Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
172s -
max time network
173s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
29/10/2022, 23:54
Static task
static1
Behavioral task
behavioral1
Sample
f1e1070f1d55dc02ca28c0c7cc2a6014603df0698c0267c2cab3656d7d660032.exe
Resource
win7-20220812-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
f1e1070f1d55dc02ca28c0c7cc2a6014603df0698c0267c2cab3656d7d660032.exe
Resource
win10v2004-20220812-en
windows10-2004-x64
8 signatures
150 seconds
General
-
Target
f1e1070f1d55dc02ca28c0c7cc2a6014603df0698c0267c2cab3656d7d660032.exe
-
Size
192KB
-
MD5
937f9c35634e6a516eb98f0e207c3eb6
-
SHA1
6945bb23f1dcbbe337f17bf43690d8ae4b485abb
-
SHA256
f1e1070f1d55dc02ca28c0c7cc2a6014603df0698c0267c2cab3656d7d660032
-
SHA512
60714b3df6889d80d1805971500cc65102a27718f080c848c847a3fd25ff16a352910b37d6d0be0ae3b61fe44514465258380c756a14d04a42b69b1f57ad0d3c
-
SSDEEP
1536:hIHABQruHlTERgPRi4iti93MH9iV6MRfWzzp3BHReQbIYL2XoPLJB514R9/dJqiD:u2QraTHRi4itiSHXzp3uYTPLJOhD
Score
10/10
Malware Config
Signatures
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" f1e1070f1d55dc02ca28c0c7cc2a6014603df0698c0267c2cab3656d7d660032.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" hoidaq.exe -
Executes dropped EXE 1 IoCs
pid Process 4868 hoidaq.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation f1e1070f1d55dc02ca28c0c7cc2a6014603df0698c0267c2cab3656d7d660032.exe -
Adds Run key to start application 2 TTPs 29 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hoidaq = "C:\\Users\\Admin\\hoidaq.exe /b" hoidaq.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hoidaq = "C:\\Users\\Admin\\hoidaq.exe /e" hoidaq.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hoidaq = "C:\\Users\\Admin\\hoidaq.exe /h" hoidaq.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hoidaq = "C:\\Users\\Admin\\hoidaq.exe /l" hoidaq.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hoidaq = "C:\\Users\\Admin\\hoidaq.exe /t" hoidaq.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hoidaq = "C:\\Users\\Admin\\hoidaq.exe /s" hoidaq.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hoidaq = "C:\\Users\\Admin\\hoidaq.exe /x" hoidaq.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hoidaq = "C:\\Users\\Admin\\hoidaq.exe /a" hoidaq.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hoidaq = "C:\\Users\\Admin\\hoidaq.exe /i" hoidaq.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hoidaq = "C:\\Users\\Admin\\hoidaq.exe /s" f1e1070f1d55dc02ca28c0c7cc2a6014603df0698c0267c2cab3656d7d660032.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hoidaq = "C:\\Users\\Admin\\hoidaq.exe /n" hoidaq.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hoidaq = "C:\\Users\\Admin\\hoidaq.exe /d" hoidaq.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hoidaq = "C:\\Users\\Admin\\hoidaq.exe /r" hoidaq.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hoidaq = "C:\\Users\\Admin\\hoidaq.exe /o" hoidaq.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hoidaq = "C:\\Users\\Admin\\hoidaq.exe /p" hoidaq.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hoidaq = "C:\\Users\\Admin\\hoidaq.exe /q" hoidaq.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hoidaq = "C:\\Users\\Admin\\hoidaq.exe /c" hoidaq.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hoidaq = "C:\\Users\\Admin\\hoidaq.exe /m" hoidaq.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run\ f1e1070f1d55dc02ca28c0c7cc2a6014603df0698c0267c2cab3656d7d660032.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hoidaq = "C:\\Users\\Admin\\hoidaq.exe /g" hoidaq.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hoidaq = "C:\\Users\\Admin\\hoidaq.exe /z" hoidaq.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hoidaq = "C:\\Users\\Admin\\hoidaq.exe /k" hoidaq.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hoidaq = "C:\\Users\\Admin\\hoidaq.exe /u" hoidaq.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hoidaq = "C:\\Users\\Admin\\hoidaq.exe /f" hoidaq.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run\ hoidaq.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hoidaq = "C:\\Users\\Admin\\hoidaq.exe /j" hoidaq.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hoidaq = "C:\\Users\\Admin\\hoidaq.exe /w" hoidaq.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hoidaq = "C:\\Users\\Admin\\hoidaq.exe /y" hoidaq.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hoidaq = "C:\\Users\\Admin\\hoidaq.exe /v" hoidaq.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 5064 f1e1070f1d55dc02ca28c0c7cc2a6014603df0698c0267c2cab3656d7d660032.exe 5064 f1e1070f1d55dc02ca28c0c7cc2a6014603df0698c0267c2cab3656d7d660032.exe 4868 hoidaq.exe 4868 hoidaq.exe 4868 hoidaq.exe 4868 hoidaq.exe 4868 hoidaq.exe 4868 hoidaq.exe 4868 hoidaq.exe 4868 hoidaq.exe 4868 hoidaq.exe 4868 hoidaq.exe 4868 hoidaq.exe 4868 hoidaq.exe 4868 hoidaq.exe 4868 hoidaq.exe 4868 hoidaq.exe 4868 hoidaq.exe 4868 hoidaq.exe 4868 hoidaq.exe 4868 hoidaq.exe 4868 hoidaq.exe 4868 hoidaq.exe 4868 hoidaq.exe 4868 hoidaq.exe 4868 hoidaq.exe 4868 hoidaq.exe 4868 hoidaq.exe 4868 hoidaq.exe 4868 hoidaq.exe 4868 hoidaq.exe 4868 hoidaq.exe 4868 hoidaq.exe 4868 hoidaq.exe 4868 hoidaq.exe 4868 hoidaq.exe 4868 hoidaq.exe 4868 hoidaq.exe 4868 hoidaq.exe 4868 hoidaq.exe 4868 hoidaq.exe 4868 hoidaq.exe 4868 hoidaq.exe 4868 hoidaq.exe 4868 hoidaq.exe 4868 hoidaq.exe 4868 hoidaq.exe 4868 hoidaq.exe 4868 hoidaq.exe 4868 hoidaq.exe 4868 hoidaq.exe 4868 hoidaq.exe 4868 hoidaq.exe 4868 hoidaq.exe 4868 hoidaq.exe 4868 hoidaq.exe 4868 hoidaq.exe 4868 hoidaq.exe 4868 hoidaq.exe 4868 hoidaq.exe 4868 hoidaq.exe 4868 hoidaq.exe 4868 hoidaq.exe 4868 hoidaq.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 5064 f1e1070f1d55dc02ca28c0c7cc2a6014603df0698c0267c2cab3656d7d660032.exe 4868 hoidaq.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 5064 wrote to memory of 4868 5064 f1e1070f1d55dc02ca28c0c7cc2a6014603df0698c0267c2cab3656d7d660032.exe 83 PID 5064 wrote to memory of 4868 5064 f1e1070f1d55dc02ca28c0c7cc2a6014603df0698c0267c2cab3656d7d660032.exe 83 PID 5064 wrote to memory of 4868 5064 f1e1070f1d55dc02ca28c0c7cc2a6014603df0698c0267c2cab3656d7d660032.exe 83
Processes
-
C:\Users\Admin\AppData\Local\Temp\f1e1070f1d55dc02ca28c0c7cc2a6014603df0698c0267c2cab3656d7d660032.exe"C:\Users\Admin\AppData\Local\Temp\f1e1070f1d55dc02ca28c0c7cc2a6014603df0698c0267c2cab3656d7d660032.exe"1⤵
- Modifies visiblity of hidden/system files in Explorer
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5064 -
C:\Users\Admin\hoidaq.exe"C:\Users\Admin\hoidaq.exe"2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4868
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
192KB
MD5ab7a4b66e88a7669614ca1de9b7c6d7b
SHA141baff4ed12fda301aec36172440414e8ce2551e
SHA2569f1d3c7abab714ac983ae781153e976448e8d463da8500d62a665d5c20b803d0
SHA512582f851511c4860927611e58d2af99807701f831154e3421b893a65b6b7d2bf75f2225a876ecbbed15595e625b5c78f0cc95491dfd9c1cf245a0214541be5d09
-
Filesize
192KB
MD5ab7a4b66e88a7669614ca1de9b7c6d7b
SHA141baff4ed12fda301aec36172440414e8ce2551e
SHA2569f1d3c7abab714ac983ae781153e976448e8d463da8500d62a665d5c20b803d0
SHA512582f851511c4860927611e58d2af99807701f831154e3421b893a65b6b7d2bf75f2225a876ecbbed15595e625b5c78f0cc95491dfd9c1cf245a0214541be5d09