Analysis
- max time kernel: 150s
- max time network: 124s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29/10/2022, 16:32
Static task: static1
Behavioral task: behavioral1
- Sample: 06ba3104a62d7be93356aa9f37347af4e6080e615c36347b6086eaa9a3e4fc2f.exe
- Resource: win7-20220901-en
Behavioral task: behavioral2
- Sample: 06ba3104a62d7be93356aa9f37347af4e6080e615c36347b6086eaa9a3e4fc2f.exe
- Resource: win10v2004-20220901-en
General
- Target: 06ba3104a62d7be93356aa9f37347af4e6080e615c36347b6086eaa9a3e4fc2f.exe
- Size: 260KB
- MD5: 851bfcaa840d8924eab1f269c08e2db0
- SHA1: d5bee3ddc7a1f98d7f6bf70cd6c559cec1b4690a
- SHA256: 06ba3104a62d7be93356aa9f37347af4e6080e615c36347b6086eaa9a3e4fc2f
- SHA512: 3d58dcda88f0b3ffdf51defda5b53bb1639341978511159c63ee44b5160a477c60420a7da569a5913f63f9b8dc31baa9852055c8d70f7201dadc3a67c0911832
- SSDEEP: 1536:qk7YsdcFjfUXhXAXzXkkcUcks98kMEi76WpPUjHmwDrTO:37YS0ykcUcks98kMEfWJuHm0X
Malware Config
Signatures
- Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
  description: Set value (int)
  ioc: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"
  process: youifeg.exe
- Executes dropped EXE (1 IoC)
  pid: 4268
  process: youifeg.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation
  process: 06ba3104a62d7be93356aa9f37347af4e6080e615c36347b6086eaa9a3e4fc2f.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  1. description: Key created
     ioc: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run\
     process: youifeg.exe
  2. description: Set value (str)
     ioc: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\youifeg = "C:\\Users\\Admin\\youifeg.exe"
     process: youifeg.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid: 4268
  process: youifeg.exe
  (the same pid/process entry is repeated for all 64 IoCs)
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid 3536: 06ba3104a62d7be93356aa9f37347af4e6080e615c36347b6086eaa9a3e4fc2f.exe
  pid 4268: youifeg.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  description | pid | process | procid_target
  PID 3536 wrote to memory of 4268 | 3536 | 06ba3104a62d7be93356aa9f37347af4e6080e615c36347b6086eaa9a3e4fc2f.exe | 83 (3 entries)
  PID 4268 wrote to memory of 3536 | 4268 | youifeg.exe | 82 (the remaining 61 of the 64 entries are identical)
Processes
- C:\Users\Admin\AppData\Local\Temp\06ba3104a62d7be93356aa9f37347af4e6080e615c36347b6086eaa9a3e4fc2f.exe (PID 3536)
  command line: "C:\Users\Admin\AppData\Local\Temp\06ba3104a62d7be93356aa9f37347af4e6080e615c36347b6086eaa9a3e4fc2f.exe"
  - Checks computer location settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\youifeg.exe (PID 4268, child of PID 3536)
    command line: "C:\Users\Admin\youifeg.exe"
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 260KB
  MD5: 5377d977a0b22adf9077c1b2e829354d
  SHA1: 79f1a4b64ac3e5c4195511e0864d6349823746a9
  SHA256: 453b13ec8af0442738ca8582a6ca11b89825a2d6dc56da0a84ad8bd3a6ddcc06
  SHA512: 99eab32b82cf3a159be3b577d35575650aa3b2e30b9d448fc47a3b94e68b6ecf223ded919192e72fe697ee68bc6090dd09a08af2911395bc0df9a7b75e558456