Analysis
max time kernel: 172s
max time network: 167s
platform: windows10-2004_x64
resource: win10v2004-20220812-en (the behavioral2 task; the signatures and process tree below come from this run)
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14/10/2022, 10:21
Static task
static1

Behavioral task
behavioral1
Sample: ce0e0ddd931275dd46cf2b9e5340710d4a8dd35b9329bc80dcf5c5a03c6de933.exe
Resource: win7-20220901-en

Behavioral task
behavioral2
Sample: ce0e0ddd931275dd46cf2b9e5340710d4a8dd35b9329bc80dcf5c5a03c6de933.exe
Resource: win10v2004-20220812-en
General
Target: ce0e0ddd931275dd46cf2b9e5340710d4a8dd35b9329bc80dcf5c5a03c6de933.exe
Size: 224KB
MD5: 06bbc53b49018d32dc7fc9e200b625aa
SHA1: d80629f062ab296613f0d9874ade0b34c64fcf8a
SHA256: ce0e0ddd931275dd46cf2b9e5340710d4a8dd35b9329bc80dcf5c5a03c6de933
SHA512: 2d5d9875d582df84dd35100295574c9b6906d95d6fc1813b52d48eac6df20d8e0dc9a693999155b9b63dba1901d2b1b4dcd1250934ace8e5ede65fed9649caed
SSDEEP: 3072:3XyqNsMoBu5ZVpl2mclbj4Uvx+8ysNOu+2eRcKksU61JkkX39RLrw4ySKUbax2+l:yqN5Np4LnbmlrZW
Malware Config
Signatures
-
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
ShowSuperHidden = 0 turns Explorer's "Hide protected operating system files" option back on, so files carrying the Hidden and System attributes are not shown to the user. Both the original sample and the dropped copy make the change.
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | ce0e0ddd931275dd46cf2b9e5340710d4a8dd35b9329bc80dcf5c5a03c6de933.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | poacaq.exe
Executes dropped EXE (1 IoC)
pid | Process
1480 | poacaq.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | ce0e0ddd931275dd46cf2b9e5340710d4a8dd35b9329bc80dcf5c5a03c6de933.exe
Adds Run key to start application (2 TTPs, 28 IoCs)
All 26 "Set value" entries write the same value name under the same Run key and differ only in the command-line switch; the original sample writes it once (/u) and the dropped poacaq.exe rewrites it 25 times. The two "Key created" entries open the Run key itself. Because the key lives in the user hive and the target sits in the user profile, no elevation is needed, and a detection should key on the target path C:\Users\Admin\poacaq.exe rather than on any one full command line.
Key (all rows): \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
description | ioc (relative to the key above) | Process
Set value (str) | poacaq = "C:\\Users\\Admin\\poacaq.exe /h" | poacaq.exe
Set value (str) | poacaq = "C:\\Users\\Admin\\poacaq.exe /u" | ce0e0ddd931275dd46cf2b9e5340710d4a8dd35b9329bc80dcf5c5a03c6de933.exe
Set value (str) | poacaq = "C:\\Users\\Admin\\poacaq.exe /x" | poacaq.exe
Set value (str) | poacaq = "C:\\Users\\Admin\\poacaq.exe /q" | poacaq.exe
Set value (str) | poacaq = "C:\\Users\\Admin\\poacaq.exe /m" | poacaq.exe
Set value (str) | poacaq = "C:\\Users\\Admin\\poacaq.exe /y" | poacaq.exe
Set value (str) | poacaq = "C:\\Users\\Admin\\poacaq.exe /t" | poacaq.exe
Set value (str) | poacaq = "C:\\Users\\Admin\\poacaq.exe /l" | poacaq.exe
Set value (str) | poacaq = "C:\\Users\\Admin\\poacaq.exe /b" | poacaq.exe
Set value (str) | poacaq = "C:\\Users\\Admin\\poacaq.exe /f" | poacaq.exe
Set value (str) | poacaq = "C:\\Users\\Admin\\poacaq.exe /d" | poacaq.exe
Set value (str) | poacaq = "C:\\Users\\Admin\\poacaq.exe /o" | poacaq.exe
Set value (str) | poacaq = "C:\\Users\\Admin\\poacaq.exe /j" | poacaq.exe
Key created | (the Run key itself) | poacaq.exe
Set value (str) | poacaq = "C:\\Users\\Admin\\poacaq.exe /p" | poacaq.exe
Set value (str) | poacaq = "C:\\Users\\Admin\\poacaq.exe /i" | poacaq.exe
Set value (str) | poacaq = "C:\\Users\\Admin\\poacaq.exe /a" | poacaq.exe
Set value (str) | poacaq = "C:\\Users\\Admin\\poacaq.exe /w" | poacaq.exe
Key created | (the Run key itself) | ce0e0ddd931275dd46cf2b9e5340710d4a8dd35b9329bc80dcf5c5a03c6de933.exe
Set value (str) | poacaq = "C:\\Users\\Admin\\poacaq.exe /z" | poacaq.exe
Set value (str) | poacaq = "C:\\Users\\Admin\\poacaq.exe /c" | poacaq.exe
Set value (str) | poacaq = "C:\\Users\\Admin\\poacaq.exe /u" | poacaq.exe
Set value (str) | poacaq = "C:\\Users\\Admin\\poacaq.exe /r" | poacaq.exe
Set value (str) | poacaq = "C:\\Users\\Admin\\poacaq.exe /k" | poacaq.exe
Set value (str) | poacaq = "C:\\Users\\Admin\\poacaq.exe /g" | poacaq.exe
Set value (str) | poacaq = "C:\\Users\\Admin\\poacaq.exe /v" | poacaq.exe
Set value (str) | poacaq = "C:\\Users\\Admin\\poacaq.exe /s" | poacaq.exe
Set value (str) | poacaq = "C:\\Users\\Admin\\poacaq.exe /e" | poacaq.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Triage's generic description for this signature reads "Likely ransomware behaviour", but the report lists no IoCs for it, so treat it as a weak signal on its own.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
1080 | ce0e0ddd931275dd46cf2b9e5340710d4a8dd35b9329bc80dcf5c5a03c6de933.exe (2 entries)
1480 | poacaq.exe (the remaining 62 entries)
Suspicious use of SetWindowsHookEx (2 IoCs)
pid | Process
1080 | ce0e0ddd931275dd46cf2b9e5340710d4a8dd35b9329bc80dcf5c5a03c6de933.exe
1480 | poacaq.exe
Suspicious use of WriteProcessMemory (3 IoCs)
The parent writes into the address space of the child it launched. Three writes with no further signatures could be injection or ordinary process setup; the memory of PID 1480 is where to confirm which.
description | pid | Process | procid_target
PID 1080 wrote to memory of 1480 | 1080 | ce0e0ddd931275dd46cf2b9e5340710d4a8dd35b9329bc80dcf5c5a03c6de933.exe | 83
PID 1080 wrote to memory of 1480 | 1080 | ce0e0ddd931275dd46cf2b9e5340710d4a8dd35b9329bc80dcf5c5a03c6de933.exe | 83
PID 1080 wrote to memory of 1480 | 1080 | ce0e0ddd931275dd46cf2b9e5340710d4a8dd35b9329bc80dcf5c5a03c6de933.exe | 83
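The signature tables above reduce to three registry indicators: a Run value under the user hive pointing at an executable in the user profile (with a switch that changes on every rewrite), ShowSuperHidden forced to 0, and a read of Control Panel\International\Geo\Nation. The script below is an added example, not code from the Triage report or from the sample. It parses Triage-style registry event lines, normalises the NT object paths (\REGISTRY\USER\<SID>\...) to the HKU\/HKLM\ form that reg.exe, PowerShell and most detection rules use, and flags the three indicators while ignoring a benign autorun. The EVENTS list is constructed from the IoC tables above plus one constructed benign line; the ATT&CK technique IDs in the comments are the editor's mapping, not Triage's.

```python
"""Flag the registry indicators from the report using Triage-style event lines.

Added example, not code from the Triage report or from the sample. EVENTS
is constructed from the report's IoC tables plus one benign line; the
ATT&CK technique IDs are the editor's mapping, not Triage's.
"""
import re

SID = "S-1-5-21-2629973501-4017243118-3254762364-1000"
SAMPLE = "ce0e0ddd931275dd46cf2b9e5340710d4a8dd35b9329bc80dcf5c5a03c6de933.exe"
HKCU = rf"\REGISTRY\USER\{SID}"

# Constructed from the IoC tables; the last line is a constructed benign
# autorun (machine hive, System32 target) that the filter must ignore.
EVENTS = [
    rf'Set value (int) {HKCU}\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" {SAMPLE}',
    rf'Set value (int) {HKCU}\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" poacaq.exe',
    rf'Key value queried {HKCU}\Control Panel\International\Geo\Nation {SAMPLE}',
    rf'Key created {HKCU}\Software\Microsoft\Windows\CurrentVersion\Run\ poacaq.exe',
    rf'Set value (str) {HKCU}\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\poacaq = "C:\\Users\\Admin\\poacaq.exe /u" {SAMPLE}',
    rf'Set value (str) {HKCU}\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\poacaq = "C:\\Users\\Admin\\poacaq.exe /h" poacaq.exe',
    rf'Set value (str) {HKCU}\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\poacaq = "C:\\Users\\Admin\\poacaq.exe /x" poacaq.exe',
    rf'Set value (str) {HKCU}\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\poacaq = "C:\\Users\\Admin\\poacaq.exe /e" poacaq.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth = "C:\\Windows\\System32\\SecurityHealthSystray.exe" explorer.exe',
]

# Line shape: <op> <path>[ = "<data>"] <process>. The path may contain spaces
# ("Control Panel"), so it is matched lazily and the process is the last token.
_EVENT = re.compile(
    r'^(?P<op>Set value \((?P<type>\w+)\)|Key created|Key value queried|Key deleted) '
    r'(?P<path>.+?)(?: = "(?P<data>.*)")? (?P<proc>\S+)$')

RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\[^\\]+$", re.I)
SUPER_HIDDEN = re.compile(r"\\Explorer\\Advanced\\ShowSuperHidden$", re.I)
GEO_NATION = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)
# Autorun target under a user profile, optionally quoted, optionally with switches.
PROFILE_EXE = re.compile(r'^"?(?P<exe>[a-z]:\\Users\\[^\\]+\\.+?\.exe)"?(?:\s+(?P<args>.*))?$', re.I)


def normalize_key(path):
    """\\REGISTRY\\USER\\<SID>\\X -> HKU\\<SID>\\X ; \\REGISTRY\\MACHINE\\X -> HKLM\\X"""
    path = path.rstrip("\\")
    for prefix, hive in (("\\REGISTRY\\USER\\", "HKU\\"), ("\\REGISTRY\\MACHINE\\", "HKLM\\")):
        if path.upper().startswith(prefix):
            return hive + path[len(prefix):]
    return path


def parse_event(line):
    """Split one Triage registry event line into op/type/key/data/process."""
    m = _EVENT.match(line)
    if not m:
        raise ValueError("unrecognised event line: " + line)
    data = m.group("data")
    if data is not None:
        data = data.replace("\\\\", "\\")  # Triage doubles backslashes in REG_SZ data
    return {"op": m.group("op").split(" (")[0], "type": m.group("type"),
            "key": normalize_key(m.group("path")), "data": data, "proc": m.group("proc")}


def analyse(lines):
    """Return the three indicator classes the report lists, grouped for triage."""
    findings = {"run_keys": {}, "hide_system_files": set(), "geo_lookup": set()}
    for ev in map(parse_event, lines):
        key = ev["key"]
        if ev["op"] == "Set value" and RUN_KEY.search(key):
            m = PROFILE_EXE.match(ev["data"] or "")
            if m:  # T1547.001: autorun into a user profile, writable without elevation
                f = findings["run_keys"].setdefault(
                    m.group("exe"), {"values": set(), "args": set(), "writers": set()})
                f["values"].add(key)
                f["args"].add(m.group("args") or "")
                f["writers"].add(ev["proc"])
        elif ev["op"] == "Set value" and SUPER_HIDDEN.search(key) and ev["data"] == "0":
            findings["hide_system_files"].add(ev["proc"])  # T1564.001: re-hide protected OS files
        elif ev["op"] == "Key value queried" and GEO_NATION.search(key):
            findings["geo_lookup"].add(ev["proc"])  # T1614: system location discovery
    return findings


if __name__ == "__main__":
    result = analyse(EVENTS)
    for exe, f in result["run_keys"].items():
        print(f"autorun {exe} via {sorted(f['values'])} switches={sorted(f['args'])} "
              f"written by {sorted(f['writers'])}")
    print("hide system files:", sorted(result["hide_system_files"]))
    print("geo lookup:", sorted(result["geo_lookup"]))
```

Grouping Run values by target executable rather than by full command line is what makes the 26 rewrites collapse into a single finding with a set of switches; the benign SecurityHealth line passes the Run-key test but fails the user-profile test and is dropped. On a live host the same three checks translate directly to reg.exe or PowerShell queries against HKCU.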
Processes
1. "C:\Users\Admin\AppData\Local\Temp\ce0e0ddd931275dd46cf2b9e5340710d4a8dd35b9329bc80dcf5c5a03c6de933.exe" (PID 1080)
   - Modifies visibility of hidden/system files in Explorer
   - Checks computer location settings
   - Adds Run key to start application
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. "C:\Users\Admin\poacaq.exe" (PID 1480, child of PID 1080)
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 224KB
MD5: ceebef4f98ae2cee2505fe5217e76ebc
SHA1: 3d8a0fc44ee19dfc7475168ce9bb09e0848db76e
SHA256: 9f0c3a6996747f658d1c4cfa64c241cc4d541c5cbe2ca6d4d685f38a29d1352f
SHA512: 52c280364d98da1a07572dc6421cf491376f2b649e8bf34c66be55588e5bde979200f89466a7198f7d9daec6adf32bc84b2f66f43292bbec8c6e2db74574ccc3
(The report lists this entry twice with identical hashes.) The file is the same size as the submitted sample but hashes differently. The report does not name it; if it is the dropped poacaq.exe, the copy is not byte-identical to its parent, and hunting on the submitted sample's hashes alone would miss it.