Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 154s
max time network: 180s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29/11/2022, 17:08
Static task: static1
Behavioral task: behavioral1
  Sample: c012f53dd959f7525def5990b132e55c73c5f288eb1cbeb75fe40451e50831dc.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: c012f53dd959f7525def5990b132e55c73c5f288eb1cbeb75fe40451e50831dc.exe
  Resource: win10v2004-20221111-en
General
Target: c012f53dd959f7525def5990b132e55c73c5f288eb1cbeb75fe40451e50831dc.exe
Size: 192KB
MD5: 49a66d018b361cad503fb8c8a170ebd2
SHA1: c631df32bf1047b157648f3ec738633041f1016e
SHA256: c012f53dd959f7525def5990b132e55c73c5f288eb1cbeb75fe40451e50831dc
SHA512: 1a34efeda1e7ddd1dac8595584d9896777ff15fd0ea4982ca5d93f8506578bba44d02f2a24a154a922ef46d0be4a76100e1695bce5b6d240adec3948d0d181a1
SSDEEP: 3072:rtrZuCWv2JQcFBKBJy6apbuD2VMbj1hlUyw/1obo:rzBWvUFIJlapu2V21r/Y
Malware Config
Signatures
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | souzeul.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | c012f53dd959f7525def5990b132e55c73c5f288eb1cbeb75fe40451e50831dc.exe
Executes dropped EXE (1 IoC)
pid | process
4140 | souzeul.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation | c012f53dd959f7525def5990b132e55c73c5f288eb1cbeb75fe40451e50831dc.exe
Adds Run key to start application (2 TTPs, 45 IoCs)
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\Run\ | c012f53dd959f7525def5990b132e55c73c5f288eb1cbeb75fe40451e50831dc.exe
Key created | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\Run\ | souzeul.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\souzeul = "C:\\Users\\Admin\\souzeul.exe /Q" | c012f53dd959f7525def5990b132e55c73c5f288eb1cbeb75fe40451e50831dc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\souzeul = "C:\\Users\\Admin\\souzeul.exe /<switch>" | souzeul.exe
The last row stands for 42 rows written by souzeul.exe that differ only in the single-letter switch; the switches observed are /a /B /b /C /c /D /d /E /e /F /f /G /H /I /J /j /k /L /l /M /m /n /o /P /p /Q /q /R /r /T /t /U /u /V /v /W /w /x /Y /y /Z /z. The value name and the target path never change; only the argument does.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | process
2704 | c012f53dd959f7525def5990b132e55c73c5f288eb1cbeb75fe40451e50831dc.exe (2 rows)
4140 | souzeul.exe (62 rows)
Suspicious use of SetWindowsHookEx (2 IoCs)
pid | process
2704 | c012f53dd959f7525def5990b132e55c73c5f288eb1cbeb75fe40451e50831dc.exe
4140 | souzeul.exe
Suspicious use of WriteProcessMemory (3 IoCs)
description | pid | process | procid_target
PID 2704 wrote to memory of 4140 | 2704 | c012f53dd959f7525def5990b132e55c73c5f288eb1cbeb75fe40451e50831dc.exe | 86
PID 2704 wrote to memory of 4140 | 2704 | c012f53dd959f7525def5990b132e55c73c5f288eb1cbeb75fe40451e50831dc.exe | 86
PID 2704 wrote to memory of 4140 | 2704 | c012f53dd959f7525def5990b132e55c73c5f288eb1cbeb75fe40451e50831dc.exe | 86
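The three registry signatures above (a Run value pointing at an executable in the user-profile root that is rewritten with a different single-letter switch on every run, ShowSuperHidden forced to 0, and the Geo\Nation lookup) translate directly into hunting logic. The block below is an added example written for this page; it is not Triage output and not code from the sample. It runs over constructed events modelled on the report's rows plus two constructed benign controls (a OneDrive autostart and explorer.exe writing ShowSuperHidden itself); the rule names, weights and threshold are assumptions. Triage prints the value data with doubled backslashes, whereas the rows here use the single backslashes the registry actually holds.

```python
import re
from collections import defaultdict

# Constructed sample events modelled on the registry rows in this report; not sandbox output.
SID = "S-1-5-21-2386679933-1492765628-3466841596-1000"
HKU = "\\REGISTRY\\USER\\" + SID
SAMPLE = "c012f53dd959f7525def5990b132e55c73c5f288eb1cbeb75fe40451e50831dc.exe"
RUN = HKU + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
ADVANCED = HKU + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced"

# (operation, key path, value data or None, process), matching the report's table columns.
EVENTS = [
    ("Set value (int)", ADVANCED + r"\ShowSuperHidden", "0", "souzeul.exe"),
    ("Key value queried", HKU + r"\Control Panel\International\Geo\Nation", None, SAMPLE),
    ("Key created", RUN + "\\", None, SAMPLE),
    ("Set value (str)", RUN + r"\souzeul", r"C:\Users\Admin\souzeul.exe /Q", SAMPLE),
    ("Set value (str)", RUN + r"\souzeul", r"C:\Users\Admin\souzeul.exe /W", "souzeul.exe"),
    ("Set value (str)", RUN + r"\souzeul", r"C:\Users\Admin\souzeul.exe /y", "souzeul.exe"),
    # Constructed benign controls (assumed, not from the report): a normal autostart under
    # AppData, and explorer.exe writing ShowSuperHidden when a user toggles Folder Options.
    ("Set value (str)", RUN + r"\OneDrive",
     r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background', "OneDrive.exe"),
    ("Set value (int)", ADVANCED + r"\ShowSuperHidden", "0", "explorer.exe"),
]

# Run value whose target executable sits directly in the user-profile root. Quotes are
# optional and the single-letter switch is optional, because the sample rewrites the
# value with a different letter each time; keying on the argument would miss it.
PROFILE_ROOT_EXE = re.compile(
    r'^"?[A-Za-z]:\\Users\\[^\\"]+\\[^\\"]+\.exe"?(?:\s+/[A-Za-z])?\s*$', re.IGNORECASE)
RUN_VALUE = re.compile(r"\\CurrentVersion\\Run\\[^\\]+$", re.IGNORECASE)

# Assumed weights: Run persistence is the strongest single indicator here.
WEIGHTS = {
    "run_value_profile_root_exe": 3,
    "showsuperhidden_written_by_non_explorer": 2,
    "geo_nation_lookup": 1,
}


def check_event(op, path, data, proc):
    """Names of the rules one registry event fires; empty list if nothing fires."""
    hits = []
    low = path.lower()
    if op.startswith("Set value") and RUN_VALUE.search(path) and PROFILE_ROOT_EXE.match(data or ""):
        hits.append("run_value_profile_root_exe")
    if op.startswith("Set value") and low.endswith(r"\explorer\advanced\showsuperhidden"):
        # 0 is the Windows default, so the value alone is noise; the signal is something
        # other than explorer.exe (the Folder Options UI) forcing it.
        if data == "0" and proc.lower() != "explorer.exe":
            hits.append("showsuperhidden_written_by_non_explorer")
    if op == "Key value queried" and low.endswith(r"\control panel\international\geo\nation"):
        # Typical of geofenced malware but also read by legitimate software; low weight.
        hits.append("geo_nation_lookup")
    return hits


def score_processes(events):
    """Distinct rules fired per process and their summed weight (duplicate rows count once)."""
    fired = defaultdict(set)
    for op, path, data, proc in events:
        fired[proc].update(check_event(op, path, data, proc))
    return {p: {"rules": sorted(r), "score": sum(WEIGHTS[n] for n in r)}
            for p, r in fired.items() if r}


def verdict(events, threshold=3):
    """Processes whose summed weight reaches the threshold, sorted by name."""
    return sorted(p for p, v in score_processes(events).items() if v["score"] >= threshold)


if __name__ == "__main__":
    for proc, info in score_processes(EVENTS).items():
        print(f"{proc}: score={info['score']} rules={info['rules']}")
    print("flagged:", verdict(EVENTS))
```

The same logic ports to a Sysmon EventID 13 (RegistryEvent SetValue) search: filter TargetObject on `\CurrentVersion\Run\` and test Details against the profile-root pattern, then join with ShowSuperHidden writes by the same Image. Scoring distinct rules rather than raw rows keeps the 42 repeated Run writes from dominating the score.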
Processes
Depth 1: C:\Users\Admin\AppData\Local\Temp\c012f53dd959f7525def5990b132e55c73c5f288eb1cbeb75fe40451e50831dc.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\c012f53dd959f7525def5990b132e55c73c5f288eb1cbeb75fe40451e50831dc.exe"
  PID: 2704
  - Modifies visibility of hidden/system files in Explorer
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Depth 2 (child of PID 2704): C:\Users\Admin\souzeul.exe
    command line: "C:\Users\Admin\souzeul.exe"
    PID: 4140
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 192KB
MD5: 2ced7154d514e3f3af7efdc403d79084
SHA1: ae03b54f431f311f4971a43564588b702daced4b
SHA256: 992ee5ba62db2aa50fd790b77921f99431dbc6c6fb44758505883139a63d7f76
SHA512: 907e4b52af292c33a37d45ebd0c988b84b2e49f65c6262362bdebf8a4766321e2684a4e8ddaf829bc08ce2fae5b3bd7f15a1c05e7e7fe6e6ed78301df9ad586d