Analysis
max time kernel: 62s
max time network: 75s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 24/11/2022, 00:29
Static task: static1
Behavioral task: behavioral1
  Sample: c06f4e5289cde6fd5fd854a09c4d9688ccfbc9b10228ffc5744e1b514ef8ea69.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: c06f4e5289cde6fd5fd854a09c4d9688ccfbc9b10228ffc5744e1b514ef8ea69.exe
  Resource: win10v2004-20221111-en
General
Target: c06f4e5289cde6fd5fd854a09c4d9688ccfbc9b10228ffc5744e1b514ef8ea69.exe
Size: 63KB
MD5: 08388dae31961f3b39cf876837571858
SHA1: 476b940dec0bb73da2b44839b40110d468d35261
SHA256: c06f4e5289cde6fd5fd854a09c4d9688ccfbc9b10228ffc5744e1b514ef8ea69
SHA512: 4d8e4dc7d9c8eebc79550c22f10f4eb69026cf37cb1e2e3b6f5809bf4bf0e89fb15c3d748ec97bc40a3446cc6752423250e33fb4a370da738204cd8d13932950
SSDEEP: 768:TO0EWgIos/JdQm2iE8NUIu0oWsV1qaZIp/Bj7YcRpaSOovHYxtxdve:SLe92iEzGs1stvHYxtHG
Malware Config
Signatures
-
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
  description: Set value (int)
  ioc: \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"
  process: tuozo.exe
-
Executes dropped EXE (1 IoC)
  pid 1616, process tuozo.exe
-
Loads dropped DLL (2 IoCs)
  pid 1784, process c06f4e5289cde6fd5fd854a09c4d9688ccfbc9b10228ffc5744e1b514ef8ea69.exe
  pid 1784, process c06f4e5289cde6fd5fd854a09c4d9688ccfbc9b10228ffc5744e1b514ef8ea69.exe
-
Adds Run key to start application (2 TTPs, 2 IoCs)
  description: Key created
  ioc: \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\
  process: tuozo.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\tuozo = "C:\\Users\\Admin\\tuozo.exe"
  process: tuozo.exe
-
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid 1616, process tuozo.exe
  pid 1616, process tuozo.exe
  pid 1616, process tuozo.exe
  pid 1616, process tuozo.exe
-
Suspicious use of SetWindowsHookEx (2 IoCs)
  pid 1784, process c06f4e5289cde6fd5fd854a09c4d9688ccfbc9b10228ffc5744e1b514ef8ea69.exe
  pid 1616, process tuozo.exe
-
Suspicious use of WriteProcessMemory (10 IoCs)
  description                       pid   process                                                                   procid_target
  PID 1784 wrote to memory of 1616  1784  c06f4e5289cde6fd5fd854a09c4d9688ccfbc9b10228ffc5744e1b514ef8ea69.exe  28
  PID 1784 wrote to memory of 1616  1784  c06f4e5289cde6fd5fd854a09c4d9688ccfbc9b10228ffc5744e1b514ef8ea69.exe  28
  PID 1784 wrote to memory of 1616  1784  c06f4e5289cde6fd5fd854a09c4d9688ccfbc9b10228ffc5744e1b514ef8ea69.exe  28
  PID 1784 wrote to memory of 1616  1784  c06f4e5289cde6fd5fd854a09c4d9688ccfbc9b10228ffc5744e1b514ef8ea69.exe  28
  PID 1616 wrote to memory of 1784  1616  tuozo.exe                                                                 16
  PID 1616 wrote to memory of 1784  1616  tuozo.exe                                                                 16
  PID 1616 wrote to memory of 1784  1616  tuozo.exe                                                                 16
  PID 1616 wrote to memory of 1784  1616  tuozo.exe                                                                 16
  PID 1616 wrote to memory of 1784  1616  tuozo.exe                                                                 16
  PID 1616 wrote to memory of 1784  1616  tuozo.exe                                                                 16
Processes
-
C:\Users\Admin\AppData\Local\Temp\c06f4e5289cde6fd5fd854a09c4d9688ccfbc9b10228ffc5744e1b514ef8ea69.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\c06f4e5289cde6fd5fd854a09c4d9688ccfbc9b10228ffc5744e1b514ef8ea69.exe"
  PID: 1784
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  child process:
  C:\Users\Admin\tuozo.exe
    command line: "C:\Users\Admin\tuozo.exe"
    PID: 1616
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
-
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize: 63KB
MD5: 457eadf104708110627322cba4a5d2be
SHA1: c73544da468cb187eea935beb9a59316eab08aec
SHA256: 821794b8ca0e56fcc4ebb0e169dc07e74ff9f73182324c57cb34694e85745934
SHA512: bd298eb4fa3f2ac6b04ce97541c4c545676218117b3cd21eed72c2ad993d7bb7faf17361cbaa00d223e37fc0e712f8a9a104fa3610d1659e69d0db46760d6893