Analysis

  • max time kernel
    152s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21/10/2022, 02:40

General

  • Target

    cd2c90e134a064ae61b2abd899251440f9a373b3688b27639c49f25449b5f52a.exe

  • Size

    304KB

  • MD5

    63da5c277d57a134f48ded57cecec30a

  • SHA1

    b6ed7ab6bb2823e96488602235aae3817120019c

  • SHA256

    cd2c90e134a064ae61b2abd899251440f9a373b3688b27639c49f25449b5f52a

  • SHA512

    b9343a942be448ab896caaa4c6eb6509284d030e16245d3f54e1e88b81981bbd6dc9509a3f88ebee16e63ebf6c16b150c58948aa691d160e64ec9a7a18e17e26

  • SSDEEP

    3072:Gdf1i2Dwhe6YIRnbXtcU7DAzKqc+Fn1op2aEaDFHT+7pvPxvHU0:5xH7anxla8xv

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 29 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cd2c90e134a064ae61b2abd899251440f9a373b3688b27639c49f25449b5f52a.exe
    "C:\Users\Admin\AppData\Local\Temp\cd2c90e134a064ae61b2abd899251440f9a373b3688b27639c49f25449b5f52a.exe"
    1⤵
    • Modifies visibility of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4424
    • C:\Users\Admin\vuieviw.exe
      "C:\Users\Admin\vuieviw.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:2064

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\vuieviw.exe

    Filesize

    304KB

    MD5

    d521bacfdaf76de982819d83abf7d1cf

    SHA1

    1ff64c035a9d4b325b7192e9a1de3a6b42132e4c

    SHA256

    659275726e8d2526f596e0a5ce60d86b7aa903d8ea287d82e16ed7736745ede5

    SHA512

    ad34b0c96feb5027ab7e5f557fb9c707ff8a52225a149169df5817152b2e7d540fe48d2f6256d0c97bba148c3c109579a8ff52845a7e2348a9e163396e12fd12