Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    188s
  • max time network
    173s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29/11/2022, 16:54

General

  • Target

    e306d22a41874c9e866d8d4d61b5d9cdf44362354060bea5d7b412ab81345d45.exe

  • Size

    140KB

  • MD5

    50bead83e8f0f59c754333c346ddc533

  • SHA1

    28b4e8740e7d3b3294ef07d122b3d924ffc159d3

  • SHA256

    e306d22a41874c9e866d8d4d61b5d9cdf44362354060bea5d7b412ab81345d45

  • SHA512

    ae28877ac35f0ba3651fa9a0ff3c46486afc2c7f80eba8ec7c80ceae5afea1d3790cde5256c2c8db96c34962045ba8e2f65a1964e736de6bad18f2629fd474fd

  • SSDEEP

    1536:Mu04r4SNyLV4Ji2+6wl4fAsyCsJ2AyJOSfNifNuzyW14oQ/hKeXsjEFiKuhu:fiCi2+6CXfCZAyJH1i1uzD4oQZiEkfhu

Score
10/10

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 55 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e306d22a41874c9e866d8d4d61b5d9cdf44362354060bea5d7b412ab81345d45.exe
    "C:\Users\Admin\AppData\Local\Temp\e306d22a41874c9e866d8d4d61b5d9cdf44362354060bea5d7b412ab81345d45.exe"
    1⤵
    • Modifies visiblity of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2136
    • C:\Users\Admin\puaarep.exe
      "C:\Users\Admin\puaarep.exe"
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:3700

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\puaarep.exe

    Filesize

    140KB

    MD5

    73bc0e23823ef2e9506ec9e4573355c3

    SHA1

    59138ad372dc0513c051d5bce7343e7344a6f023

    SHA256

    697d19d935814a46b21f8919f7d7545e0ae8eaa552a882aca2300d99a494d98e

    SHA512

    213e1cfcba23f1b5efc0945079467edb855faacf96d1841a881dc82e2c063edf4d485099708f0e638cbf331f39848465399d314736d37af1793251e2288a626e

  • C:\Users\Admin\puaarep.exe

    Filesize

    140KB

    MD5

    73bc0e23823ef2e9506ec9e4573355c3

    SHA1

    59138ad372dc0513c051d5bce7343e7344a6f023

    SHA256

    697d19d935814a46b21f8919f7d7545e0ae8eaa552a882aca2300d99a494d98e

    SHA512

    213e1cfcba23f1b5efc0945079467edb855faacf96d1841a881dc82e2c063edf4d485099708f0e638cbf331f39848465399d314736d37af1793251e2288a626e