Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    152s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20/10/2022, 22:13

General

  • Target

    e6173e325e953b4c723c2d48a8ad1e764e44ede3eefcaf54d5eea7c0eb6f052b.exe

  • Size

    272KB

  • MD5

    4e5cd7aab2d7865018ce6724740bcc80

  • SHA1

    cc99b0c2a2d916dac2f7143dd981db82a4161222

  • SHA256

    e6173e325e953b4c723c2d48a8ad1e764e44ede3eefcaf54d5eea7c0eb6f052b

  • SHA512

    12ddc638a7aec9b447355beb72af468741b56b20f4cf20cf03eb0ed7d14739c8c0f1c40d1dc710c2f3ff76f543020c0396288428c6cd152187ec94d4fc824033

  • SSDEEP

    3072:0jsxTNg91R0FvbVJznCRcy/hqF69MSs/PLLK+ammU3YwgTeA3P9:ZzS8fznHC39G/PLLKU3YwgT

Score
10/10

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 28 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e6173e325e953b4c723c2d48a8ad1e764e44ede3eefcaf54d5eea7c0eb6f052b.exe
    "C:\Users\Admin\AppData\Local\Temp\e6173e325e953b4c723c2d48a8ad1e764e44ede3eefcaf54d5eea7c0eb6f052b.exe"
    1⤵
    • Modifies visiblity of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4060
    • C:\Users\Admin\piokuaf.exe
      "C:\Users\Admin\piokuaf.exe"
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:1416
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:4544

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\piokuaf.exe

      Filesize

      272KB

      MD5

      4e5cd7aab2d7865018ce6724740bcc80

      SHA1

      cc99b0c2a2d916dac2f7143dd981db82a4161222

      SHA256

      e6173e325e953b4c723c2d48a8ad1e764e44ede3eefcaf54d5eea7c0eb6f052b

      SHA512

      12ddc638a7aec9b447355beb72af468741b56b20f4cf20cf03eb0ed7d14739c8c0f1c40d1dc710c2f3ff76f543020c0396288428c6cd152187ec94d4fc824033

    • C:\Users\Admin\piokuaf.exe

      Filesize

      272KB

      MD5

      4e5cd7aab2d7865018ce6724740bcc80

      SHA1

      cc99b0c2a2d916dac2f7143dd981db82a4161222

      SHA256

      e6173e325e953b4c723c2d48a8ad1e764e44ede3eefcaf54d5eea7c0eb6f052b

      SHA512

      12ddc638a7aec9b447355beb72af468741b56b20f4cf20cf03eb0ed7d14739c8c0f1c40d1dc710c2f3ff76f543020c0396288428c6cd152187ec94d4fc824033