Analysis
max time kernel: 32s
max time network: 34s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03/11/2022, 21:19
Static task: static1
Behavioral task: behavioral1
Sample: Shade UA/ShadeUA.exe
Resource: win10v2004-20220812-en
6 signatures, 30 seconds
General
Target: Shade UA/ShadeUA.exe
Size: 8.3MB
MD5: cd8ccfd9005253635e6758436a5379ec
SHA1: 57108d2514d72af2d3202b29bf047d61cae36c61
SHA256: 5f342f1acf20d3ae47125c126a5361c202988a8e753b7b9d4d57967808637361
SHA512: 880b26589c36c930c8072034c4b1e190d7adba6a1e1948ccb3d65f8c779a1a2c5e0fe49b0d56d5274790de5763d719ecac979fb9bbc9a18b58d6b22d1760584d
SSDEEP: 196608:i9TjuAcsDBhlucbbqolzvsc7k+UJNxtj8CEqqa:i9TjuAc0qoJhUXnYCi
Score: 7/10
Malware Config
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  description       | ioc                                                                                                   | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | ShadeUA.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  pid | Process
  676 | ShadeUA.exe
  676 | ShadeUA.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid | Process
  676 | ShadeUA.exe
  676 | ShadeUA.exe
  676 | ShadeUA.exe
  676 | ShadeUA.exe
  676 | ShadeUA.exe
  676 | ShadeUA.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid | Process
  676 | ShadeUA.exe

Suspicious use of WriteProcessMemory (2 IoCs)
  description                       | pid | Process     | procid_target
  PID 676 wrote to memory of 1972   | 676 | ShadeUA.exe | 81
  PID 676 wrote to memory of 1972   | 676 | ShadeUA.exe | 81
Processes

1. C:\Users\Admin\AppData\Local\Temp\Shade UA\ShadeUA.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\Shade UA\ShadeUA.exe"
   PID: 676
   - Checks computer location settings
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious behavior: GetForegroundWindowSpam
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\System32\winver.exe (child of PID 676)
      Command line: "C:\Windows\System32\winver.exe"
      PID: 1972