Analysis
- max time kernel: 151s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02/10/2022, 00:23
Static task
- static1
Behavioral task
- behavioral1
  - Sample: 3fda80aa592ed472876f1bfe25570a8b8a7366883ccf7a4a705deb1db7bbea25.exe
  - Resource: win7-20220812-en
Behavioral task
- behavioral2
  - Sample: 3fda80aa592ed472876f1bfe25570a8b8a7366883ccf7a4a705deb1db7bbea25.exe
  - Resource: win10v2004-20220812-en
General
- Target: 3fda80aa592ed472876f1bfe25570a8b8a7366883ccf7a4a705deb1db7bbea25.exe
- Size: 77KB
- MD5: 6ff07ca2d5d498017d6187c25e9f2748
- SHA1: 331b9880c951b233b0760c20cfa3a0172ddb879b
- SHA256: 3fda80aa592ed472876f1bfe25570a8b8a7366883ccf7a4a705deb1db7bbea25
- SHA512: cf37af5827bfd372789c6a3ca34c3146b65476c24e923d076b079006e071397c63b4aa9a2b322864196398e849c13e26cd96913b4cbdf568e9149132203d93fe
- SSDEEP: 1536:0tU9goIw15Bx8pEttgdO/mXpgWXOJgQmmogDcMH5fCVsJVafuegWXAi+oX9tWV0x:MU9goIw15Bx8pEttgdO/mXpgWXOJgQmv
Malware Config
Signatures
- Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
  Set value (int): \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (process: cualaa.exe)
  ShowSuperHidden = 0 is the Explorer option "Hide protected operating system files", so anything carrying the hidden and system attributes stays out of sight in Explorer even if the user has enabled "Show hidden files".
- Executes dropped EXE (1 IoC)
  PID 4868: cualaa.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation (process: 3fda80aa592ed472876f1bfe25570a8b8a7366883ccf7a4a705deb1db7bbea25.exe)
  Note that the lookup is made by the original sample, before cualaa.exe is dropped; the sandbox locale is en-us (see resource tags), so behaviour under other locales is not covered by this run.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Key created: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run\ (process: cualaa.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cualaa = "C:\Users\Admin\cualaa.exe" (process: cualaa.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  This is the sandbox's generic description for the signature; no other signature in this report (no mass file writes, no ransom note, no encryption activity) supports a ransomware classification, so treat it as drive enumeration until other evidence appears.
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 4868: cualaa.exe (64 identical entries)
- Suspicious use of SetWindowsHookEx (2 IoCs)
  PID 1444: 3fda80aa592ed472876f1bfe25570a8b8a7366883ccf7a4a705deb1db7bbea25.exe
  PID 4868: cualaa.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  PID 1444 (3fda80aa592ed472876f1bfe25570a8b8a7366883ccf7a4a705deb1db7bbea25.exe) wrote to memory of 4868, procid_target 82 (3 entries)
  PID 4868 (cualaa.exe) wrote to memory of 1444, procid_target 81 (the remaining 61 of the 64 listed entries)
  Note the direction: after the three parent-to-child writes that accompany the launch of cualaa.exe, it is the dropped child that repeatedly writes into its parent's memory.
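The three registry behaviours above (a Run value pointing into the user profile root, ShowSuperHidden forced to 0, and a read of Control Panel\International\Geo\Nation) are the cheapest of these signatures to detect on a real host. The following is an added example, not code from the report or from the sandbox, of how to turn them into detection logic and run it over registry events. It assumes Sysmon-style fields (EventType, TargetObject, Details, Image) as the log schema, and the five records at the bottom are constructed for the example; the first three mirror the report's IoCs (with a placeholder name, sample.exe, for the submitted binary) and the last two are benign look-alikes that must not fire. Sysmon does not log value reads, so the Geo\Nation rule only matches on a source that records queries (EDR or sandbox traces).

```python
"""Detection logic for the registry behaviours flagged in the report:
Run-key autorun into the user profile root, ShowSuperHidden set to 0,
and a lookup of Control Panel\\International\\Geo\\Nation.

Events are modelled on Sysmon's RegistryEvent fields. That schema and the
sample records below are assumptions for this example, not report data.
"""
import re
from dataclasses import dataclass


@dataclass
class RegistryEvent:
    event_type: str     # "SetValue", "CreateKey", "QueryValue", ...
    target_object: str  # full registry path, hive prefix as the source logs it
    details: str        # value data for SetValue ("DWORD (0x..)" or a string), else ""
    image: str          # process that performed the operation


# The report writes HKCU as \REGISTRY\USER\<SID>; Sysmon writes HKU\<SID>.
# Strip the per-user SID so one rule covers every user on the host.
_USER_HIVE = re.compile(r"^(?:\\REGISTRY\\USER|HKU|HKEY_USERS)\\S-1-5-21-[\d-]+\\", re.I)


def normalize(path: str) -> str:
    """Rewrite any per-user hive prefix to HKCU\\ and lower-case for comparison."""
    return _USER_HIVE.sub(lambda _m: "HKCU\\", path).lower()


RUN_KEY = "hkcu\\software\\microsoft\\windows\\currentversion\\run\\"
SUPER_HIDDEN = "hkcu\\software\\microsoft\\windows\\currentversion\\explorer\\advanced\\showsuperhidden"
GEO_NATION = "hkcu\\control panel\\international\\geo\\nation"

# An autorun target sitting directly in C:\Users\<name>\ (the shape of the
# value in the report) rather than in AppData, Program Files, etc.
_PROFILE_ROOT_EXE = re.compile(r'^"?[a-z]:\\users\\[^\\]+\\[^\\]+\.exe"?', re.I)


def _dword(details: str):
    """Parse Sysmon's 'DWORD (0x00000000)' form or a bare integer; None if neither."""
    m = re.search(r"0x([0-9a-f]+)", details, re.I)
    if m:
        return int(m.group(1), 16)
    return int(details) if details.strip().isdigit() else None


def classify(ev: RegistryEvent) -> list:
    """Return the names of the report's behaviours that one event matches."""
    hits = []
    tgt = normalize(ev.target_object)
    etype = ev.event_type.lower()
    if etype == "setvalue" and tgt.startswith(RUN_KEY):
        hits.append("run_key_persistence")
        if _PROFILE_ROOT_EXE.match(ev.details.strip()):
            hits.append("run_key_in_profile_root")
    if etype == "setvalue" and tgt == SUPER_HIDDEN and _dword(ev.details) == 0:
        hits.append("hide_superhidden_files")
    # Sysmon never emits value reads; this rule needs an EDR/sandbox trace.
    if etype == "queryvalue" and tgt == GEO_NATION:
        hits.append("geo_nation_lookup")
    return hits


def correlate(events) -> dict:
    """Group matched behaviours by the process image that produced them."""
    by_image = {}
    for ev in events:
        for h in classify(ev):
            by_image.setdefault(ev.image, set()).add(h)
    return {img: sorted(hs) for img, hs in by_image.items()}


def high_confidence(events) -> list:
    """Images that persist via Run and show a second behaviour from the report."""
    out = []
    for img, hs in correlate(events).items():
        if "run_key_persistence" in hs and (
            "hide_superhidden_files" in hs or "run_key_in_profile_root" in hs
        ):
            out.append(img)
    return sorted(out)


SID = "S-1-5-21-2629973501-4017243118-3254762364-1000"        # SID from the report
SAMPLE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\sample.exe"  # placeholder name
DROPPED = "C:\\Users\\Admin\\cualaa.exe"

# Constructed records: first three mirror the report's IoCs, last two are benign.
SAMPLE_EVENTS = [
    RegistryEvent("SetValue", f"HKU\\{SID}\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\cualaa",
                  DROPPED, DROPPED),
    RegistryEvent("SetValue", f"HKU\\{SID}\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowSuperHidden",
                  "DWORD (0x00000000)", DROPPED),
    RegistryEvent("QueryValue", f"\\REGISTRY\\USER\\{SID}\\Control Panel\\International\\Geo\\Nation",
                  "", SAMPLE),
    RegistryEvent("SetValue", f"HKU\\{SID}\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
                  '"C:\\Program Files\\Vendor\\updater.exe" /background',
                  "C:\\Program Files\\Vendor\\updater.exe"),
    RegistryEvent("SetValue", f"HKU\\{SID}\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowSuperHidden",
                  "DWORD (0x00000001)", "C:\\Windows\\explorer.exe"),
]

if __name__ == "__main__":
    for img, hs in correlate(SAMPLE_EVENTS).items():
        print(f"{img}: {', '.join(hs)}")
    print("high confidence:", high_confidence(SAMPLE_EVENTS))
```

Run stand-alone it prints the per-image hits and lists cualaa.exe as the only high-confidence image: the vendor updater legitimately writes a Run value and explorer.exe legitimately sets ShowSuperHidden to 1, so neither rule alone is enough, and the correlation across the two behaviours from this report is what separates the dropped binary from ordinary software.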
Processes
- C:\Users\Admin\AppData\Local\Temp\3fda80aa592ed472876f1bfe25570a8b8a7366883ccf7a4a705deb1db7bbea25.exe (PID 1444, command line "C:\Users\Admin\AppData\Local\Temp\3fda80aa592ed472876f1bfe25570a8b8a7366883ccf7a4a705deb1db7bbea25.exe")
  - Checks computer location settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\cualaa.exe (PID 4868, command line "C:\Users\Admin\cualaa.exe")
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 77KB
  MD5: d619ca18508f3939e991e5d92b954c0b
  SHA1: 7bbb5ca8b5e7882a06497cac5063aa4146913816
  SHA256: 9c13c50c68ffd1df801078a7dc0b2c13dfadbd43753ef82149232a07390f26f5
  SHA512: c1e6bf3eed5a75244b326b67bcd62b3be92c882d4a0350e21c34413595cf67bc323d9d6b88b98f2fade740aab690799218476ef4778d00b0890305c81ef6007a
  The file written during the run has the same size as the submitted sample (77KB) but different hashes, so it is not a byte-identical copy of the submission; when hunting, index both sets of hashes rather than only those of the original sample.