Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    187s
  • max time network
    187s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05/12/2022, 23:44

General

  • Target

    d24d85b07338f42e59da1b8a03eed81056ce4f68c460c71bd4465df9c11a7d29.exe

  • Size

    132KB

  • MD5

    fc4daf2d5b9c139706cf3e54f44c013a

  • SHA1

    95ed9cec2908a5871a52db68bb49ecdb06ad2677

  • SHA256

    d24d85b07338f42e59da1b8a03eed81056ce4f68c460c71bd4465df9c11a7d29

  • SHA512

    7c7a646f0c46375548ddffde8053c4c48eda2aa0c03ff9fd002a0f34265785c1166cbe3d9f09b424acfedb7f44efe794c6e00a33fabca76a30da8c4f2b1e211f

  • SSDEEP

    1536:qDyYqKEyFqQpfEZYbvCPl+ogEQNkq0ZhEK4YWQb8wVHGN7ZZ7OMiCXxv1oFP:qDybyIQlaYmPkogEZqPkbve7p98P

Score
10/10

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 55 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d24d85b07338f42e59da1b8a03eed81056ce4f68c460c71bd4465df9c11a7d29.exe
    "C:\Users\Admin\AppData\Local\Temp\d24d85b07338f42e59da1b8a03eed81056ce4f68c460c71bd4465df9c11a7d29.exe"
    1⤵
    • Modifies visiblity of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:5080
    • C:\Users\Admin\yqzoow.exe
      "C:\Users\Admin\yqzoow.exe"
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:1620

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\yqzoow.exe

    Filesize

    132KB

    MD5

    1c6ab133717fd35ad4dcfb3a9e9cb75d

    SHA1

    9eade61efcee40f41f19b9bbd15ea2d794e18922

    SHA256

    041d05bbc7f4407443afb01f418a5bdaccc622faf37fd01e15dfcae629a882b6

    SHA512

    4c641aa7ed8c5e9b34022d4f753fcf4778c13d897270b78ee5afa04257dcfb2ca768897aa29bafed66fd588060fc71f7d4737971d158e35ed94ef187468f6fd8

  • C:\Users\Admin\yqzoow.exe

    Filesize

    132KB

    MD5

    1c6ab133717fd35ad4dcfb3a9e9cb75d

    SHA1

    9eade61efcee40f41f19b9bbd15ea2d794e18922

    SHA256

    041d05bbc7f4407443afb01f418a5bdaccc622faf37fd01e15dfcae629a882b6

    SHA512

    4c641aa7ed8c5e9b34022d4f753fcf4778c13d897270b78ee5afa04257dcfb2ca768897aa29bafed66fd588060fc71f7d4737971d158e35ed94ef187468f6fd8