Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
99s -
max time network
136s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
02/10/2022, 00:00
Static task
static1
Behavioral task
behavioral1
Sample
f2441dac87237f355fbfa0474df013f2264b254ff7f2145a93bfb1855ea4e8d6.exe
Resource
win7-20220812-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
f2441dac87237f355fbfa0474df013f2264b254ff7f2145a93bfb1855ea4e8d6.exe
Resource
win10v2004-20220812-en
windows10-2004-x64
8 signatures
150 seconds
General
-
Target
f2441dac87237f355fbfa0474df013f2264b254ff7f2145a93bfb1855ea4e8d6.exe
-
Size
220KB
-
MD5
6f32497dd814e6c7596db04ee661734b
-
SHA1
35a0a3ad81e09386cf6e954e71226dc49c1b6cb2
-
SHA256
f2441dac87237f355fbfa0474df013f2264b254ff7f2145a93bfb1855ea4e8d6
-
SHA512
a9fc068f652dacb13038608b4bc187c1e0d5f3760252758f777f16464f0ba9d0fb28fd1312a37869675a6fc1b0fa63eb06b2aa6f641acbc34f5a80c3a79dc473
-
SSDEEP
1536:rC7dASR5csJawoIZsh0CF+sKE0C1rZL4H0c/7wHeLxjaimtAbe79WCyiHCUXR6Tk:xaMOFCsv/CL0jaQaWCyiHCx1ps40
Score
10/10
Malware Config
Signatures
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" f2441dac87237f355fbfa0474df013f2264b254ff7f2145a93bfb1855ea4e8d6.exe Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" dauxua.exe -
Executes dropped EXE 1 IoCs
pid Process 2964 dauxua.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation f2441dac87237f355fbfa0474df013f2264b254ff7f2145a93bfb1855ea4e8d6.exe -
Adds Run key to start application 2 TTPs 27 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dauxua = "C:\\Users\\Admin\\dauxua.exe /x" f2441dac87237f355fbfa0474df013f2264b254ff7f2145a93bfb1855ea4e8d6.exe Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dauxua = "C:\\Users\\Admin\\dauxua.exe /z" dauxua.exe Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dauxua = "C:\\Users\\Admin\\dauxua.exe /k" dauxua.exe Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dauxua = "C:\\Users\\Admin\\dauxua.exe /d" dauxua.exe Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dauxua = "C:\\Users\\Admin\\dauxua.exe /m" dauxua.exe Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dauxua = "C:\\Users\\Admin\\dauxua.exe /c" dauxua.exe Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dauxua = "C:\\Users\\Admin\\dauxua.exe /e" dauxua.exe Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dauxua = "C:\\Users\\Admin\\dauxua.exe /r" dauxua.exe Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dauxua = "C:\\Users\\Admin\\dauxua.exe /w" dauxua.exe Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dauxua = "C:\\Users\\Admin\\dauxua.exe /f" dauxua.exe Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dauxua = "C:\\Users\\Admin\\dauxua.exe /i" dauxua.exe Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dauxua = "C:\\Users\\Admin\\dauxua.exe /a" dauxua.exe Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dauxua = "C:\\Users\\Admin\\dauxua.exe /t" dauxua.exe Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dauxua = "C:\\Users\\Admin\\dauxua.exe /p" dauxua.exe Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dauxua = "C:\\Users\\Admin\\dauxua.exe /l" dauxua.exe Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dauxua = "C:\\Users\\Admin\\dauxua.exe /o" dauxua.exe Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dauxua = "C:\\Users\\Admin\\dauxua.exe /g" dauxua.exe Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dauxua = "C:\\Users\\Admin\\dauxua.exe /b" dauxua.exe Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dauxua = "C:\\Users\\Admin\\dauxua.exe /u" dauxua.exe Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dauxua = "C:\\Users\\Admin\\dauxua.exe /y" dauxua.exe Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run\ f2441dac87237f355fbfa0474df013f2264b254ff7f2145a93bfb1855ea4e8d6.exe Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dauxua = "C:\\Users\\Admin\\dauxua.exe /j" dauxua.exe Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run\ dauxua.exe Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dauxua = "C:\\Users\\Admin\\dauxua.exe /x" dauxua.exe Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dauxua = "C:\\Users\\Admin\\dauxua.exe /q" dauxua.exe Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dauxua = "C:\\Users\\Admin\\dauxua.exe /v" dauxua.exe Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dauxua = "C:\\Users\\Admin\\dauxua.exe /n" dauxua.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4912 f2441dac87237f355fbfa0474df013f2264b254ff7f2145a93bfb1855ea4e8d6.exe 4912 f2441dac87237f355fbfa0474df013f2264b254ff7f2145a93bfb1855ea4e8d6.exe 2964 dauxua.exe 2964 dauxua.exe 2964 dauxua.exe 2964 dauxua.exe 2964 dauxua.exe 2964 dauxua.exe 2964 dauxua.exe 2964 dauxua.exe 2964 dauxua.exe 2964 dauxua.exe 2964 dauxua.exe 2964 dauxua.exe 2964 dauxua.exe 2964 dauxua.exe 2964 dauxua.exe 2964 dauxua.exe 2964 dauxua.exe 2964 dauxua.exe 2964 dauxua.exe 2964 dauxua.exe 2964 dauxua.exe 2964 dauxua.exe 2964 dauxua.exe 2964 dauxua.exe 2964 dauxua.exe 2964 dauxua.exe 2964 dauxua.exe 2964 dauxua.exe 2964 dauxua.exe 2964 dauxua.exe 2964 dauxua.exe 2964 dauxua.exe 2964 dauxua.exe 2964 dauxua.exe 2964 dauxua.exe 2964 dauxua.exe 2964 dauxua.exe 2964 dauxua.exe 2964 dauxua.exe 2964 dauxua.exe 2964 dauxua.exe 2964 dauxua.exe 2964 dauxua.exe 2964 dauxua.exe 2964 dauxua.exe 2964 dauxua.exe 2964 dauxua.exe 2964 dauxua.exe 2964 dauxua.exe 2964 dauxua.exe 2964 dauxua.exe 2964 dauxua.exe 2964 dauxua.exe 2964 dauxua.exe 2964 dauxua.exe 2964 dauxua.exe 2964 dauxua.exe 2964 dauxua.exe 2964 dauxua.exe 2964 dauxua.exe 2964 dauxua.exe 2964 dauxua.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process 4912 f2441dac87237f355fbfa0474df013f2264b254ff7f2145a93bfb1855ea4e8d6.exe 4912 f2441dac87237f355fbfa0474df013f2264b254ff7f2145a93bfb1855ea4e8d6.exe 2964 dauxua.exe 2964 dauxua.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 4912 wrote to memory of 2964 4912 f2441dac87237f355fbfa0474df013f2264b254ff7f2145a93bfb1855ea4e8d6.exe 83 PID 4912 wrote to memory of 2964 4912 f2441dac87237f355fbfa0474df013f2264b254ff7f2145a93bfb1855ea4e8d6.exe 83 PID 4912 wrote to memory of 2964 4912 f2441dac87237f355fbfa0474df013f2264b254ff7f2145a93bfb1855ea4e8d6.exe 83
Processes
-
C:\Users\Admin\AppData\Local\Temp\f2441dac87237f355fbfa0474df013f2264b254ff7f2145a93bfb1855ea4e8d6.exe"C:\Users\Admin\AppData\Local\Temp\f2441dac87237f355fbfa0474df013f2264b254ff7f2145a93bfb1855ea4e8d6.exe"1⤵
- Modifies visiblity of hidden/system files in Explorer
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4912 -
C:\Users\Admin\dauxua.exe"C:\Users\Admin\dauxua.exe"2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2964
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
220KB
MD5882444c6ad2c20f1c7df7ff1b9ba4fd3
SHA131c674acaac6696a628543afec70124e79c0fec4
SHA256d3f05da3b6edecba872507ba357195d7f13b0f5982c977ab53af8e46279777ac
SHA512d2177112b48c69a8429f10047028418ef7bec15d4673ea9109baae17f77955fa3db09dbeba8224b1d8a71108a6ee4ea785dc37b66262b6fbfc56348d2edcf63d
-
Filesize
220KB
MD5882444c6ad2c20f1c7df7ff1b9ba4fd3
SHA131c674acaac6696a628543afec70124e79c0fec4
SHA256d3f05da3b6edecba872507ba357195d7f13b0f5982c977ab53af8e46279777ac
SHA512d2177112b48c69a8429f10047028418ef7bec15d4673ea9109baae17f77955fa3db09dbeba8224b1d8a71108a6ee4ea785dc37b66262b6fbfc56348d2edcf63d