Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    151s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20/10/2022, 22:33

General

  • Target

    581c3ff98e057911dd93160b0463f2df708bb78f7a46cd7177ccc7c557e996e2.exe

  • Size

    248KB

  • MD5

    4f79437f9c6df0b3bd8f204e22db1f48

  • SHA1

    65b4365750e5a78ea72bff59d571013b0b7c880f

  • SHA256

    581c3ff98e057911dd93160b0463f2df708bb78f7a46cd7177ccc7c557e996e2

  • SHA512

    1413bb7b051f57197dfb904511aba6bea1e48014637c3e5b442198c6bfe7c02d3ef10d8ffb6d7f3f66972886e4f4e3dc8f443ba8f2b50525c03b5bd081ca5bf5

  • SSDEEP

    6144:TVdVQUyyUf9dgAVRKlqBiErIsKnPmb7/jWal+FfAje+5/RxoOsutOSD/uP39RWyJ:TVmyUf9DRKlqgErIsKnPmb7/jWa1e+5T

Score
10/10

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 54 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\581c3ff98e057911dd93160b0463f2df708bb78f7a46cd7177ccc7c557e996e2.exe
    "C:\Users\Admin\AppData\Local\Temp\581c3ff98e057911dd93160b0463f2df708bb78f7a46cd7177ccc7c557e996e2.exe"
    1⤵
    • Modifies visiblity of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3888
    • C:\Users\Admin\woiveod.exe
      "C:\Users\Admin\woiveod.exe"
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:2680

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\woiveod.exe

    Filesize

    248KB

    MD5

    558459df5a23607499847166bc483968

    SHA1

    598fb6e8cb5fc9bfd62dcc2a13b90c5276436df2

    SHA256

    52b6fb4eba76c762c3fa9142090011cc370b50bcfa2010056e2b97a2e4c0b53d

    SHA512

    5a8430e279d5733a4b6c0cd73566b454504678239c8d267b0a0ae7e715694d8c003d8e872579e1e383b998254cd75b53a1d460cb3c236ed4c6923589b80f44ea

  • C:\Users\Admin\woiveod.exe

    Filesize

    248KB

    MD5

    558459df5a23607499847166bc483968

    SHA1

    598fb6e8cb5fc9bfd62dcc2a13b90c5276436df2

    SHA256

    52b6fb4eba76c762c3fa9142090011cc370b50bcfa2010056e2b97a2e4c0b53d

    SHA512

    5a8430e279d5733a4b6c0cd73566b454504678239c8d267b0a0ae7e715694d8c003d8e872579e1e383b998254cd75b53a1d460cb3c236ed4c6923589b80f44ea