Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
151s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
06/11/2022, 15:14
Static task
static1
Behavioral task
behavioral1
Sample
0edcbb300e24c70e14717d0ea33ea46ed49636b70f9e1dde85bc75b652c683e7.exe
Resource
win7-20220812-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
0edcbb300e24c70e14717d0ea33ea46ed49636b70f9e1dde85bc75b652c683e7.exe
Resource
win10v2004-20220812-en
windows10-2004-x64
8 signatures
150 seconds
General
-
Target
0edcbb300e24c70e14717d0ea33ea46ed49636b70f9e1dde85bc75b652c683e7.exe
-
Size
212KB
-
MD5
0cdd1e423313376c9bf60e364716bfb0
-
SHA1
abf926def7f9d2bd6586c42f6110a06410b56dac
-
SHA256
0edcbb300e24c70e14717d0ea33ea46ed49636b70f9e1dde85bc75b652c683e7
-
SHA512
8575ab627212634f017ac6508f38e24a3ba8079e97c0f76e0b5675eba9c6947f2828228d26f5a9214be4e92be9ed2dadb9ecb51704b4827f14c9b3469bc7ffdf
-
SSDEEP
6144:dO2OG4GkabKnvmb7/D26s7olvW47imsG7CgHE9roWkw8e5SG:dOvP5abKnvmb7/D26l7jsGegHECRPG
Score
10/10
Malware Config
Signatures
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" niuvaa.exe Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" 0edcbb300e24c70e14717d0ea33ea46ed49636b70f9e1dde85bc75b652c683e7.exe -
Executes dropped EXE 1 IoCs
pid Process 1424 niuvaa.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation 0edcbb300e24c70e14717d0ea33ea46ed49636b70f9e1dde85bc75b652c683e7.exe -
Adds Run key to start application 2 TTPs 53 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\niuvaa = "C:\\Users\\Admin\\niuvaa.exe /k" niuvaa.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\niuvaa = "C:\\Users\\Admin\\niuvaa.exe /K" niuvaa.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\niuvaa = "C:\\Users\\Admin\\niuvaa.exe /T" niuvaa.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\niuvaa = "C:\\Users\\Admin\\niuvaa.exe /w" niuvaa.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\niuvaa = "C:\\Users\\Admin\\niuvaa.exe /M" niuvaa.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\niuvaa = "C:\\Users\\Admin\\niuvaa.exe /Z" niuvaa.exe Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run\ niuvaa.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\niuvaa = "C:\\Users\\Admin\\niuvaa.exe /v" niuvaa.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\niuvaa = "C:\\Users\\Admin\\niuvaa.exe /W" niuvaa.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\niuvaa = "C:\\Users\\Admin\\niuvaa.exe /S" niuvaa.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\niuvaa = "C:\\Users\\Admin\\niuvaa.exe /P" niuvaa.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\niuvaa = "C:\\Users\\Admin\\niuvaa.exe /G" niuvaa.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\niuvaa = "C:\\Users\\Admin\\niuvaa.exe /Q" niuvaa.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\niuvaa = "C:\\Users\\Admin\\niuvaa.exe /V" niuvaa.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\niuvaa = "C:\\Users\\Admin\\niuvaa.exe /B" niuvaa.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\niuvaa = "C:\\Users\\Admin\\niuvaa.exe /f" niuvaa.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\niuvaa = "C:\\Users\\Admin\\niuvaa.exe /U" niuvaa.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\niuvaa = "C:\\Users\\Admin\\niuvaa.exe /C" niuvaa.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\niuvaa = "C:\\Users\\Admin\\niuvaa.exe /X" niuvaa.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\niuvaa = "C:\\Users\\Admin\\niuvaa.exe /R" niuvaa.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\niuvaa = "C:\\Users\\Admin\\niuvaa.exe /a" niuvaa.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\niuvaa = "C:\\Users\\Admin\\niuvaa.exe /g" niuvaa.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\niuvaa = "C:\\Users\\Admin\\niuvaa.exe /J" niuvaa.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\niuvaa = "C:\\Users\\Admin\\niuvaa.exe /o" niuvaa.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\niuvaa = "C:\\Users\\Admin\\niuvaa.exe /c" niuvaa.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\niuvaa = "C:\\Users\\Admin\\niuvaa.exe /l" niuvaa.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\niuvaa = "C:\\Users\\Admin\\niuvaa.exe /A" niuvaa.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\niuvaa = "C:\\Users\\Admin\\niuvaa.exe /N" niuvaa.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\niuvaa = "C:\\Users\\Admin\\niuvaa.exe /v" 0edcbb300e24c70e14717d0ea33ea46ed49636b70f9e1dde85bc75b652c683e7.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\niuvaa = "C:\\Users\\Admin\\niuvaa.exe /b" niuvaa.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\niuvaa = "C:\\Users\\Admin\\niuvaa.exe /F" niuvaa.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\niuvaa = "C:\\Users\\Admin\\niuvaa.exe /i" niuvaa.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\niuvaa = "C:\\Users\\Admin\\niuvaa.exe /D" niuvaa.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\niuvaa = "C:\\Users\\Admin\\niuvaa.exe /L" niuvaa.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\niuvaa = "C:\\Users\\Admin\\niuvaa.exe /H" niuvaa.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\niuvaa = "C:\\Users\\Admin\\niuvaa.exe /e" niuvaa.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\niuvaa = "C:\\Users\\Admin\\niuvaa.exe /p" niuvaa.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\niuvaa = "C:\\Users\\Admin\\niuvaa.exe /s" niuvaa.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\niuvaa = "C:\\Users\\Admin\\niuvaa.exe /E" niuvaa.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\niuvaa = "C:\\Users\\Admin\\niuvaa.exe /m" niuvaa.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\niuvaa = "C:\\Users\\Admin\\niuvaa.exe /q" niuvaa.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\niuvaa = "C:\\Users\\Admin\\niuvaa.exe /n" niuvaa.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\niuvaa = "C:\\Users\\Admin\\niuvaa.exe /j" niuvaa.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\niuvaa = "C:\\Users\\Admin\\niuvaa.exe /r" niuvaa.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\niuvaa = "C:\\Users\\Admin\\niuvaa.exe /x" niuvaa.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\niuvaa = "C:\\Users\\Admin\\niuvaa.exe /I" niuvaa.exe Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run\ 0edcbb300e24c70e14717d0ea33ea46ed49636b70f9e1dde85bc75b652c683e7.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\niuvaa = "C:\\Users\\Admin\\niuvaa.exe /Y" niuvaa.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\niuvaa = "C:\\Users\\Admin\\niuvaa.exe /d" niuvaa.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\niuvaa = "C:\\Users\\Admin\\niuvaa.exe /y" niuvaa.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\niuvaa = "C:\\Users\\Admin\\niuvaa.exe /O" niuvaa.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\niuvaa = "C:\\Users\\Admin\\niuvaa.exe /u" niuvaa.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\niuvaa = "C:\\Users\\Admin\\niuvaa.exe /t" niuvaa.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4692 0edcbb300e24c70e14717d0ea33ea46ed49636b70f9e1dde85bc75b652c683e7.exe 4692 0edcbb300e24c70e14717d0ea33ea46ed49636b70f9e1dde85bc75b652c683e7.exe 1424 niuvaa.exe 1424 niuvaa.exe 1424 niuvaa.exe 1424 niuvaa.exe 1424 niuvaa.exe 1424 niuvaa.exe 1424 niuvaa.exe 1424 niuvaa.exe 1424 niuvaa.exe 1424 niuvaa.exe 1424 niuvaa.exe 1424 niuvaa.exe 1424 niuvaa.exe 1424 niuvaa.exe 1424 niuvaa.exe 1424 niuvaa.exe 1424 niuvaa.exe 1424 niuvaa.exe 1424 niuvaa.exe 1424 niuvaa.exe 1424 niuvaa.exe 1424 niuvaa.exe 1424 niuvaa.exe 1424 niuvaa.exe 1424 niuvaa.exe 1424 niuvaa.exe 1424 niuvaa.exe 1424 niuvaa.exe 1424 niuvaa.exe 1424 niuvaa.exe 1424 niuvaa.exe 1424 niuvaa.exe 1424 niuvaa.exe 1424 niuvaa.exe 1424 niuvaa.exe 1424 niuvaa.exe 1424 niuvaa.exe 1424 niuvaa.exe 1424 niuvaa.exe 1424 niuvaa.exe 1424 niuvaa.exe 1424 niuvaa.exe 1424 niuvaa.exe 1424 niuvaa.exe 1424 niuvaa.exe 1424 niuvaa.exe 1424 niuvaa.exe 1424 niuvaa.exe 1424 niuvaa.exe 1424 niuvaa.exe 1424 niuvaa.exe 1424 niuvaa.exe 1424 niuvaa.exe 1424 niuvaa.exe 1424 niuvaa.exe 1424 niuvaa.exe 1424 niuvaa.exe 1424 niuvaa.exe 1424 niuvaa.exe 1424 niuvaa.exe 1424 niuvaa.exe 1424 niuvaa.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 4692 0edcbb300e24c70e14717d0ea33ea46ed49636b70f9e1dde85bc75b652c683e7.exe 1424 niuvaa.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 4692 wrote to memory of 1424 4692 0edcbb300e24c70e14717d0ea33ea46ed49636b70f9e1dde85bc75b652c683e7.exe 79 PID 4692 wrote to memory of 1424 4692 0edcbb300e24c70e14717d0ea33ea46ed49636b70f9e1dde85bc75b652c683e7.exe 79 PID 4692 wrote to memory of 1424 4692 0edcbb300e24c70e14717d0ea33ea46ed49636b70f9e1dde85bc75b652c683e7.exe 79
Processes
-
C:\Users\Admin\AppData\Local\Temp\0edcbb300e24c70e14717d0ea33ea46ed49636b70f9e1dde85bc75b652c683e7.exe"C:\Users\Admin\AppData\Local\Temp\0edcbb300e24c70e14717d0ea33ea46ed49636b70f9e1dde85bc75b652c683e7.exe"1⤵
- Modifies visiblity of hidden/system files in Explorer
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4692 -
C:\Users\Admin\niuvaa.exe"C:\Users\Admin\niuvaa.exe"2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1424
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
212KB
MD5acd37622ad3476cd9d331d99ac701f45
SHA1af7630ca79fa7e0bd4402dc663291177ff268455
SHA256d0ff837e6e6198b3db377d883ac4c0c6af37721c7d013cb392068f974e655ada
SHA512501a45c6d29d0441d52aa92d446a7d6f9769ea20d0dc1cabf491ed9de1cf5a30d04b30b68cc2d288b381b0b5ea1a97cfc43817cfcfe961a5aeace21a314f2f84
-
Filesize
212KB
MD5acd37622ad3476cd9d331d99ac701f45
SHA1af7630ca79fa7e0bd4402dc663291177ff268455
SHA256d0ff837e6e6198b3db377d883ac4c0c6af37721c7d013cb392068f974e655ada
SHA512501a45c6d29d0441d52aa92d446a7d6f9769ea20d0dc1cabf491ed9de1cf5a30d04b30b68cc2d288b381b0b5ea1a97cfc43817cfcfe961a5aeace21a314f2f84