource: win7-20220812-en

Behavioral task: behavioral2
  Sample: 73ec0de7c9867bbf261b7ce319bb8c18fd1acaf52f4b2867f7444559ecf87d18.exe
  Resource: win10v2004-20220812-en
General

Target: 73ec0de7c9867bbf261b7ce319bb8c18fd1acaf52f4b2867f7444559ecf87d18.exe
Size: 52KB
MD5: 6473b074b73b9ca176311bf100e02d9a
SHA1: 19c03060ab2bedf181df7f406a31e90db8e8ac1d
SHA256: 73ec0de7c9867bbf261b7ce319bb8c18fd1acaf52f4b2867f7444559ecf87d18
SHA512: dcb5a7d278169292ba0291386b72e9bccc6064d9b12f99cbf90a9d3513f7036b7863cd0e3fae8c9195cbf29ae472d3b1d4bd53608268656d31ea7dc31ee12d7c
SSDEEP: 768:OWEJbB6haGnJntgTVH7NHaurxmWXOQfwoObuPb77e5yC:OWE96Jnml5lXAoO+H7cyC
Malware Config
Signatures
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
  description: Set value (int)
  ioc: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"
  Process: duedue.exe

Executes dropped EXE (1 IoC)
  pid: 1588
  Process: duedue.exe

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation
  Process: 73ec0de7c9867bbf261b7ce319bb8c18fd1acaf52f4b2867f7444559ecf87d18.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  description: Key created
  ioc: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run\
  Process: duedue.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\duedue = "C:\\Users\\Admin\\duedue.exe"
  Process: duedue.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid: 1588, Process: duedue.exe (all 64 entries identical)

Suspicious use of SetWindowsHookEx (2 IoCs)
  pid: 2012, Process: 73ec0de7c9867bbf261b7ce319bb8c18fd1acaf52f4b2867f7444559ecf87d18.exe
  pid: 1588, Process: duedue.exe

Suspicious use of WriteProcessMemory (64 IoCs)
  description | pid | Process | procid_target
  PID 2012 wrote to memory of 1588 | 2012 | 73ec0de7c9867bbf261b7ce319bb8c18fd1acaf52f4b2867f7444559ecf87d18.exe | 79  (3 entries)
  PID 1588 wrote to memory of 2012 | 1588 | duedue.exe | 78  (all remaining entries)
Processes
C:\Users\Admin\AppData\Local\Temp\73ec0de7c9867bbf261b7ce319bb8c18fd1acaf52f4b2867f7444559ecf87d18.exe
  "C:\Users\Admin\AppData\Local\Temp\73ec0de7c9867bbf261b7ce319bb8c18fd1acaf52f4b2867f7444559ecf87d18.exe"
  - Checks computer location settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 2012

  C:\Users\Admin\duedue.exe
    "C:\Users\Admin\duedue.exe"
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 1588
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 52KB
MD5: e5f93aa213e70e67325295786e44971b
SHA1: 9cea74cf8655e33cebf95adea3000d16e6ce7d1a
SHA256: e903e713f0f9fa3463e69ad95bf34112deea38be1abbbd260b17c26114c2a951
SHA512: 39a53511fcdbc003ba72d623587233a9059d19936bb3aebcdb0296d5964d9e16ac86fc477d8862573c92ca056553bab9c4bb4463b7476184a71f927b0193b8fe

Filesize: 52KB
MD5: e5f93aa213e70e67325295786e44971b
SHA1: 9cea74cf8655e33cebf95adea3000d16e6ce7d1a
SHA256: e903e713f0f9fa3463e69ad95bf34112deea38be1abbbd260b17c26114c2a951
SHA512: 39a53511fcdbc003ba72d623587233a9059d19936bb3aebcdb0296d5964d9e16ac86fc477d8862573c92ca056553bab9c4bb4463b7476184a71f927b0193b8fe