Analysis

  • max time kernel
    152s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02/10/2022, 00:37

General

  • Target

    8cd633a558dfc1546a252ce597e95659219f02d53c0d1e4d17eedd4905706089.exe

  • Size

    228KB

  • MD5

    6c38bb5f7bdeb6ef00c72da4762ad430

  • SHA1

    560fc39783b4df2a828616db87b53187644822f5

  • SHA256

    8cd633a558dfc1546a252ce597e95659219f02d53c0d1e4d17eedd4905706089

  • SHA512

    4b185e9ef3f39cb8bd378884987686eb9ef1a25616b7d0469120ed1b4245bf4767d5d5f42b3c05f571e6b08f9791ff72aa38ef74f5b0c455845b23cd151e2ce5

  • SSDEEP

    3072:ug4ixi5UYJVFV5eDQHsuvNA05Vqtto24VmcZMUuXi46qndeAxIbYpu0:T83JrLeDQHr+uV0to24VmlUuSvqEK

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
  • Executes dropped EXE (1 IoC)
  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up the country code configured in the registry, likely a geofence check.

  • Adds Run key to start application (2 TTPs, 55 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of SetWindowsHookEx (2 IoCs)
  • Suspicious use of WriteProcessMemory (3 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\8cd633a558dfc1546a252ce597e95659219f02d53c0d1e4d17eedd4905706089.exe
    "C:\Users\Admin\AppData\Local\Temp\8cd633a558dfc1546a252ce597e95659219f02d53c0d1e4d17eedd4905706089.exe"
    1⤵
    • Modifies visibility of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2160
    • C:\Users\Admin\giovo.exe
      "C:\Users\Admin\giovo.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:4816

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\giovo.exe

    Filesize

    228KB

    MD5

    0958bc3cdb4744600f2a300b35f333e7

    SHA1

    62cf8236538df85ff0fbc2f08728d882d94ce629

    SHA256

    4025a2f7a7fccaf3de4b64ee2ed02a682ca31f7cd0e796b102e2a2e5d39e0deb

    SHA512

    daabf417274c35e716c85bc55d92cac2b95ef01d91af2d6322369f762e3dbe3ee96e58c4c90e61d86dfe90c3960f8803115d2100acea8e3a4e1ec24269bc18c0