Analysis

  • max time kernel
    151s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29/11/2022, 16:38

General

  • Target

    6ed754dc985b98511d7e49d93a8c07457e6a5105d4b6c81f3fe6173124ea5097.exe

  • Size

    236KB

  • MD5

    bac33ce6e5d69f42eea788f6707223ac

  • SHA1

    36a706324a76bbcf4a1933219ac2bd1ade09f888

  • SHA256

    6ed754dc985b98511d7e49d93a8c07457e6a5105d4b6c81f3fe6173124ea5097

  • SHA512

    e72a72142786c75c220974becd80f9a3853234214874a7b4ae494e623716aac0f1a817a9040bd63de178999c255e09b8e710fbb2125622f536e796a58195a9a3

  • SSDEEP

    3072:V6VlhsJ0Z2svyMZeIT51B8u0gWCyiHCUPqgvs:jSZ2uyMwItf8u0gWCyiHCl

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 29 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6ed754dc985b98511d7e49d93a8c07457e6a5105d4b6c81f3fe6173124ea5097.exe
    "C:\Users\Admin\AppData\Local\Temp\6ed754dc985b98511d7e49d93a8c07457e6a5105d4b6c81f3fe6173124ea5097.exe"
    1⤵
    • Modifies visibility of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:988
    • C:\Users\Admin\siezuor.exe
      "C:\Users\Admin\siezuor.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:5008

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\siezuor.exe

    Filesize

    236KB

    MD5

    83a8e64b007e2bd29935ce7eeeac582d

    SHA1

    ae0089efead569447a2e08077ac0fc17a4e9ec8a

    SHA256

    2fc9c5ae2bc7432b13f9d7d0fd3c5bae1f0604f39a8bd1dd4847e1455fc77219

    SHA512

    ce4bd551bf14784dcd795292e760f0aa316af54de6b3a55ed240676c1790ed54c2ecf908f2f35cf05b59fa2fb8d9102ad2158878bc93a2e210accd0c56ec294d