
Analysis

  • max time kernel
    178s
  • max time network
    188s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02/12/2022, 19:21

General

  • Target

    4301f2da20e2192cb3a00112729b682ddcf25ea440bfc722c3bfb1c4374ddd6d.exe

  • Size

    312KB

  • MD5

    84d65de2ca814f876895c8f14b5da4ae

  • SHA1

    e370b58654dac7dc240ed5e9623ff23383978318

  • SHA256

    4301f2da20e2192cb3a00112729b682ddcf25ea440bfc722c3bfb1c4374ddd6d

  • SHA512

    f4f5df054712844b9319bce3d68aeb00e3a2bd62c49b3f4d66b3f0963c58aae976ecbc1b1c86cefe239c45678e808d45b324410083d461e0987d91c291aa4282

  • SSDEEP

    6144:MX7+TAvTlIpr1f+XqO5aOmSGFDbeOjLPmUagn:++UTlIB1f+55SpNPmU/n

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 29 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4301f2da20e2192cb3a00112729b682ddcf25ea440bfc722c3bfb1c4374ddd6d.exe
    "C:\Users\Admin\AppData\Local\Temp\4301f2da20e2192cb3a00112729b682ddcf25ea440bfc722c3bfb1c4374ddd6d.exe"
    1⤵
    • Modifies visibility of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4768
    • C:\Users\Admin\duegaod.exe
      "C:\Users\Admin\duegaod.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:4300

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\duegaod.exe

    Filesize

    312KB

    MD5

    8a5b7fce4e5839e6a396ecf2c7ce47ab

    SHA1

    e0e0cad18d286282b5434e75a03b866c4a7968eb

    SHA256

    7647fad24a965fde602f64268f4610cf4c8700ae6a5fafa20b0b71efb1f2ff24

    SHA512

    115c0c8197e7b9f76da505bc58417be17ab366a5be5cacf550876f56f803f9b210d5c77289596a1ad89bea7b856e18e519e5dd9eb9e18e3de5747176a4dd840f