Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
214s -
max time network
237s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system -
submitted
02/12/2022, 00:22
Static task
static1
Behavioral task
behavioral1
Sample
a3b8da3b0aa1b3c826814dd34675d4711ebdaea548c6f0ab82f3f4fbf0118a7c.exe
Resource
win7-20220812-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
a3b8da3b0aa1b3c826814dd34675d4711ebdaea548c6f0ab82f3f4fbf0118a7c.exe
Resource
win10v2004-20221111-en
windows10-2004-x64
8 signatures
150 seconds
General
-
Target
a3b8da3b0aa1b3c826814dd34675d4711ebdaea548c6f0ab82f3f4fbf0118a7c.exe
-
Size
240KB
-
MD5
3a64fb8501c0a0f95674f693d12732b3
-
SHA1
43aa89702e249652309cabd2a2b0486241af5d4b
-
SHA256
a3b8da3b0aa1b3c826814dd34675d4711ebdaea548c6f0ab82f3f4fbf0118a7c
-
SHA512
b74ddba9c3ad9faeec8b6c117f198a6da37e077409077b6cb64309ff765534564a498b42ef2d957a6f956bdde20a80fc5f0b3433ab5a9c4075bf3307b4f95e0e
-
SSDEEP
3072:+kNuT8j6VlpvBd90i/SmWKLi7CjFSivnfu3fbMdozt5cztt:+F0UGKGkFRKfeoztO
Score
10/10
Malware Config
Signatures
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" a3b8da3b0aa1b3c826814dd34675d4711ebdaea548c6f0ab82f3f4fbf0118a7c.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" taose.exe -
Executes dropped EXE 1 IoCs
pid Process 2900 taose.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation a3b8da3b0aa1b3c826814dd34675d4711ebdaea548c6f0ab82f3f4fbf0118a7c.exe -
Adds Run key to start application 2 TTPs 29 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taose = "C:\\Users\\Admin\\taose.exe /a" taose.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taose = "C:\\Users\\Admin\\taose.exe /z" taose.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taose = "C:\\Users\\Admin\\taose.exe /s" taose.exe Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\Run\ taose.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taose = "C:\\Users\\Admin\\taose.exe /w" taose.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taose = "C:\\Users\\Admin\\taose.exe /t" taose.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taose = "C:\\Users\\Admin\\taose.exe /y" taose.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taose = "C:\\Users\\Admin\\taose.exe /u" taose.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taose = "C:\\Users\\Admin\\taose.exe /j" taose.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taose = "C:\\Users\\Admin\\taose.exe /f" taose.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taose = "C:\\Users\\Admin\\taose.exe /k" taose.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taose = "C:\\Users\\Admin\\taose.exe /i" taose.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taose = "C:\\Users\\Admin\\taose.exe /b" taose.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taose = "C:\\Users\\Admin\\taose.exe /n" taose.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taose = "C:\\Users\\Admin\\taose.exe /o" taose.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taose = "C:\\Users\\Admin\\taose.exe /r" taose.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taose = "C:\\Users\\Admin\\taose.exe /p" taose.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taose = "C:\\Users\\Admin\\taose.exe /v" taose.exe Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\Run\ a3b8da3b0aa1b3c826814dd34675d4711ebdaea548c6f0ab82f3f4fbf0118a7c.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taose = "C:\\Users\\Admin\\taose.exe /x" taose.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taose = "C:\\Users\\Admin\\taose.exe /l" taose.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taose = "C:\\Users\\Admin\\taose.exe /c" taose.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taose = "C:\\Users\\Admin\\taose.exe /g" taose.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taose = "C:\\Users\\Admin\\taose.exe /d" a3b8da3b0aa1b3c826814dd34675d4711ebdaea548c6f0ab82f3f4fbf0118a7c.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taose = "C:\\Users\\Admin\\taose.exe /d" taose.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taose = "C:\\Users\\Admin\\taose.exe /h" taose.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taose = "C:\\Users\\Admin\\taose.exe /m" taose.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taose = "C:\\Users\\Admin\\taose.exe /q" taose.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taose = "C:\\Users\\Admin\\taose.exe /e" taose.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 780 a3b8da3b0aa1b3c826814dd34675d4711ebdaea548c6f0ab82f3f4fbf0118a7c.exe 780 a3b8da3b0aa1b3c826814dd34675d4711ebdaea548c6f0ab82f3f4fbf0118a7c.exe 2900 taose.exe 2900 taose.exe 2900 taose.exe 2900 taose.exe 2900 taose.exe 2900 taose.exe 2900 taose.exe 2900 taose.exe 2900 taose.exe 2900 taose.exe 2900 taose.exe 2900 taose.exe 2900 taose.exe 2900 taose.exe 2900 taose.exe 2900 taose.exe 2900 taose.exe 2900 taose.exe 2900 taose.exe 2900 taose.exe 2900 taose.exe 2900 taose.exe 2900 taose.exe 2900 taose.exe 2900 taose.exe 2900 taose.exe 2900 taose.exe 2900 taose.exe 2900 taose.exe 2900 taose.exe 2900 taose.exe 2900 taose.exe 2900 taose.exe 2900 taose.exe 2900 taose.exe 2900 taose.exe 2900 taose.exe 2900 taose.exe 2900 taose.exe 2900 taose.exe 2900 taose.exe 2900 taose.exe 2900 taose.exe 2900 taose.exe 2900 taose.exe 2900 taose.exe 2900 taose.exe 2900 taose.exe 2900 taose.exe 2900 taose.exe 2900 taose.exe 2900 taose.exe 2900 taose.exe 2900 taose.exe 2900 taose.exe 2900 taose.exe 2900 taose.exe 2900 taose.exe 2900 taose.exe 2900 taose.exe 2900 taose.exe 2900 taose.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 780 a3b8da3b0aa1b3c826814dd34675d4711ebdaea548c6f0ab82f3f4fbf0118a7c.exe 2900 taose.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 780 wrote to memory of 2900 780 a3b8da3b0aa1b3c826814dd34675d4711ebdaea548c6f0ab82f3f4fbf0118a7c.exe 79 PID 780 wrote to memory of 2900 780 a3b8da3b0aa1b3c826814dd34675d4711ebdaea548c6f0ab82f3f4fbf0118a7c.exe 79 PID 780 wrote to memory of 2900 780 a3b8da3b0aa1b3c826814dd34675d4711ebdaea548c6f0ab82f3f4fbf0118a7c.exe 79
Processes
-
C:\Users\Admin\AppData\Local\Temp\a3b8da3b0aa1b3c826814dd34675d4711ebdaea548c6f0ab82f3f4fbf0118a7c.exe"C:\Users\Admin\AppData\Local\Temp\a3b8da3b0aa1b3c826814dd34675d4711ebdaea548c6f0ab82f3f4fbf0118a7c.exe"1⤵
- Modifies visiblity of hidden/system files in Explorer
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:780 -
C:\Users\Admin\taose.exe"C:\Users\Admin\taose.exe"2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2900
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
240KB
MD578f032a51668d314b125bf8b3247642b
SHA188604a9247236c0015bcd8f2472ee62a505d2d87
SHA256cc107db165322c7f670e239ab15ef4a3759bb9cd4ea74265c906fd88bcc8a7c1
SHA5126ac3d1b5390f8f3d4826f0e91b0b597024b847f1976d5b1a1853de75c8ef26417dc1e7790d5b26349d3da25f039856086ed903b50d86d1f2e9f3b0ec0245262f
-
Filesize
240KB
MD578f032a51668d314b125bf8b3247642b
SHA188604a9247236c0015bcd8f2472ee62a505d2d87
SHA256cc107db165322c7f670e239ab15ef4a3759bb9cd4ea74265c906fd88bcc8a7c1
SHA5126ac3d1b5390f8f3d4826f0e91b0b597024b847f1976d5b1a1853de75c8ef26417dc1e7790d5b26349d3da25f039856086ed903b50d86d1f2e9f3b0ec0245262f