Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

Shade UA/ShadeUA.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    32s
  • max time network
    34s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/11/2022, 21:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Shade UA/ShadeUA.exe

  • Size

    8.3MB

  • MD5

    cd8ccfd9005253635e6758436a5379ec

  • SHA1

    57108d2514d72af2d3202b29bf047d61cae36c61

  • SHA256

    5f342f1acf20d3ae47125c126a5361c202988a8e753b7b9d4d57967808637361

  • SHA512

    880b26589c36c930c8072034c4b1e190d7adba6a1e1948ccb3d65f8c779a1a2c5e0fe49b0d56d5274790de5763d719ecac979fb9bbc9a18b58d6b22d1760584d

  • SSDEEP

    196608:i9TjuAcsDBhlucbbqolzvsc7k+UJNxtj8CEqqa:i9TjuAc0qoJhUXnYCi

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Shade UA\ShadeUA.exe
    "C:\Users\Admin\AppData\Local\Temp\Shade UA\ShadeUA.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:676
    • C:\Windows\System32\winver.exe
      "C:\Windows\System32\winver.exe"
      2⤵
        PID:1972

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/676-132-0x00007FF620EC0000-0x00007FF621EA2000-memory.dmp

      Filesize

      15.9MB

      Download

    • memory/676-136-0x00007FF620EC0000-0x00007FF621EA2000-memory.dmp

      Filesize

      15.9MB

      Download

    • memory/676-138-0x00007FF620EC0000-0x00007FF621EA2000-memory.dmp

      Filesize

      15.9MB

      Download