Analysis
- max time kernel: 152s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20/10/2022, 22:13
Static task
- static1

Behavioral task
- behavioral1
  Sample: e6173e325e953b4c723c2d48a8ad1e764e44ede3eefcaf54d5eea7c0eb6f052b.exe
  Resource: win7-20220812-en

Behavioral task
- behavioral2
  Sample: e6173e325e953b4c723c2d48a8ad1e764e44ede3eefcaf54d5eea7c0eb6f052b.exe
  Resource: win10v2004-20220901-en
General
- Target: e6173e325e953b4c723c2d48a8ad1e764e44ede3eefcaf54d5eea7c0eb6f052b.exe
- Size: 272KB
- MD5: 4e5cd7aab2d7865018ce6724740bcc80
- SHA1: cc99b0c2a2d916dac2f7143dd981db82a4161222
- SHA256: e6173e325e953b4c723c2d48a8ad1e764e44ede3eefcaf54d5eea7c0eb6f052b
- SHA512: 12ddc638a7aec9b447355beb72af468741b56b20f4cf20cf03eb0ed7d14739c8c0f1c40d1dc710c2f3ff76f543020c0396288428c6cd152187ec94d4fc824033
- SSDEEP: 3072:0jsxTNg91R0FvbVJznCRcy/hqF69MSs/PLLK+ammU3YwgTeA3P9:ZzS8fznHC39G/PLLKU3YwgT
Malware Config
Signatures

- Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | e6173e325e953b4c723c2d48a8ad1e764e44ede3eefcaf54d5eea7c0eb6f052b.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | piokuaf.exe
- Executes dropped EXE (1 IoCs)
  pid | Process
  1416 | piokuaf.exe

- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | e6173e325e953b4c723c2d48a8ad1e764e44ede3eefcaf54d5eea7c0eb6f052b.exe
- Adds Run key to start application (2 TTPs, 28 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\piokuaf = "C:\\Users\\Admin\\piokuaf.exe /q" | piokuaf.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\piokuaf = "C:\\Users\\Admin\\piokuaf.exe /p" | piokuaf.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\piokuaf = "C:\\Users\\Admin\\piokuaf.exe /s" | piokuaf.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\piokuaf = "C:\\Users\\Admin\\piokuaf.exe /k" | piokuaf.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\piokuaf = "C:\\Users\\Admin\\piokuaf.exe /d" | piokuaf.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\piokuaf = "C:\\Users\\Admin\\piokuaf.exe /c" | piokuaf.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\piokuaf = "C:\\Users\\Admin\\piokuaf.exe /l" | piokuaf.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\piokuaf = "C:\\Users\\Admin\\piokuaf.exe /x" | piokuaf.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\piokuaf = "C:\\Users\\Admin\\piokuaf.exe /e" | piokuaf.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\piokuaf = "C:\\Users\\Admin\\piokuaf.exe /g" | piokuaf.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\piokuaf = "C:\\Users\\Admin\\piokuaf.exe /b" | piokuaf.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\piokuaf = "C:\\Users\\Admin\\piokuaf.exe /v" | piokuaf.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\piokuaf = "C:\\Users\\Admin\\piokuaf.exe /f" | piokuaf.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\piokuaf = "C:\\Users\\Admin\\piokuaf.exe /z" | piokuaf.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\piokuaf = "C:\\Users\\Admin\\piokuaf.exe /r" | piokuaf.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\piokuaf = "C:\\Users\\Admin\\piokuaf.exe /h" | piokuaf.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\piokuaf = "C:\\Users\\Admin\\piokuaf.exe /t" | piokuaf.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\piokuaf = "C:\\Users\\Admin\\piokuaf.exe /i" | piokuaf.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\piokuaf = "C:\\Users\\Admin\\piokuaf.exe /w" | piokuaf.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\piokuaf = "C:\\Users\\Admin\\piokuaf.exe /o" | piokuaf.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\piokuaf = "C:\\Users\\Admin\\piokuaf.exe /a" | piokuaf.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\piokuaf = "C:\\Users\\Admin\\piokuaf.exe /n" | piokuaf.exe
  Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run\ | piokuaf.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\piokuaf = "C:\\Users\\Admin\\piokuaf.exe /m" | piokuaf.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\piokuaf = "C:\\Users\\Admin\\piokuaf.exe /u" | piokuaf.exe
  Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run\ | e6173e325e953b4c723c2d48a8ad1e764e44ede3eefcaf54d5eea7c0eb6f052b.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\piokuaf = "C:\\Users\\Admin\\piokuaf.exe /s" | e6173e325e953b4c723c2d48a8ad1e764e44ede3eefcaf54d5eea7c0eb6f052b.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\piokuaf = "C:\\Users\\Admin\\piokuaf.exe /y" | piokuaf.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Modifies registry class (1 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings | e6173e325e953b4c723c2d48a8ad1e764e44ede3eefcaf54d5eea7c0eb6f052b.exe

- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  4060 | e6173e325e953b4c723c2d48a8ad1e764e44ede3eefcaf54d5eea7c0eb6f052b.exe (2 entries)
  1416 | piokuaf.exe (remaining 62 entries)

- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | Process
  4060 | e6173e325e953b4c723c2d48a8ad1e764e44ede3eefcaf54d5eea7c0eb6f052b.exe
  1416 | piokuaf.exe

- Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | Process | procid_target
  PID 4060 wrote to memory of 1416 | 4060 | e6173e325e953b4c723c2d48a8ad1e764e44ede3eefcaf54d5eea7c0eb6f052b.exe | 83
  PID 4060 wrote to memory of 1416 | 4060 | e6173e325e953b4c723c2d48a8ad1e764e44ede3eefcaf54d5eea7c0eb6f052b.exe | 83
  PID 4060 wrote to memory of 1416 | 4060 | e6173e325e953b4c723c2d48a8ad1e764e44ede3eefcaf54d5eea7c0eb6f052b.exe | 83
Processes

- C:\Users\Admin\AppData\Local\Temp\e6173e325e953b4c723c2d48a8ad1e764e44ede3eefcaf54d5eea7c0eb6f052b.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\e6173e325e953b4c723c2d48a8ad1e764e44ede3eefcaf54d5eea7c0eb6f052b.exe"
  - Modifies visibility of hidden/system files in Explorer
  - Checks computer location settings
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 4060

  - C:\Users\Admin\piokuaf.exe (depth 2)
    Command line: "C:\Users\Admin\piokuaf.exe"
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID: 1416

- C:\Windows\System32\rundll32.exe (depth 1)
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 4544
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 272KB
  MD5: 4e5cd7aab2d7865018ce6724740bcc80
  SHA1: cc99b0c2a2d916dac2f7143dd981db82a4161222
  SHA256: e6173e325e953b4c723c2d48a8ad1e764e44ede3eefcaf54d5eea7c0eb6f052b
  SHA512: 12ddc638a7aec9b447355beb72af468741b56b20f4cf20cf03eb0ed7d14739c8c0f1c40d1dc710c2f3ff76f543020c0396288428c6cd152187ec94d4fc824033