Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    153s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20/10/2022, 22:17

General

  • Target

    af2303c29307324dc076f681a8cc14c290cd4fd508631e38b526f1c71db98379.exe

  • Size

    176KB

  • MD5

    66f1b0b357705bd1381699bf4fedd0d0

  • SHA1

    db1fb7ec1e2a0b156d6068247f56b92252a415f1

  • SHA256

    af2303c29307324dc076f681a8cc14c290cd4fd508631e38b526f1c71db98379

  • SHA512

    d63bea55b94dd5d2f04177d495ab28f57c01692c25b52a9691f57cc230d975f98f77f1258299f7deaed497224a1feed18a6186a27884f1d39976be6e191ba901

  • SSDEEP

    1536:o1DMqzt6IxKAOeoerdl/RgVQ7CpchirxJGOaJ+ibsBRLialOg2QQJYZV44PPSbbQ:IwRe/la27/WD7qaLYABl1VFAnd0

Score
10/10

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 29 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\af2303c29307324dc076f681a8cc14c290cd4fd508631e38b526f1c71db98379.exe
    "C:\Users\Admin\AppData\Local\Temp\af2303c29307324dc076f681a8cc14c290cd4fd508631e38b526f1c71db98379.exe"
    1⤵
    • Modifies visiblity of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2560
    • C:\Users\Admin\peiyaef.exe
      "C:\Users\Admin\peiyaef.exe"
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:4468

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\peiyaef.exe

    Filesize

    176KB

    MD5

    f22afc233d6da713f26a9cca4f175cf7

    SHA1

    5936b33f7029c83358561b0074da0f0f74b40d13

    SHA256

    623e059813ccb819cb8d6fc48c53cc838630201249c5d61f13ccaa17aef0c277

    SHA512

    1f087207bc79fad3e8be2ae2581baf4a51d32966a4ee3e9c24c1bd1842561fbdca9965a31a17315fc59d31505b356f4ab25082c987604839e11180f17048e9ed

  • C:\Users\Admin\peiyaef.exe

    Filesize

    176KB

    MD5

    f22afc233d6da713f26a9cca4f175cf7

    SHA1

    5936b33f7029c83358561b0074da0f0f74b40d13

    SHA256

    623e059813ccb819cb8d6fc48c53cc838630201249c5d61f13ccaa17aef0c277

    SHA512

    1f087207bc79fad3e8be2ae2581baf4a51d32966a4ee3e9c24c1bd1842561fbdca9965a31a17315fc59d31505b356f4ab25082c987604839e11180f17048e9ed