Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
154s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
05/12/2022, 23:49
Static task
static1
Behavioral task
behavioral1
Sample
2398a99d8766354950191ce026b6f8033c76b13492b6d60918ac877a52db37bf.exe
Resource
win7-20220812-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
2398a99d8766354950191ce026b6f8033c76b13492b6d60918ac877a52db37bf.exe
Resource
win10v2004-20220812-en
windows10-2004-x64
8 signatures
150 seconds
General
-
Target
2398a99d8766354950191ce026b6f8033c76b13492b6d60918ac877a52db37bf.exe
-
Size
264KB
-
MD5
fe731c79b7e8c7aa78295389bf6388f9
-
SHA1
588f8cfb72604bce9dc73a0ed8db91fbffe7d042
-
SHA256
2398a99d8766354950191ce026b6f8033c76b13492b6d60918ac877a52db37bf
-
SHA512
a240fb4a44c8ec8eb43b0d3ae7df259a6e21aef0076683e4f8994fe52259b626ce74c682377566430fccd1d4b5304fc30d752f6a13691dfb07adf10dfdc22c93
-
SSDEEP
3072:Gv3KfbT7o0CX1xZnMIYS3EQqG+vfK5SbwyMtvb0vOkuCE/H/MZpOSKemKmD:/Wnk+qG+vfK5Gwy+Yvwfa25D
Score
10/10
Malware Config
Signatures
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" 2398a99d8766354950191ce026b6f8033c76b13492b6d60918ac877a52db37bf.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" tuoxu.exe -
Executes dropped EXE 1 IoCs
pid Process 3008 tuoxu.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation 2398a99d8766354950191ce026b6f8033c76b13492b6d60918ac877a52db37bf.exe -
Adds Run key to start application 2 TTPs 26 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tuoxu = "C:\\Users\\Admin\\tuoxu.exe /m" tuoxu.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tuoxu = "C:\\Users\\Admin\\tuoxu.exe /y" tuoxu.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tuoxu = "C:\\Users\\Admin\\tuoxu.exe /b" tuoxu.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tuoxu = "C:\\Users\\Admin\\tuoxu.exe /p" 2398a99d8766354950191ce026b6f8033c76b13492b6d60918ac877a52db37bf.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tuoxu = "C:\\Users\\Admin\\tuoxu.exe /w" tuoxu.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tuoxu = "C:\\Users\\Admin\\tuoxu.exe /k" tuoxu.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tuoxu = "C:\\Users\\Admin\\tuoxu.exe /c" tuoxu.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tuoxu = "C:\\Users\\Admin\\tuoxu.exe /f" tuoxu.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tuoxu = "C:\\Users\\Admin\\tuoxu.exe /q" tuoxu.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tuoxu = "C:\\Users\\Admin\\tuoxu.exe /u" tuoxu.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tuoxu = "C:\\Users\\Admin\\tuoxu.exe /d" tuoxu.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run\ 2398a99d8766354950191ce026b6f8033c76b13492b6d60918ac877a52db37bf.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run\ tuoxu.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tuoxu = "C:\\Users\\Admin\\tuoxu.exe /h" tuoxu.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tuoxu = "C:\\Users\\Admin\\tuoxu.exe /l" tuoxu.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tuoxu = "C:\\Users\\Admin\\tuoxu.exe /a" tuoxu.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tuoxu = "C:\\Users\\Admin\\tuoxu.exe /g" tuoxu.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tuoxu = "C:\\Users\\Admin\\tuoxu.exe /p" tuoxu.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tuoxu = "C:\\Users\\Admin\\tuoxu.exe /v" tuoxu.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tuoxu = "C:\\Users\\Admin\\tuoxu.exe /t" tuoxu.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tuoxu = "C:\\Users\\Admin\\tuoxu.exe /s" tuoxu.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tuoxu = "C:\\Users\\Admin\\tuoxu.exe /i" tuoxu.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tuoxu = "C:\\Users\\Admin\\tuoxu.exe /e" tuoxu.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tuoxu = "C:\\Users\\Admin\\tuoxu.exe /x" tuoxu.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tuoxu = "C:\\Users\\Admin\\tuoxu.exe /o" tuoxu.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tuoxu = "C:\\Users\\Admin\\tuoxu.exe /r" tuoxu.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4628 2398a99d8766354950191ce026b6f8033c76b13492b6d60918ac877a52db37bf.exe 4628 2398a99d8766354950191ce026b6f8033c76b13492b6d60918ac877a52db37bf.exe 3008 tuoxu.exe 3008 tuoxu.exe 3008 tuoxu.exe 3008 tuoxu.exe 3008 tuoxu.exe 3008 tuoxu.exe 3008 tuoxu.exe 3008 tuoxu.exe 3008 tuoxu.exe 3008 tuoxu.exe 3008 tuoxu.exe 3008 tuoxu.exe 3008 tuoxu.exe 3008 tuoxu.exe 3008 tuoxu.exe 3008 tuoxu.exe 3008 tuoxu.exe 3008 tuoxu.exe 3008 tuoxu.exe 3008 tuoxu.exe 3008 tuoxu.exe 3008 tuoxu.exe 3008 tuoxu.exe 3008 tuoxu.exe 3008 tuoxu.exe 3008 tuoxu.exe 3008 tuoxu.exe 3008 tuoxu.exe 3008 tuoxu.exe 3008 tuoxu.exe 3008 tuoxu.exe 3008 tuoxu.exe 3008 tuoxu.exe 3008 tuoxu.exe 3008 tuoxu.exe 3008 tuoxu.exe 3008 tuoxu.exe 3008 tuoxu.exe 3008 tuoxu.exe 3008 tuoxu.exe 3008 tuoxu.exe 3008 tuoxu.exe 3008 tuoxu.exe 3008 tuoxu.exe 3008 tuoxu.exe 3008 tuoxu.exe 3008 tuoxu.exe 3008 tuoxu.exe 3008 tuoxu.exe 3008 tuoxu.exe 3008 tuoxu.exe 3008 tuoxu.exe 3008 tuoxu.exe 3008 tuoxu.exe 3008 tuoxu.exe 3008 tuoxu.exe 3008 tuoxu.exe 3008 tuoxu.exe 3008 tuoxu.exe 3008 tuoxu.exe 3008 tuoxu.exe 3008 tuoxu.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 4628 2398a99d8766354950191ce026b6f8033c76b13492b6d60918ac877a52db37bf.exe 3008 tuoxu.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 4628 wrote to memory of 3008 4628 2398a99d8766354950191ce026b6f8033c76b13492b6d60918ac877a52db37bf.exe 79 PID 4628 wrote to memory of 3008 4628 2398a99d8766354950191ce026b6f8033c76b13492b6d60918ac877a52db37bf.exe 79 PID 4628 wrote to memory of 3008 4628 2398a99d8766354950191ce026b6f8033c76b13492b6d60918ac877a52db37bf.exe 79
Processes
-
C:\Users\Admin\AppData\Local\Temp\2398a99d8766354950191ce026b6f8033c76b13492b6d60918ac877a52db37bf.exe"C:\Users\Admin\AppData\Local\Temp\2398a99d8766354950191ce026b6f8033c76b13492b6d60918ac877a52db37bf.exe"1⤵
- Modifies visiblity of hidden/system files in Explorer
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4628 -
C:\Users\Admin\tuoxu.exe"C:\Users\Admin\tuoxu.exe"2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3008
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
264KB
MD5baf63f730932e8ad7dbbe8fe0ff6d020
SHA1f1679231ab69dfe34f7afe42b95fa40895102151
SHA256fdb133c5a88bb489f225986c27cfafaa8b362d65c6d56ceb7f4e04f34195c056
SHA512ac76ba855e3d18c0671cfcf223c93437ffe4c99107d2fb21bde794e15c2c85ce70ca444a78b7d97d6cb0c30b6b44d578dc81ccf650a7a589335c7d728bcfa7a4
-
Filesize
264KB
MD5baf63f730932e8ad7dbbe8fe0ff6d020
SHA1f1679231ab69dfe34f7afe42b95fa40895102151
SHA256fdb133c5a88bb489f225986c27cfafaa8b362d65c6d56ceb7f4e04f34195c056
SHA512ac76ba855e3d18c0671cfcf223c93437ffe4c99107d2fb21bde794e15c2c85ce70ca444a78b7d97d6cb0c30b6b44d578dc81ccf650a7a589335c7d728bcfa7a4