Analysis

max time kernel: 155s
max time network: 174s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/12/2022, 00:49

Static task: static1

Behavioral task: behavioral1
Sample: ad949729f2ea8716139567039aabd284db75b0ee839e325022fbfdb556c5fe4b.exe
Resource: win7-20221111-en

Behavioral task: behavioral2
Sample: ad949729f2ea8716139567039aabd284db75b0ee839e325022fbfdb556c5fe4b.exe
Resource: win10v2004-20220812-en
General

Target: ad949729f2ea8716139567039aabd284db75b0ee839e325022fbfdb556c5fe4b.exe
Size: 111KB
MD5: 00908632ea7dd0bbee337cfbcd770c50
SHA1: 6ade76f7eaa1ce8e1d43fd5784d1ee2c4600e8ad
SHA256: ad949729f2ea8716139567039aabd284db75b0ee839e325022fbfdb556c5fe4b
SHA512: 31fe8b0ccf44a63b6491e134fbfa4c7183b3dc8ddeae808e0523aab9a38194df113156e41f8b9d65b9dc49deb8ffcd0357d95583322f0f4eefd136e2c60d4604
SSDEEP: 768:sduwfCcDlgcjlNqe9PP34DGltCJWx+7AppL4zG4dslM8lP+wgG0SXdkUr9AeXU7C:sdFrflR93lN+aLHM8WSXjyi
Malware Config
Signatures

Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | yuepin.exe

Executes dropped EXE (1 IoC)
pid | Process
804 | yuepin.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | ad949729f2ea8716139567039aabd284db75b0ee839e325022fbfdb556c5fe4b.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run\ | yuepin.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yuepin = "C:\\Users\\Admin\\yuepin.exe" | yuepin.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (1 IoC)
pid | pid_target | Process | procid_target
1792 | 4120 | WerFault.exe | 79

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
804 | yuepin.exe (the same row is recorded 64 times)

Suspicious use of SetWindowsHookEx (2 IoCs)
pid | Process
4120 | ad949729f2ea8716139567039aabd284db75b0ee839e325022fbfdb556c5fe4b.exe
804 | yuepin.exe

Suspicious use of WriteProcessMemory (64 IoCs; identical rows collapsed, with the number of occurrences in the last column)
description | pid | Process | procid_target | rows
PID 4120 wrote to memory of 804 | 4120 | ad949729f2ea8716139567039aabd284db75b0ee839e325022fbfdb556c5fe4b.exe | 80 | 3
PID 804 wrote to memory of 4120 | 804 | yuepin.exe | 79 | 32
PID 804 wrote to memory of 1792 | 804 | yuepin.exe | 83 | 29
Processes

C:\Users\Admin\AppData\Local\Temp\ad949729f2ea8716139567039aabd284db75b0ee839e325022fbfdb556c5fe4b.exe (PID 4120)
  command line: "C:\Users\Admin\AppData\Local\Temp\ad949729f2ea8716139567039aabd284db75b0ee839e325022fbfdb556c5fe4b.exe"
  - Checks computer location settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\yuepin.exe (PID 804)
      command line: "C:\Users\Admin\yuepin.exe"
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WerFault.exe (PID 1792)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4120 -s 1504
      - Program crash

C:\Windows\SysWOW64\WerFault.exe (PID 4500)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4120 -ip 4120
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 111KB
MD5: 5581f953fdc4f054159b18d8e9838f8f
SHA1: 810befe2a55613f6fe23ca642fdafa161b653e8f
SHA256: fedd538fca63ce543f89c615a2c6fee240a0a1499875e53896f382c577f8de08
SHA512: 7ec54e4276ced9d431ba9c67011c4f0846b7c4d8563b93934e91cc0465704132dbc6c78ea4aab3f8ed78836999c8bb9f28ed70f5956fa069849d567aa1f19959