Analysis

  • max time kernel
    172s
  • max time network
    167s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    14/10/2022, 10:21

General

  • Target

    ce0e0ddd931275dd46cf2b9e5340710d4a8dd35b9329bc80dcf5c5a03c6de933.exe

  • Size

    224KB

  • MD5

    06bbc53b49018d32dc7fc9e200b625aa

  • SHA1

    d80629f062ab296613f0d9874ade0b34c64fcf8a

  • SHA256

    ce0e0ddd931275dd46cf2b9e5340710d4a8dd35b9329bc80dcf5c5a03c6de933

  • SHA512

    2d5d9875d582df84dd35100295574c9b6906d95d6fc1813b52d48eac6df20d8e0dc9a693999155b9b63dba1901d2b1b4dcd1250934ace8e5ede65fed9649caed

  • SSDEEP

    3072:3XyqNsMoBu5ZVpl2mclbj4Uvx+8ysNOu+2eRcKksU61JkkX39RLrw4ySKUbax2+l:yqN5Np4LnbmlrZW

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 28 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ce0e0ddd931275dd46cf2b9e5340710d4a8dd35b9329bc80dcf5c5a03c6de933.exe
    "C:\Users\Admin\AppData\Local\Temp\ce0e0ddd931275dd46cf2b9e5340710d4a8dd35b9329bc80dcf5c5a03c6de933.exe"
    1⤵
    • Modifies visibility of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1080
    • C:\Users\Admin\poacaq.exe
      "C:\Users\Admin\poacaq.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:1480
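Endpoint triage for the behaviours the report attributes to both processes (Run-key persistence, Explorer hidden/system-file visibility change, country-code lookup) plus a hash match on the dropped poacaq.exe. This is an added example, not part of the Triage report or its signature definitions; the registry paths are the ones I assume those signatures key on (HKCU\...\Explorer\Advanced Hidden/ShowSuperHidden and HKCU\Control Panel\International\Geo\Nation), so confirm them against your own sandbox before relying on the output. The SHA256 values are taken from the report; the profile-wide glob for poacaq.exe is an assumption, since the sample dropped it under the sandbox user's profile (C:\Users\Admin).

```powershell
# Added example: hunt a Windows host for the registry and file IoCs listed
# in the report. Run as an administrator to read HKLM consistently.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)

# Run entries whose command points at an .exe directly under a user profile
# (the pattern seen here: C:\Users\Admin\poacaq.exe) are flagged.
$runFindings = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }      # skip PSPath, PSParentPath, ...
        $cmd = [string]$p.Value
        # -match is case-insensitive; '\\' in a single-quoted string is one regex backslash
        if ($cmd -match '\\Users\\[^\\]+\\[^\\]+\.exe') {
            [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $cmd }
        }
    }
}
"Run-key entries launching from a user profile:"
$runFindings | Format-Table -AutoSize

# Explorer visibility settings (assumed target of the "Modifies visibility"
# signature). Hidden: 1 = show hidden files, 2 = hide. ShowSuperHidden:
# 1 = show protected OS files, 0 = hide them.
$advPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$adv = Get-ItemProperty -Path $advPath -ErrorAction SilentlyContinue
"Explorer Hidden={0} ShowSuperHidden={1}" -f $adv.Hidden, $adv.ShowSuperHidden

# Country code the sample is reported to look up (assumed key). Nation is a
# GeoID, e.g. 244 = United States.
$geo = Get-ItemProperty -Path 'HKCU:\Control Panel\International\Geo' -ErrorAction SilentlyContinue
"Geo Nation={0}" -f $geo.Nation

# Hash match on the dropped file. Note from the report: poacaq.exe has the
# same size as the parent (224KB) but a different hash, so it is not a
# byte-identical copy; match on both known values.
$knownSha256 = @(
    'ce0e0ddd931275dd46cf2b9e5340710d4a8dd35b9329bc80dcf5c5a03c6de933',  # submitted sample
    '9f0c3a6996747f658d1c4cfa64c241cc4d541c5cbe2ca6d4d685f38a29d1352f'   # dropped poacaq.exe
)
"Dropped-file check:"
Get-ChildItem -Path 'C:\Users\*\poacaq.exe' -ErrorAction SilentlyContinue | ForEach-Object {
    $h = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash.ToLower()
    [pscustomobject]@{
        Path     = $_.FullName
        SHA256   = $h
        KnownIoC = ($knownSha256 -contains $h)
    }
} | Format-Table -AutoSize
```

A hit on the Run-key check alone is only a lead (plenty of legitimate software installs into the profile); a Run entry pointing at a file whose hash matches one of the two report values is a confirmed match. A Hidden value of 2 with ShowSuperHidden 0 is the Windows default, so treat a change there as corroborating evidence rather than a standalone indicator.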

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\poacaq.exe

    Filesize

    224KB

    MD5

    ceebef4f98ae2cee2505fe5217e76ebc

    SHA1

    3d8a0fc44ee19dfc7475168ce9bb09e0848db76e

    SHA256

    9f0c3a6996747f658d1c4cfa64c241cc4d541c5cbe2ca6d4d685f38a29d1352f

    SHA512

    52c280364d98da1a07572dc6421cf491376f2b649e8bf34c66be55588e5bde979200f89466a7198f7d9daec6adf32bc84b2f66f43292bbec8c6e2db74574ccc3
