Analysis

  • max time kernel
    160s
  • max time network
    186s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    05/12/2022, 22:05

General

  • Target

    d00b454a2a5992c5e7e56cd81d11a0b8332963845423675d26216e142a7dd1e8.exe

  • Size

    180KB

  • MD5

    c91bc5c6fc0858edaee653ecabc608ed

  • SHA1

    56bc9cf74143be1527085e4a84ab9f4647bf3ccd

  • SHA256

    d00b454a2a5992c5e7e56cd81d11a0b8332963845423675d26216e142a7dd1e8

  • SHA512

    52ca6f827630940d1476160929e7b3a57f6ca91c1fe66b638d57b1f4e339f3af55df49d305955251af59dd15cec6055e502428a728453c65c08410c3ae953e9b

  • SSDEEP

    3072:xHWqSC+y50cm1tnRd5GK/fObT/bGinhssp9nPVmvEfL2co3ZwURmkPiR/+5kS3h:gqSC+Lcm1Dd0K/fObT/bGihssp1VmvE4

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 54 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d00b454a2a5992c5e7e56cd81d11a0b8332963845423675d26216e142a7dd1e8.exe
    "C:\Users\Admin\AppData\Local\Temp\d00b454a2a5992c5e7e56cd81d11a0b8332963845423675d26216e142a7dd1e8.exe"
    1⤵
    • Modifies visibility of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3788
    • C:\Users\Admin\kkjauk.exe
      "C:\Users\Admin\kkjauk.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:4436

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\kkjauk.exe

    Filesize

    180KB

    MD5

    d4e0521b817c627f6789a1b5bf68bca2

    SHA1

    2fed3b20264619216f27240669ec84368066f6ec

    SHA256

    a1d8775afc04e3dbb893fec7cef3b83609cd5d68c9cfc4153c33f5a64e0943ac

    SHA512

    c01d143a7dfd2e8ced46a3cfd0c4d0e70d880d51dfd643a377e13df2df232e77115d934304e31f5f60445af6ecd2da0c11b1aebd1c47b0e296c3305c8e29d59d