Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    152s
  • max time network
    172s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30/10/2022, 19:40

General

  • Target

    d2780446747f193948833597b296accd2f5ba6032a91da382fb8507fe7859836.exe

  • Size

    80KB

  • MD5

    911f0485df4ebf942351c562e93034b1

  • SHA1

    1ff933fa431144c84b480de739ec5296223ed60b

  • SHA256

    d2780446747f193948833597b296accd2f5ba6032a91da382fb8507fe7859836

  • SHA512

    c234b89ec6c70baa0318421f7ebdcc43b78239a9a52abb164eb218d0b3bd45e3a25df004c7a25cdf1c96872fc2af5790f372e7ffa286319c1cb260bed02fccef

  • SSDEEP

    1536:Q0dqr86g7LWnICOqubrzocTzFJ0T72VpGT:J6dIVqgBTzFJ0T72aT

Score
10/10

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 29 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d2780446747f193948833597b296accd2f5ba6032a91da382fb8507fe7859836.exe
    "C:\Users\Admin\AppData\Local\Temp\d2780446747f193948833597b296accd2f5ba6032a91da382fb8507fe7859836.exe"
    1⤵
    • Modifies visiblity of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:872
    • C:\Users\Admin\ceuitig.exe
      "C:\Users\Admin\ceuitig.exe"
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:1476

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\ceuitig.exe

    Filesize

    80KB

    MD5

    34ca74098e239969e09e7873457f9a62

    SHA1

    062033aca4abc5f867d96868bf24181d8af106ac

    SHA256

    8a8558e77ca6a92d7c5027b479933fb5a7fb6f8ca8b3e635427e2c17ea5cd177

    SHA512

    97db2273acc8f4a65733d2f217d4d3db51ed1432f85533222624d7b93377ffb879d6e24bd17cb8c39519c19d3287a5825b9fb83668d468e1b336403a445a626e

  • C:\Users\Admin\ceuitig.exe

    Filesize

    80KB

    MD5

    34ca74098e239969e09e7873457f9a62

    SHA1

    062033aca4abc5f867d96868bf24181d8af106ac

    SHA256

    8a8558e77ca6a92d7c5027b479933fb5a7fb6f8ca8b3e635427e2c17ea5cd177

    SHA512

    97db2273acc8f4a65733d2f217d4d3db51ed1432f85533222624d7b93377ffb879d6e24bd17cb8c39519c19d3287a5825b9fb83668d468e1b336403a445a626e

  • memory/872-132-0x0000000000400000-0x000000000041D000-memory.dmp

    Filesize

    116KB

  • memory/872-135-0x0000000000400000-0x000000000041D000-memory.dmp

    Filesize

    116KB

  • memory/1476-141-0x0000000000400000-0x000000000041D000-memory.dmp

    Filesize

    116KB

  • memory/1476-142-0x0000000000400000-0x000000000041D000-memory.dmp

    Filesize

    116KB