Analysis
- max time kernel: 301s
- max time network: 292s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25/09/2022, 11:52
Static task: static1
Behavioral task: behavioral1
- Sample: 2.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: 2.exe
- Resource: win10v2004-20220812-en
General
- Target: 2.exe
- Size: 1.3MB
- MD5: 5110f6802a9e7f1eaba4dd916f80b2a0
- SHA1: 4c3b319e1f68cbde0991d352a9156b1932264573
- SHA256: 50b2b6803b44585b6b2b504af9b0102788c7195c97fc61ff3c1a14747de41113
- SHA512: ab25bb827c7299e4823595a1b6e7d3a2a2ade89a4485549d68c1e24644cdc6e015a0dff4e1cb5674a66aff22c1988aebc3253c3b786861f4c03c8006f5d2c848
- SSDEEP: 24576:qDv3/Mg+ReqnEHiwf29hq6ik68o62xzdJ8A52QqW7I2LOQSQ33R0Z:qERPwf2WZ18o62xzv8VmF
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) | 2 TTPs | 2 IoCs
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 2.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | MoUSO.exe
- Executes dropped EXE | 1 IoCs
  pid | Process
  716 | MoUSO.exe
- Checks BIOS information in registry | 2 TTPs | 4 IoCs
  BIOS information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 2.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 2.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | MoUSO.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | MoUSO.exe
- Checks computer location settings | 2 TTPs | 1 IoCs
  Looks up the country code configured in the registry, likely a geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | 2.exe
- Identifies Wine through registry keys | 2 TTPs | 2 IoCs
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Wine | 2.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Wine | MoUSO.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger | 2 IoCs
  pid | Process
  688 | 2.exe
  716 | MoUSO.exe
- Enumerates physical storage devices | 1 TTPs
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) | 1 TTPs | 1 IoCs
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  4632 | schtasks.exe
- Suspicious behavior: EnumeratesProcesses | 64 IoCs
  pid | Process
  688 | 2.exe (2 entries)
  716 | MoUSO.exe (remaining 62 entries)
- Suspicious use of WriteProcessMemory | 3 IoCs
  description | pid | Process | procid_target
  PID 688 wrote to memory of 4632 | 688 | 2.exe | 79
  PID 688 wrote to memory of 4632 | 688 | 2.exe | 79
  PID 688 wrote to memory of 4632 | 688 | 2.exe | 79
Processes
- C:\Users\Admin\AppData\Local\Temp\2.exe (level 1, PID 688)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2.exe"
  Signatures:
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (level 2, PID 4632)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /TN Cache-S-21-2946144819-3e21f723 /TR "C:\Users\Admin\AppData\Local\cache\MoUSO.exe"
    Signatures:
    - Creates scheduled task(s)
- C:\Users\Admin\AppData\Local\cache\MoUSO.exe (level 1, PID 716)
  Command line: C:\Users\Admin\AppData\Local\cache\MoUSO.exe
  Signatures:
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 1.3MB
  MD5: 5110f6802a9e7f1eaba4dd916f80b2a0
  SHA1: 4c3b319e1f68cbde0991d352a9156b1932264573
  SHA256: 50b2b6803b44585b6b2b504af9b0102788c7195c97fc61ff3c1a14747de41113
  SHA512: ab25bb827c7299e4823595a1b6e7d3a2a2ade89a4485549d68c1e24644cdc6e015a0dff4e1cb5674a66aff22c1988aebc3253c3b786861f4c03c8006f5d2c848