Analysis

  • max time kernel
    172s
  • max time network
    190s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    05/12/2022, 23:37

General

  • Target

    0a9d62e0a060fbca14cc2ae0e831ae53fa39174e8e11fac9b0640bbae51b67d6.exe

  • Size

    176KB

  • MD5

    10ccb9e857904b3d0e4eae778ba37e44

  • SHA1

    0088267f4d5d89114195dbcaff265f9affe76a42

  • SHA256

    0a9d62e0a060fbca14cc2ae0e831ae53fa39174e8e11fac9b0640bbae51b67d6

  • SHA512

    8b3b8f6a47faa07304f703e9f866eceec487708cbb8c2b18311e5a7e0e049f33ab0cd7871790cdab63728b14519ae53bac21c4312a10201ccd33de89747a5b8c

  • SSDEEP

    3072:Wk4IcfpHlp1DbKcwjIU2aTObcpT/pHkEAbN/yK/fObT/bGiCV/COqoSQ3iBuAZds:b4PfpHlp1vKcwjIDaTObcZ/pHkMK/fOc

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 55 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0a9d62e0a060fbca14cc2ae0e831ae53fa39174e8e11fac9b0640bbae51b67d6.exe
    "C:\Users\Admin\AppData\Local\Temp\0a9d62e0a060fbca14cc2ae0e831ae53fa39174e8e11fac9b0640bbae51b67d6.exe"
    1⤵
    • Modifies visibility of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4292
    • C:\Users\Admin\zuizi.exe
      "C:\Users\Admin\zuizi.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:4800

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\zuizi.exe

    Filesize

    176KB

    MD5

    3e8b54d2670b875d191fc39a73fdee86

    SHA1

    bc8e2b561c870781110db3d470b2d8f24b26825d

    SHA256

    4a718cca5d43edcf9776b0e2a957a4863b3e253111d41fba4217e4835f99f5bc

    SHA512

    f6a12a58c3013168682fa63854d8bd48b01b8afa2164bfef6ec95c8493133600004e0f9a18665faf1190c2634ff1b1b9681551ce05875aaf8ff8d58ff913e88f
