Analysis
- max time kernel: 151s
- max time network: 128s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02/10/2022, 00:12
Static task: static1
Behavioral task: behavioral1
- Sample: 57497d9e31c87d24875f9a0223e26f7be27b1cabf745f7e37a13649855a1ba43.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: 57497d9e31c87d24875f9a0223e26f7be27b1cabf745f7e37a13649855a1ba43.exe
- Resource: win10v2004-20220901-en
General
- Target: 57497d9e31c87d24875f9a0223e26f7be27b1cabf745f7e37a13649855a1ba43.exe
- Size: 192KB
- MD5: 43682b9f05cef3f3f661cb7c760fc498
- SHA1: c9d756f3558eb46d490e1b220998e893dd45fe08
- SHA256: 57497d9e31c87d24875f9a0223e26f7be27b1cabf745f7e37a13649855a1ba43
- SHA512: be363bb832f3ebd5225aad2f02ec771b92b978ed38ec7c5834781cf4c5af2343e23b4fabaa59bd782eb49dfd4c651e64d872dcacda8a077aa2b97a5362b9b1e2
- SSDEEP: 1536:jZcD2OahSaaaaat031AdQWB5kCFrWszRUOHFlQhzyLwVKftfVBiZHAPloFp5A2m3:POGAW3kCFrWsF2eLbqx2XMFs89
Malware Config
Signatures

Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | 57497d9e31c87d24875f9a0223e26f7be27b1cabf745f7e37a13649855a1ba43.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | beuwaq.exe
Executes dropped EXE (1 IoCs)
pid | Process
4776 | beuwaq.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | 57497d9e31c87d24875f9a0223e26f7be27b1cabf745f7e37a13649855a1ba43.exe
Adds Run key to start application (2 TTPs, 23 IoCs)
Every ioc below is under \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\ (the report prints the two "Key created" paths with "Software").
description | ioc | Process
Set value (str) | Run\beuwaq = "C:\\Users\\Admin\\beuwaq.exe /x" | beuwaq.exe
Set value (str) | Run\beuwaq = "C:\\Users\\Admin\\beuwaq.exe /t" | beuwaq.exe
Set value (str) | Run\beuwaq = "C:\\Users\\Admin\\beuwaq.exe /u" | beuwaq.exe
Set value (str) | Run\beuwaq = "C:\\Users\\Admin\\beuwaq.exe /h" | 57497d9e31c87d24875f9a0223e26f7be27b1cabf745f7e37a13649855a1ba43.exe
Set value (str) | Run\beuwaq = "C:\\Users\\Admin\\beuwaq.exe /l" | beuwaq.exe
Set value (str) | Run\beuwaq = "C:\\Users\\Admin\\beuwaq.exe /v" | beuwaq.exe
Set value (str) | Run\beuwaq = "C:\\Users\\Admin\\beuwaq.exe /c" | beuwaq.exe
Set value (str) | Run\beuwaq = "C:\\Users\\Admin\\beuwaq.exe /z" | beuwaq.exe
Set value (str) | Run\beuwaq = "C:\\Users\\Admin\\beuwaq.exe /f" | beuwaq.exe
Set value (str) | Run\beuwaq = "C:\\Users\\Admin\\beuwaq.exe /a" | beuwaq.exe
Set value (str) | Run\beuwaq = "C:\\Users\\Admin\\beuwaq.exe /e" | beuwaq.exe
Set value (str) | Run\beuwaq = "C:\\Users\\Admin\\beuwaq.exe /m" | beuwaq.exe
Set value (str) | Run\beuwaq = "C:\\Users\\Admin\\beuwaq.exe /k" | beuwaq.exe
Set value (str) | Run\beuwaq = "C:\\Users\\Admin\\beuwaq.exe /o" | beuwaq.exe
Set value (str) | Run\beuwaq = "C:\\Users\\Admin\\beuwaq.exe /d" | beuwaq.exe
Set value (str) | Run\beuwaq = "C:\\Users\\Admin\\beuwaq.exe /w" | beuwaq.exe
Key created | Run\ | 57497d9e31c87d24875f9a0223e26f7be27b1cabf745f7e37a13649855a1ba43.exe
Set value (str) | Run\beuwaq = "C:\\Users\\Admin\\beuwaq.exe /g" | beuwaq.exe
Set value (str) | Run\beuwaq = "C:\\Users\\Admin\\beuwaq.exe /i" | beuwaq.exe
Set value (str) | Run\beuwaq = "C:\\Users\\Admin\\beuwaq.exe /s" | beuwaq.exe
Key created | Run\ | beuwaq.exe
Set value (str) | Run\beuwaq = "C:\\Users\\Admin\\beuwaq.exe /y" | beuwaq.exe
Set value (str) | Run\beuwaq = "C:\\Users\\Admin\\beuwaq.exe /b" | beuwaq.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
3540 | 57497d9e31c87d24875f9a0223e26f7be27b1cabf745f7e37a13649855a1ba43.exe (listed twice)
4776 | beuwaq.exe (every remaining entry of the 64)
Suspicious use of SetWindowsHookEx (2 IoCs)
pid | Process
3540 | 57497d9e31c87d24875f9a0223e26f7be27b1cabf745f7e37a13649855a1ba43.exe
4776 | beuwaq.exe
Suspicious use of WriteProcessMemory (3 IoCs)
description | pid | Process | procid_target
PID 3540 wrote to memory of 4776 | 3540 | 57497d9e31c87d24875f9a0223e26f7be27b1cabf745f7e37a13649855a1ba43.exe | 104
PID 3540 wrote to memory of 4776 | 3540 | 57497d9e31c87d24875f9a0223e26f7be27b1cabf745f7e37a13649855a1ba43.exe | 104
PID 3540 wrote to memory of 4776 | 3540 | 57497d9e31c87d24875f9a0223e26f7be27b1cabf745f7e37a13649855a1ba43.exe | 104
Processes
1. C:\Users\Admin\AppData\Local\Temp\57497d9e31c87d24875f9a0223e26f7be27b1cabf745f7e37a13649855a1ba43.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\57497d9e31c87d24875f9a0223e26f7be27b1cabf745f7e37a13649855a1ba43.exe"
   PID: 3540
   - Modifies visibility of hidden/system files in Explorer
   - Checks computer location settings
   - Adds Run key to start application
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\beuwaq.exe (child of the process above)
      Command line: "C:\Users\Admin\beuwaq.exe"
      PID: 4776
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 192KB
- MD5: b844557075c8d1c261b9c770d15bc02c
- SHA1: 1d906951058b92b10e140f49be720834f0366208
- SHA256: 23d755bd8de279b4fdd2a3944aaa563cf0b53af4778e9580dc764a520b6afdbe
- SHA512: 24e92ac8dca2dbb841c17b4a6b6394c1a775adb3ca06526fce9171bbc139faadd26798123005b1c860afb13ac3bf2197bb0cb052f0fa79497a1dfd890512c587