Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    189s
  • max time network
    189s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02/12/2022, 00:33

General

  • Target

    c5a6d62e7c1129eb0c9eea3f53dc21f7d6fb27ce17631a1a34cdedb2b843c5e7.exe

  • Size

    104KB

  • MD5

    4e328816077504a745143f9588464f10

  • SHA1

    9f556508031efc0aca1d37624db924ff25c35ec8

  • SHA256

    c5a6d62e7c1129eb0c9eea3f53dc21f7d6fb27ce17631a1a34cdedb2b843c5e7

  • SHA512

    18e31600641ffc5c2fe04cef02861cc6a48fdbf41411a5db828a7ef89cb912fc03663119c6c9410fd37ea4062da42fac835e31eb63898b1d1aa083afa4f12880

  • SSDEEP

    1536:3ohvr9fY7ieh6hC3KwTHlyHcw1rqVjSxakAyBGss7oJd:YhTlLehWwTHlyHBQNSxZs7

Score
10/10

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 29 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c5a6d62e7c1129eb0c9eea3f53dc21f7d6fb27ce17631a1a34cdedb2b843c5e7.exe
    "C:\Users\Admin\AppData\Local\Temp\c5a6d62e7c1129eb0c9eea3f53dc21f7d6fb27ce17631a1a34cdedb2b843c5e7.exe"
    1⤵
    • Modifies visiblity of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4244
    • C:\Users\Admin\daesao.exe
      "C:\Users\Admin\daesao.exe"
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:4692

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\daesao.exe

    Filesize

    104KB

    MD5

    7bdfd681147225382929667e68926336

    SHA1

    4c9084e78a10d4a0ea58520e41ddf5b75aaf0743

    SHA256

    0904384db08c1747047b2defd1b3b92251eb275becd2264f9263510c0a83a438

    SHA512

    96992a3f3a6c455284dc0782b43c8a67c4ab0ae93d74b01c0eb4cd3afd40a82790f95c8d692d229828a109d549012e69542633b0e6603fa4db9ea31e7572bcbf

  • C:\Users\Admin\daesao.exe

    Filesize

    104KB

    MD5

    7bdfd681147225382929667e68926336

    SHA1

    4c9084e78a10d4a0ea58520e41ddf5b75aaf0743

    SHA256

    0904384db08c1747047b2defd1b3b92251eb275becd2264f9263510c0a83a438

    SHA512

    96992a3f3a6c455284dc0782b43c8a67c4ab0ae93d74b01c0eb4cd3afd40a82790f95c8d692d229828a109d549012e69542633b0e6603fa4db9ea31e7572bcbf